The majority of the UK's SMEs are not prioritising better online security in the next 12 months, despite the impending impact of the EU's new data protection legislation, the General Data Protection Regulation (GDPR), which was adopted in April 2016 and takes effect within two years.
Notwithstanding the EU referendum result, the Information Commissioner's Office has confirmed that, 'if the UK wants to trade with the single market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's GDPR framework starting in 2018'.
The findings, which form part of Close Brothers' quarterly survey of UK SME owners and senior management from a range of sectors, show that 63% of companies have decided not to invest in better online security, while the remaining 37% indicated they would.
"Businesses of all sizes should be aware of their responsibility when it comes to protecting customer data," said Ian McVicar, Managing Director, Close Brothers Technology Services. "Keeping customers' details safe are at the core of the EU's new data protection legislation, General Data Protection Regulation (GDPR), which was adopted in April 2016 and takes effect within two years.
"It is intended to strengthen and unify data protection for individuals within the EU and the penalty for non-compliance, which is up to 4% of annual revenue or €20 million, whichever is the higher."
A mixed picture has also emerged about UK firms' readiness for the impact of cybercrime on their businesses. While the majority of the UK's small and medium-sized businesses (SMEs) are concerned about cybercrime and the impact it might have on their business (57%), a significant minority are not (36%).
Further analysis of the results reveals that only 41% of businesses feel 'adequately protected'; 17% are unsure of their levels of protection; 21% know it is an important issue but 'haven't had time to look into it', while a further 21% don't think 'it is an issue for our business'.
When asked the question 'do you have data breach / security policies in place around the use of email, internet and mobile devices?', 51% of respondents answered 'yes', 38% 'no' and 11% 'unsure'.
Ian continued: "This picture of uncertainty may be driven by the feeling that many SMEs, particularly in sectors like construction, feel that they don't rely on IT as much as companies in more technology-focused industries. Even if this is the case, companies must remember that GDPR requires all personal data collected to be gathered lawfully, and for specific purposes only. In addition, it must be used for the purposes for which it was collected, and must be accurate and up-to-date."