
All organizations, from giant companies to small and midsize businesses, have sensitive data they need to protect: customer information, employee records, intellectual property, medical records and more. Since data breaches around the world have become more and more common, protecting that confidential data has become a very difficult — and very important — challenge for businesses of all sizes.

At the same time, another wrench has been thrown into the data security world: GDPR. The European Union’s General Data Protection Regulation (GDPR), which goes into effect May 25, will also affect all companies with a European presence, no matter their size. Any organization that offers goods or services to residents of the EU — including cloud services developed by companies based in the U.S. — must comply with the GDPR, even if the company itself isn’t based in the EU.


A Big Challenge for Small Businesses

While GDPR compliance can be difficult for all organizations, small businesses face a number of unique challenges. For one, they simply may not have the money to put a detailed, high-tech security program into place. However, in terms of risk mitigation, security isn’t just about preventing a data breach or a cyberattack.

GDPR requires companies to comply with a number of obligations, and to provide evidence of that compliance, including mandates to carry out data protection impact assessments and to appoint a data protection officer, among several others. GDPR compliance is certainly no small undertaking, and it will require a major shift for many companies, particularly for smaller organizations that may not have privacy programs in place.

If leaders of small and midsize businesses (SMBs) want to improve their security programs while keeping their budgets under control, the most important thing for them to understand is how data, people and location weave together to create patterns — both good and bad — across and within their organizations. Only by understanding your existing data can you effectively protect it.

The EU is beginning to recognize that small businesses are struggling with GDPR compliance, and officials have started to enact measures to help them work toward compliance. In late 2017, the U.K. Information Commissioner’s Office launched a helpline where the U.K.’s estimated 5.4 million SMBs can turn for assistance as they address the specific data protection challenges of the new EU law.


The Insider Threat

That said, it’s extremely important for SMBs to take data protection into their own hands. The most common mistake small businesses make when it comes to privacy, security and data protection is one that all businesses make: They focus on threats posed by outsiders when, in fact, many breaches are initiated from within their networks.

Either intentionally or unintentionally, insiders represent the greatest threat to your data protection program. Fortunately, small businesses can take several steps to alleviate insider threats. To rework their data protection strategies to focus on internal threats, SMBs can employ the following strategies:

  • Trust, but verify. Train your end users to identify and classify the sensitive data they handle and/or create, and make sure they are doing so. Use a combined or layered approach to data classification to ensure employees understand the policies, training and tools you provide and are integrating them into their day-to-day tasks.
  • Understand your organization’s data. Determine what the data is, how it’s being created or collected, how it is maintained, stored and shared, and finally, how it should be disposed of. That will help you develop and implement practices that will best protect this valuable asset. Among other things, small businesses should implement practical and operational policies that delineate between work-related data and personal data.

Data protection within an organization requires an all-hands approach. Though this often requires some upfront legwork on the IT team’s part, it shouldn’t lead to a need for bigger budgets or teams in the long run, which is great news for small businesses. And, more importantly, it will help limit a small business’s risk of experiencing a damaging data breach.