Data breaches are bad news for a business, but did you know that as a Director you could soon be held personally liable if customer information falls into the wrong hands?
This will be the case with data breaches as of 25th May 2018, when the new EU General Data Protection Regulation (GDPR) comes into force. What’s more, the company could be fined up to €20m or 4% of global annual turnover, and then there is the lasting reputational damage.
The key to not falling foul of the cybercriminals and the regulators is risk management
Firstly, it is important to acknowledge the risk that needs to be managed. It is easy to assume that as a small business your organisation has nothing of value for a cybercriminal and therefore nothing to fear, and as a result SMEs often under-invest and have inadequate security provision. However, many cyber-attacks are indiscriminate, and in 2016 UK businesses were, on average, subjected to almost 230,000 cyberattacks. In addition, there is an increasing number of highly targeted attacks, and whilst your organisation may not be the ultimate goal, it may have been identified as the weak link in the supply chain, en route to a much more valuable prize.
A common fallacy is that security should be placed on the shoulders of the IT department
Or worse, the outsourced IT company – after all, it is ‘cyber’! However, this is a red herring. Whilst it is essential to have the right systems in place and to maintain them correctly, the aforementioned ‘weak link in the chain’ is all too often a people problem, whether intentional or inadvertent.
Common everyday practices in the office, including sharing passwords and not changing them regularly, downloading company information onto portable (and personal) devices such as laptops, smartphones, tablets and USB sticks, and remote working over an unsecured Wi-Fi network, can all seriously increase the level of risk. For most employees, getting the job done takes precedence over security, if they think about it at all.
Tim Watts OBE is the Senior Advisor for SME Cyber Security at BeCyberSure and he advises that: “Good cyber security, information and risk management starts with making sure people understand the threat, ensuring that they are trained, educated and properly led.
You need to create a ‘human firewall’ as well as a technical firewall and it need not be expensive
If you can remove the weak link, then the bad guys will look for another softer target.”
The GDPR does not distinguish whether customer data is lost, stolen, sold or misplaced. If you cannot demonstrate that the organisation has the appropriate safeguards in place, it is vulnerable from all sides. A final word of warning: don’t think that Brexit means the risk of stiff penalties will diminish, as the UK will still be bound by GDPR, or by an equivalent ruling from the Information Commissioner’s Office.