Video – GDPR and cyber security, we talk to the head of IT security specialist AVR

AVR is an industry-leading IT Security and Enterprise Mobility solutions specialist. Thinking Business caught up with AVR’s MD, Nick Kellaway – talking cyber security, GDPR and advice for business owners.

1. With new GDPR laws coming into action, is the threat of non-compliance as bad as the threat of a cyber-attack?

If you have a cyber-attack you will be found to be non-compliant anyway. With the GDPR rules you can be fined up to 4% of your annual revenue for being incompliant and it could be as small as not having signed up to a marketing tool or various things like that. I just think the GDPR is going to be a big player but also it links heavily into cyber security as well.

2. With myriad cloud-based apps replacing local software, why do individual businesses need to safeguard against attacks?

The thing is, with cloud based people presume it’s secure – and it does have a layer of security underneath it – but also you need to educate the people. If your people put something into the cloud and they have a four-digit pin code or they have a weak password, once somebody gets it they’ve got access to your data. So you just presume that everything’s covered by your insurers, your Microsoft, whoever’s in there. You could be in the public cloud, you could be in the private cloud, you could be in the hybrid cloud. You don’t know where your data is being stored – stored on-site or in a different country – so there’s a lot more behind it rather than just in the cloud. The safeguard is educating the staff and making sure you’ve got different layers of security.

We sometimes say you have like an “onion” and it breaks down so that you may have a firewall somebody gets through because they’ve set the wrong policy. Then you need to stop data going out – for example, a financial firm will have a lot of financial data. What’s stopping somebody clicking an e-mail to accidentally send it out? You need to have different things in place. If it goes out you need to adapt and redact the data. In relation to the GDPR rules, if data goes out you need to report a breach, but if the data goes out and it makes no sense it’s okay because nobody can read it and understand it – so if you’ve shown that you’ve put something in place for that to stop it then you’re okay.

3. What are the most worrying trends amongst business owners and their attitudes towards
cyber security?

I think the most worrying trend is the apathy and doing nothing. The budget used to be for security at the bottom. It’s now starting to go up to the top but as people are getting breached – I mean there‘s more breaches today in the news – it’s something that people are having to sit up and take notice. “Yes”, it’s an additional cost. It’s not being budgeted for but if you get attacked by ransomware and it takes your systems down or you pay the ransom, it costs you more than it would have done to protect yourself in the first place. We started a ransomware managed service six months ago and at the beginning we were knocking on doors talking to people, advising them – then with Petya, and WannaCry which spread around the world people are sitting up and taking notice.

4. If you had one piece of advice to small business owners with no plans in place, what would it be?

My advice would be to get hold of a security specialist who can come in and sit down and actually look at the areas where you ought maybe to have a penetration test where people then actually check to see where your issues are. 95% of businesses will be hit at the end point so that will be, you know, your laptop etc. or your server and people are coming back to hit at that end point. The traditional anti-virus is good – it doesn’t protect everything – you’ll be looking at the next generation antivirus which will then protect it.