To round things off, we spoke to Jason Hart, VP Cloud Solutions at SafeNet, to discuss some of these issues further, including the lack of awareness of data regulations and the forthcoming changes, and why hackers are now being attracted to target small businesses.
TechRadar Pro: Are SMBs paying too little attention to the type of information they are collecting, and how this data is being stored?
Jason Hart: Small businesses often operate in a cost-constrained environment, with limited staff and resources available to support security and compliance efforts. So with data now stored and accessed in different locations and from different devices, it can be difficult for them to stay on top of security. The more they can centralise, streamline, and separate encryption administration, the better they'll be able to address security and compliance demands.
TRP: Is there a lack of awareness regarding regulations concerning how sensitive data is being stored?
JH: The majority of businesses are aware – to some extent – of the upcoming changes to EU Data Protection laws. The problem is not many are actually doing anything to prepare for them. Our Breach Level Index revealed that in Q2 2014, less than 1% of all breaches were 'secure breaches' – where data stolen had appropriate controls and protection around it.
But if companies don't start taking the steps to change how they protect data now, they're likely to find themselves subject to compliance penalties, as well as reputational damage.
TRP: Hackers have traditionally targeted banks. Are SMBs now replacing banks, as they are storing similar personal information, but don't have such robust security measures as the banks?
JH: Hackers will always follow the path of least resistance. It's much easier for them to target businesses with weaker security controls and unfortunately SMBs tend not to have enough expertise in-house on security and compliance. So they are an attractive target to cybercriminals.
TRP: The British Pregnancy Advice Service (BPAS) was fined £200,000 following a serious breach, which affected thousands of personal data records. How can businesses protect themselves from similar prosecutions?
JH: Businesses need to bring the security controls closer to the data. This means putting in place best practice data protection techniques such as encryption, secure key management and authentication. These mechanisms provide a robust foundation for data security and also achieving compliance with the upcoming EU data protection laws.
TRP: Are SMBs overlooking their security responsibilities when storing data in the cloud?
JH: One of the biggest problems that SMBs face in the cloud is a lack of awareness of what data they need to protect, where it resides and what the risks are. Data is now stored and accessed in multiple places and from multiple devices, which means businesses need to bring security controls closer to the data.
So, often security and compliance requirements, like more effective and secure management of cryptographic keys, are a critical prerequisite to cloud migration. But it's not just the SMBs who are overlooking security responsibilities – not enough cloud providers are enabling the correct security controls within their offerings – such as two-factor authentication and key management. So preventing this ticking time bomb is as much the responsibility of cloud providers as it is SMBs.