There's no doubt that data is the lifeblood of any business – but is your organisation paying enough attention to what information it's collecting and how it's stored?
What's marketing up to?
It's human nature to want to collect as much information as possible. This is especially true of marketing departments, which often collect data "just in case" it's valuable in the future. In reality, most SMBs have little or no use for much of the customer information they file away. This SMB "data addiction" flies in the face of the Data Protection Act, which requires a clear statement of intent and scope for the gathering of Personally Identifiable Information (PII).
Even when marketers collect information to support a specific campaign or service, many use third parties to gather customer data on their behalf with little or no thought given to compliance or secure data storage. This stands out in sharp contrast to legal or IT teams, which are typically much more aware of data regulations.
Nevertheless, disconnects across departments mean that all too often SMBs remain seemingly oblivious to the regulations concerning how sensitive data should be managed.
SMBs in the firing line
While banks have been the traditional target for cyber-criminals, SMBs are increasingly finding themselves in the firing line, as hackers cotton on to the fact that they often store similar personal information, but without such robust security measures. As banks step up their security capabilities and become tougher targets, SMBs are gathering more PII than ever, making them the perfect choice for cyber-attacks.
These concerns are even more pressing given the dramatic uptake of cloud storage by SMBs. Many businesses choose a cloud solution based on cost-savings alone, without considering where the cloud is physically located, whether it's public or private, how data segregation will be managed, what testing is performed to ensure security and how remote access is being overseen and secured.
Needless to say, a data breach can disrupt business-as-usual, damage revenues and destroy reputations – but the risks are not simply from the hackers. The recent £200,000 fine levied against The British Pregnancy Advice Service (BPAS) demonstrates that every SMB needs to take data protection seriously. In the case of BPAS, the Information Commissioner's Office (ICO) found that the charity didn't realise its website was storing personal data – it wasn't secured and a vulnerability in the website's code allowed a hacker to access the system and siphon off the highly sensitive information.
It's time to act
If SMBs had to pay to store data based on its sensitivity (i.e. the more sensitive the data, the more expensive it is to store), they might be deterred from gathering customer information for its own sake. However, since this is unlikely to happen any time soon, there are some steps every SMB should take today to ensure they are safeguarding customer information.
At a basic level, every SMB should have a dedicated security manager or team, set policies and standards for dealing with customer data, and educate staff about the need to treat customer data with care on a continuous basis. Organisations can further protect themselves by implementing one or more of the following steps:
- Define clear processes that link the collection of customer data to engagement with the security and legal departments
- Perform risk assessments on any third parties collecting PII on your behalf
- Run regular penetration tests to check your security perimeter and the security of websites and databases where PII is stored
- Define clear security requirements during the development and rollout of new solutions
- Regularly review the PII being stored and delete any information that is not required or is inaccurate, to reduce your exposure to risk
- Create a high-level data classification document to define the type of information your business expects to handle, how sensitive it is and how it should be managed
By implementing these steps, your organisation can ensure it's making the best possible use of customer data, without the fear that it may be storing up problems for the future.
- Carl Shallow is Head of Compliance at SecureData