Why SMEs need to act on the Facebook data breaches

Posted on
12th April 2018

Recent revelations about data harvesting from Facebook users have caused alarm for computer users everywhere. While individuals may be concerned about their own personal information being accessed, the data breach has also led to concerns by small businesses about their own cyber security and about cybercrime. In fact, the scandal has served as a wakeup call for SMEs handling and protecting customer and staff data of all types.

What was the Facebook breach all about?

A researcher collected the social profile data of some 87 million Facebook users worldwide who had taken a survey but also from all their FB ‘friends’ who has not taken the survey and therefore knew nothing about the harvesting of their data. It is thought to have affected over £1 million UK users. The type of data collected included personal details and their online behaviour showing likes, favourites, sharing etc. This built up a profile of the user’s likes and dislikes. The researcher then passed the collected personal data – in violation of Facebook’s terms of service – to Cambridge Analytica, a British data analytics firm. This company was employed to work on political campaigns, including Trump’s election campaign and the ‘Leave’ campaign during Brexit, leading to allegations that it was able to use the data to benefit these campaigns.

The cyber data scandal has resulted in political fallout both sides of the Atlantic, as well as a loss of confidence in Facebook.  It’s likely that even the larger tech companies such as Google and Microsoft will now face scrutiny about how they share customer information.

What is a data breach?

Any small business which keeps personal data, whether on its staff or customers needs to be aware of what a data breach is.

A data breach has a specific legal definition. In the UK the Information Commissioner’s Office (ICO) is responsible for data protection. The ICO defines a data breach as follows:

“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.”

So it’s clear that a breach is about more than just about losing personal – it could also be about, for example, not keeping it confidential or not being able to guarantee its integrity.

What are the implications for small businesses?

The Facebook data breach highlights the need for small businesses to realise that they are at risk. Yet small business regularly underestimate their cyber security vulnerabilities.

Research has shown that 82% of 2,500 small business owners surveyed do not feel they are at risk of a data breach ( Insureon ).

So what are some of the implications for small business?

● Cost – Government figures have indicated that the most serious data breaches can cost SMEs as much as £310,800.

● Loss of trust – As Facebook found out to its cost, once trust is lost by consumers it can be hard to regain and can prove costly.

● Reputational damage – the reputational damage to Facebook led to a dramatic fall in its share price and users deleting their accounts in droves. Once lost, many of these users will find alternatives and not return to the platform. The same could happen to businesses where customer data has been compromised.

● Legal Compliance – all businesses have legal obligations to meet concerning the data they hold. These are about to be sharpened in the forthcoming General Data Protection Regulation (GDPR) which is just around the corner. By 25 May all UK businesses need to ensure they comply with the new GDPR which sets out important privacy and data protection requirements. Non-compliant firms guilty of data privacy breaches can face fines of up to 4% of annual turnover or £17 million.

SMEs need to remember that, while the Facebook data breach was the result of a deliberate attempt to collect information, data breaches are not always due to criminal or otherwise wilful activity – they can occur accidently, for example due to insufficient IT protocols and systems or improper practices by under-trained employees.

Why SMEs should check their cybersecurity

SMEs need to increase their awareness and understanding of how their data may be breached and take appropriate action to ensure they are not caught out. Here are some of the actions SMEs should have their IT support provider take care of:

● Develop staff use protocols – Small businesses need to develop protocols for staff use of social media on business devices, be they PCs, tablets or smartphones.  The data scandal revealed that so much of online behaviour can be tracked that it can be risky to access sites which may compromise businesses information.

● Review your personal and business data protection – Ensure that you’ve taken professional advice on putting in place adequate cybersecurity controls. There should include: anti-malware software; anti-virus software; firewalls; automated data backups; automated software updates; cybersecurity vulnerability scans and spam filters. It’s also important to provide the appropriate IT training for employees.

● Ensure GDPR compliance – Preparing for compliance with the looming GDPR (see above) will form part of your cybersecurity measures.  The overall aim of the GDPR is to make businesses transparent and secure in the collection, storage and use of their data. The Federation of Small Businesses (FSB) fear that small businesses are failing to prepare for the GDPR – their research revealed that up until recently 35% of small businesses were only in the early stages of preparation. The FSB said that the two sectors with the biggest problem sectors being hospitality and arts & entertainment.

● Attract more business – Demonstrating that you’re serious about your data and cybersecurity can engender more confidence in your firm and help you win more business. For example, if you’re pitching for work with a government body, your business will need to conform to the Cyber Essentials standards set by the National Cyber Security Centre.

● Reassure customers – when potential customers give you their data – emails, telephone numbers, etc. – they are putting their faith in your business.  This applies especially if they are registering an account online with SMEs which engage in e-commerce.  The current focus is a good opportunity to connect with existing and potential customers to reassure them about the safety of their data. While the Facebook breach may be of a different type to any which may occur when online shopping, that scandal has caused great confusion and anxiety in the minds of the public about giving any information digitally.

At 360ict Ltd we’re closely following the fallout from the FB scandal. We’re pleased that one positive outcome for small businesses is that data privacy has become the top issue amongst software developers and it is likely that data won’t be as easily accessible as at present. However, while this may be good news, we’re also wary that the spotlight could soon move on. So it’s important that we remain vigilant about how our data is used.

360ict wants to ensure that its customers reduce their data breach risks as far as possible. We can help you develop ethical and robust approaches to how you collect, store and use staff and customer data. You can have our experts make sure that your firm is compliant with all data security and data protection regulations have our business IT support experts carry out an on-site review.

To arrange your on-site review or talk to our IT support team about your options, call 0208 663 4000 today.

If you require any further advice or information please do contact us on 0208 663 4000 or Contact Us online.

<< Back to Blog