Size doesn’t matter

An article published by the Information Commissioner’s Office (ICO) earlier this week, demonstrated perfectly, what many in the information security, compliance and governance industry have long understood – that the size of your business doesn’t matter when it comes to data protection. And that it is indeed what you do with it (the data that is), that counts.

In the news piece, Sally Poole, ICO enforcement managers warns all small and medium sized businesses, “Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”

This of course flies in the face of the misapprehension many small and medium sized businesses have that authorities will be too busy chasing after the ‘big fish’ to bother with them. The fact of the matter is, no matter how big or small the organisation, under the Data Protection Act 1998, they have a legal duty to protect any data that they hold or process. In this case, a video game rental company had “failed to take basic steps to protect its customers’ information from cyber attackers.” The article goes on to say that the ICO investigation found:
• The company had failed to carry out regular penetration testing on its website that should have detected errors
• The firm failed to ensure the password for the account on the WordPress section of its website was sufficiently complex
• The company had some information stored unencrypted and that which was encrypted could be accessed because it failed to keep the decryption key secure
• Encrypted cardholder details and CVV numbers were held on the web server for longer than necessary

The ICO are right, this type of stuff seems pretty basic right? I bet the company’s 26,331 customers whose details were at risk in 2014 when it was subject to a cyber attack, hadn’t even given it a second thought when they entered their personal information. As consumers we take it as a given that the organisations we deal with will look after our data, don’t we? So if you hadn’t given any real thought previously about who you trust with your information, then this should give you food for thought. The ICO used the words “basic” when referring to the security measures overlooked by the company in question. Basic. Nothing fancy, basic.

The message is clear, small and medium businesses have nowhere to hide when it comes to data protection legislation. It seems fitting to leave you with some final words from the ICO –

“If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation (GDPR) coming into force next year, those fines could be a lot higher.”

The ICO have specific guidance for SMEs on their website  to help small and medium businesses find out about their obligations and how to comply, including protecting personal information and providing access to official information.

Anna Walters
Head of Information Security – Governance, Risk & Compliance