Data protection and startups: an uncomfortable truth

Single red open padlock amongst many blue closed padlocks in rows

Thanks to the rise of the internet and digital technology, it's never been easier to set up a business. No matter what sector you operate in, there are more opportunities to turn that lightbulb moment into a lucrative business and to attract paying customers.

More and more people are identifying this and setting up their own companies. In fact, according to statistics from the Centre for Entrepreneurs and Companies House, over 650,000 new businesses were formed in the UK last year. Just to compare, this number was at 608,110 in 2015.

But while there's never been a better time to set up your own business, that's not to say this journey isn't challenging. Of course, there are common issue such as finding funding and staying agile, but technology can also act as a barrier.

On a daily basis, companies collect huge amounts of data. Tech giant IBM claims we generate more than 2.5 quintillion bytes of data each day, and 90% of all data in existence was created in the past two years. There's no doubt that this number will only continue to grow, and it means that data privacy is something that all organisations need to focus on -- small businesses included. But laws are always changing, and it can be a challenge for SMBs to keep up-to-speed.

Data is lucrative

In the UK, the primary law that businesses need to adhere to currently is the Data Protection Act 1998. Firms are expected to take steps to ensure customer data is protected with methods like encryption and that there are adequate security mechanisms in place to detect and fight potential cyber attacks. Otherwise, if a hacker were to compromise a company's online assets, they could get access to information such as email addresses, phone numbers and bank details.

Christian Mancier, a data protection lawyer at Gorvins Solicitors, says that data is extremely lucrative to businesses and that so much can go wrong for a company if it isn't protected appropriately. "Data is often the most valuable asset a business holds. However, failing to protect that data is one of the biggest risks a business faces in this digital age where a data breach can cause significant reputational damage," he says.

"Any organisation holding personal data in the UK must take adequate steps to protect that data under the Data Protection Act 1998, and this includes taking adequate technical security measures. With cyber-attacks becoming increasingly sophisticated, businesses need to be constantly on top of their security systems to avoid becoming a high profile casualty of a cyber-attack."

Cyber attacks may be an increasing threat to businesses, but Mancier explains that many data incidents happen due to human error. Take, for example, an employee sending company information to the wrong person or leaking it online. These can be have huge ramifications for businesses.

"However the one area that often gets overlooked, and is traditionally the weakest link in any data protection system, is the human element.The vast majority of data breaches occur due to human error. This is someone such as an employee or sub-contractor doing something they shouldn't be doing or simply making a mistake such as the fax or e-mail to the wrong recipient, losing a memory stick or failing to encrypt data or destroy data properly," he continues.

"Any business can have a superb written data protection policy, however that policy is not worth the paper it is written on unless employees are trained so they understand the reason there is a policy in the first place, the consequences of breaching that policy and how practically that policy impacts on them as they go about their day-to-day tasks."

GDPR

GDPR (General Data Protection Regulation) is another law that will affect businesses. Set to come into force next year, it's aimed at improving the way data pertaining to people resident in the European Union is handled. Alex Guillen, go-to market manager at technology reseller Insight, says it will dramatically affect businesses of all sizes that handle client data.

"GDPR is forcing a culture shift in the industry as it puts the responsibility firmly on the businesses that hold customer data. There are two sides to what will engineer this shift -- the first is prevention, which will be shaped in the preparation phase before the regulations come into play. For most organisations of all sizes this will mean establishing the critical data they need to protect and identifying where it resides and the value it holds," he says.

"Once established, we'll see organisations creating security strategies and policies for the end-to-end management of this data, with a particular focus on governance. When it comes to securing the data itself, we expect organisations to lean on consultancy services to help them navigate the best provider in what we know is a crowded market.

"A priority for businesses should be to look for holistic solutions that can ensure the integrity of the data, rather than throwing money at the problem and creating a patchwork of ineffective tools, as has been done in the past. There are number of hurdles organisations will need to overcome, including the significant problem of 'dark data'. It's a tough one to prepare for, because organisations don't tend to understand the nature of their data and we expect, or hope, to see businesses using the time before 2018 to get to grips with it."

Protection doesn't have to be expensive

A business lacking significant data protection mechanisms may seem nonsensical this day and age, but it's easy for organisations to fall behind in this area. Startups don't always have the financial resources to invest in expensive security products, while some believe that cyber criminals only target large enterprises.

Phil Maynard, data protection director EMEA at Barracuda, says these are common misconceptions. In reality, young companies need to maintain a strong reputation, meaning that data protection is vital to their survival. "Data protection is becoming increasingly important in a world where ransomware is now the biggest threat to many businesses. For startups, choosing the right data protection is critical, because they often rely heavily upon their reputation and word-of-mouth for new business," he tells IT Pro.

"One ransomware misconception is that cyber criminals primarily target larger enterprises. In fact, research suggests the opposite: often cyber criminals see SMBs and startups as more lucrative targets because they are more likely to be resource-limited and not have ransomware protection."

Data protection mechanisms can be costly to put in place and maintain, although Maynard says there are ways startups can save money, such as adopting tiered data structures. "For startups on a tight security budget, tiering your data in terms of importance is good practice so that you can intelligently decide where to focus your data protection efforts. Of course, customer data is often your most valuable asset and so usually will take precedence," he says.

"However, don't fall into the trap of only protecting the data that you view as important and not taking into account the data that cyber criminals can easily monetise. For example, personally identifiable information is often targeted by cyber criminals, but may not be viewed as an important business asset."

Education is important

Cyberlytic, a UK start-up that has experience developing cyber security solutions for the UK Ministry of Defence and the GCHQ, has just launched an AI product to help businesses fight cybercrime and adopt effective data protection procedures. Stuart Laidlaw, founder and CEO of the London-based company, says a lack of understanding of threats causes big issues for startups.

"Business leaders often don't realise the scale or types of cyber-attacks that could harm their business," he says. "A weak coding practice, a weakness in the company's website, a mistake made by an employee that clicks on the wrong link and the whole structure can collapse. If leaders followed the Government's cyber essentials or 10-steps guidance, they would greatly minimise these risks."

What's more, Laidlaw says the methods used against startups are often very simple, like an SQL injection on their website or ransomware delivered through a malicious link in an email.

While there isn't one simple solution, Laidlaw says companies can make a start by taking part on relevant training courses and by investing in appropriate software."The worst thing startups can do is bury their heads in the sand and hope they won't get targeted," he says. "All owners should take a cautious approach, get some basic training and better still, arm themselves with some software that can protect [their] business as and when they are attacked."

"Adopt a solution which does not interfere with the everyday running of the business. Cloud-based backup and recovery is often chosen for this reason; their employees need to be flexible and on the move when working and so they need their data and data protection to be the same," he adds

Data protection is a complex area and while startups can struggle to stay in tune with this area - especially if they don't have significant time or budget to implement appropriate systems - they can end up failing if they don't.

General Data Protection Regulation (GDPR) GDPR news: GDPR turns six months old

WATCH: Learn more about the security threats facing businesses today and how to combat them in this free webinar WATCH NOW

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, the Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan. You can follow Nicholas on Twitter.