Thornsten Kurpjuhn, European Market Development Manager at Zyxel
If you are self-employed or run a small business, you’ve probably lost count of the number of e-mails you’ve received about the General Data Protection Regulation (EU), better known as GDPR. There will have been e-mails pleading for you to opt in, asking if you want to opt out, telling you that if you don’t tick that box or this you will never hear from them again, but then still have. It’s all been rather confusing, and businesses still don’t seem to be entirely sure what GDPR is asking of them and what they should ask of their customers. However, the email opt-in overload is just the peak of the iceberg, it is the larger and inconspicuous underside of the GDPR iceberg that businesses need to be actively on the lookout for – external threats to the sensitive data they hold dear on the network. If businesses have out of date network security, they run the risk of a serious attack to the network and a resulting breach of data.
But when the law gets involved in data protection none of us really has a choice — we either comply or risk some pretty dreadful consequences. And these consequences are not merely legal: if you suffer a data breach the Information Commissioner’s Office (ICO: the body responsible for enforcing GDPR) will not be the only entity to respond and dent your balance sheet. Once your customers and potential customers get wind of the problem, your reputation will inevitably be damaged and that is likely to mean loss of business and a poor public profile, possibly for years. What’s more, businesses will face up-to 20 million Euros or 4 per cent of their annual global turnover in fines, depending which is higher.
Although GDPR has only been enforceable by the authorities since May 2018, it has been clear for some time that businesses have assumed that it won’t impact them, but in reality, it affects everyone that manages European consumer data, no matter where they are based and whatever their business size. Businesses must prioritise data protection or face the wrath of GDPR due to oversight. For example, some of the biggest names in the UK — Thomas Cook, Butlins, Ticketmaster UK, even the British Government — have experienced massive data breaches to occur within their networks[1].
When it comes to GDPR, strengthening your network to protect data and withstand cyber-attacks must be a priority. You can send out all of the compliance e-mails you like, update your privacy policy and put a warning on every web page, but if your network is not strong enough to withstand attack or data breach, you will fall foul of the regulations and can face severe penalties.
What’s your weakness?
A business’ network is its weak spot, simply because that network is the portal to data. Therefore, European law has brought in GDPR and demands that businesses do everything they can to securely process and protect data. As a business, your promises around data protection are not the point, it’s your behaviour that counts most. Data handling procedures and protocols must be compliant in practice, and your network secure from cyber-attacks.
But if big businesses can’t manage it, how can smaller ones protect themselves?
To be brutally honest, there isn’t a network in the world that is utterly and completely unbreachable, but that’s not what GDPR is asking you for anyway. GDPR simply requires that you do all you can do to assure data security. So, alongside updated policies and procedures, you must have a network that you know and can prove is as secure as it can be.
The answer’s in SOHO
In practice, if you are a sole trader or running a small business that generally means you need a small office/home office (SOHO) network. This is basically a local area network (LAN), configured to cater for both domestic and small business use. In particular, a dedicated SOHO network device and security is likely to include a greater level of security and encryption than most standard domestic routers, particularly older models, along with VPN provisioning and/or encryption.
This elevated standard of security matters when it comes to GDPR compliance, not least because many small business operators routinely carry out business transactions, such as online banking or accounting, that is vulnerable to human error and leaves them more vulnerable to cyber-attacks than they realise.
Now consider the type of data that you send back and forth across that network, and how often you do so. What would it mean for your business if that connection was exploited maliciously in the manner suffered by the NHS in 2017, when it was hit by a cyber-attack[2]?
As businesses become more reliant on technology, the threat is increasing for those who still rely on an outdated or obsolete domestic router to administer their business. That’s where GDPR comes in. If you are handling data, even if you do so in a GDPR-compliant way, but are using an insecure network, you are very vulnerable.
The more you move that data around or store it remotely, the more vulnerable you become. Because even though your GDPR-compliant protocols may mean your data is largely anonymised, and that data no longer required is promptly deleted, nonetheless you will, almost inevitably, have current and sensitive data on your system, even if that’s only your clients’ names and contact details.
GDPR is not an unreasonable piece of regulation but a much-needed protection that benefits us all. While implementation has become mired in confusion, it’s not that much of a challenge for small businesses to comply as long as they remember that their real vulnerability lies not in failing to send out e-mails, but in failing to protect networks. To protect themselves from external threats, businesses must adopt appropriate network security that is up to date – in fact, some network providers believe in this so strongly they have a trade in and trade up policy currently. To future-proof, businesses must ensure that all software is up-to date, as external threats will continue to evolve, so it is imperative that networks are kept one step ahead at all times.
