How do you get the best technology bang for your buck? Set the standard with a governance, risk-management and compliance SaaS.
Technology continues to transform small-business models and reduce barriers to growth. Access to secure payment systems, automations that improve information accuracy, and even the widespread adoption of collaborative tools are all increasing the effectiveness of growing organisations across the country.
Most of us know continued digital transformation should factor into our spending for the coming year, but constraints on budget, time and expertise can affect what feels achievable. Add in the increasing threat landscape, and it can be tempting to put further digital adoption to one side until it all calms down. The bad news is that isn’t going to happen. The good news is there’s a way to play it safe, optimise your operations and even win new business, all through one activity: standards compliance in the cloud.
Vendors and experts tout a wide variety of cautionary-tale statistics about data breaches, many designed to send ripples of fear throughout supply chains. In its annual Cost of a Data Breach report, IBM states that the average cost of a breach in Australia last year was a staggering $3.9 million, a 31 per cent increase from the previous year. While that figure is undoubtedly skewed by the big-ticket data breaches that hit the headlines, the proportional amount for your small business is still likely to affect the bottom line dramatically, not to mention the reputational hit to your previously trusted brand.
While the application of cyber security solutions is, of course, vital for your front line of defence, there’s one unifying risk factor that makes or breaks your broader security posture – humans. IBM’s Cyber Security Intelligence Index Report states that “human error was a major contributing cause in 95 per cent of breaches”. Recognising that adequate information security, cyber security and data privacy go way beyond the IT department and are company-wide concerns is the vital first step to adequate governance, risk management and compliance (GRC).
The next step for any small business looking to secure its information might be to consult the Small Business Cyber Security Guide. This is a useful framework put together by the Australian Cyber Security Centre. Depending on the maturity of your business and your available resources, you may already comply with Australian government-led frameworks like The Essential Eight and the Australian Privacy Principles.
The ISO 27001 advantage
While these frameworks will provide considerable confidence around cyber resilience, growth-focused small businesses are increasingly setting their sights on the internationally recognised standard ISO 27001. It’s the only standard that sets out how to design, build and implement an Information Security Management System (ISMS) that can be independently verified for assurance purposes. It’s applicable to every industry and increasingly required as a baseline for doing business in Australia and across the globe.
Why has Australian small business fallen in love with ISO 27001? The immediate benefit to getting certified is that you, your customers, and your supply chain can be confident that everything possible is being done to ensure your collective data is protected from risk. Plus, the implementation of an ISMS often reveals tangible cost efficiencies that can be made across all areas of your business. The fact that powerful customers – both in business and government – are increasingly requiring the standard as a baseline for contracts is also a major factor driving the ISO 27001 gold rush.
In days gone by, gaining ISO 27001 certification required a significant financial outlay, with lengthy commitments to external consultants on expensive day rates. It was an exercise limited to already well-connected enterprises with deep pockets. But as software solutions have come onto the market that have been specifically designed to make ISO 27001 achievable for smaller players, access to excellence in information security is becoming increasingly democratised.
With a variety of implementation solutions of varying quality and cost to choose from, how does a small business identify its perfect match? If you’re one of the 50 per cent of Australian small businesses that already uses a provider for managed services, make them your first port of call. The best managed service providers (MSPs) are themselves certified for your assurance, and they may have a preferred cloud ISMS to recommend. If not, why not ask them to do the research on your behalf and come back with some recommendations? After all, they’re there to work as an extension of your business. Don’t forget, the new financial year is the perfect time to renegotiate your other regularly billed services to possibly absorb some of the additional investment in an ISMS.
If you don’t use an MSP, or you prefer to do your own research, there are some fundamental features that you should look for when deciding on the software that will futureproof your entire governance, risk management and compliance posture:
- Get a live system: ISO 27001 is a management standard that requires evidence of a process of continual improvement. So, you’ll want a live system, accessible from anywhere at the click of a button. Disconnected templates and toolkits may seem economical but it’s impossible to evidence continual improvement and embed good practices into your company culture with a static ISMS.
- Expandability: Your choice of GRC platform should be expandable, so it can easily accommodate other standards, regulations and frameworks that will help you extend your reach into new contracts and markets. If you’ve got overseas customers on your database, you may need to add data privacy regulations like ISO 27701 or GDPR into your system.
- Inbuilt guidance for users: As a small business, it’s unlikely you’ll have a crack team of infosec experts at your disposal, and your already stretched budgets may not extend to a temporary consultant. Look for software with inbuilt guidance features that are preconfigured by experts, so even if you’re a complete novice, you can take a cost-effective, self-directed approach. Don’t spend precious budget on a training course; kill two birds with one stone by using software that teaches you as you implement.
- Data hosted in Australia: Finally, many industries are regulated by bodies that require Australian data to be hosted on Australian soil, either for data residency, localisation or sovereignty requirements. Be sure your choice of cloud software offers this ability, so you don’t inadvertently limit who’ll be able to do business with you.
Your investment in the right GRC platform isn’t just an investment in ISO 27001 certification. It’s a commitment to strategic growth and demonstrable long-term resilience. Committing to a cloud management system this year means that when powerful customers turn the spotlight on your small business, you’ll be ready for your close up.
This article first appeared in issue 37 of the Inside Small Business quarterly magazine