The new EU regulation regarding data protection has highlighted the dire need for security skills development among small and medium-sized businesses.
Carole Embling, senior information security advisor at Prudential, explains: “Having just participated in some data protection training, it struck me that data security skills are perhaps an even bigger issue for small businesses than they are for larger organisations, which have the resources and skills to protect customer data and digital assets.”
It is widely predicted that social-engineering attacks on SMEs will increase. “Small businesses often don't have the luxury of appointing security managers and data protection specialists, and use consultants to help undertake the necessary IT security measures or to undergo training,” says Embling. “However, a data breach suffered by these organisations potentially affects each and every one of us – it is our personal details that could be used by cyber criminals for illegal activity – but, more importantly, a single breach can have long-term repercussions on the future of these businesses.”
Data security requires infosecurity knowledge and technical skills. Embling adds: “I recently asked an estate agent about what measures they had in place, or were looking to put in place, to safeguard customer data. They had no idea where to start. This reinforces the view that in today's digital environment, SMEs require concentrated education and training, not just for data protection, but for information security at large. As things stand, many are relying on ‘best endeavour’ and a piecemeal attitude towards IT security.
“There is no silver bullet to help small businesses address these challenges. We need to put our heads together to collectively help solve the problem. The infosecurity community, Chambers of Commerce and trade associations must come together to reach out to and help these organisations equip themselves with the wherewithal to protect their data and businesses.
“Big businesses have access to numerous security-related training programmes. There is a need to think about how smaller businesses can access these programmes. For example, the idea of developing modular security courses that are tailored to the specific security requirements of vertical industries is worth exploring. The aim is to give smaller businesses the baseline skills to make informed decisions when it comes to dealing with security issues and related regulation, and even adopting best-practice approaches.”