A key planning tool for any business is a PESTLE analysis. At the moment, however, the analysis for many companies looks something like this:
- Political: uncertain. New PM, new cabinet, soon to be new shadow cabinet
- Economic: uncertain. Post-Brexit negotiations have yet to be started
- Sociological: uncertain. What effect will changes to EU migration have on supply and demand?
- Technological: uncertain. All we know for sure about technology is it is fast-changing
- Legal: uncertain. Will the new government increase or decrease red tape?
- Environmental: uncertain. Electricity demand is likely to outstrip supply this winter. Rationing? Power cuts?
All in all, it is what you might describe as a perfect storm of uncertainty. It would be very easy to conclude, then, that companies should batten down the hatches and take shelter – concentrating on core products and waiting for new markets to emerge. In fact, the world’s most successful businesses have often become successful through expanding or developing new products in uncertain times. These companies view uncertainty as an opportunity: a time to create and exploit market shifts; a time to lead rather than to follow.
What is the worst that can happen?
One way to plan for uncertainty is to ask yourself: “What is the worst that can happen?” Ask this for each of your products and services and each of your markets. Now plan how you would continue to grow your business even if that does happen. It may be that the answer is to diversify so that, if one product begins to fail, other products can compensate for that loss. Alternatively, the answer may be to specialise so that you can ride on the growth of a niche market even when the general market is falling. By putting plans in place to cover even the very worst-case scenarios, you are building the foundations of a business that will not easily be knocked down.
Planning for uncertainty, not planning to fail
Some people feel that planning for the worst case is, somehow, planning to fail. Nothing could be further from the truth. In fact, it is well known that failing to plan is planning to fail. Planning for uncertainty, on the other hand, is your umbrella on a murky day. Carry your umbrella and it will be dry; leave it behind and the storm of uncertainty will not be far away from you.
Recently, I spoke at a seminar in Brighton. The topic was “We’ve been hacked – what now?” The other speakers were: a data forensics expert, a disaster recovery expert and a police officer. I thought I would share with you the common themes that emerged:
- Don’t rely on your in-house IT team. It requires specialist skills to investigate an attack in a way that provides quality evidence for court. Your in-house IT is likely to compromise evidence in their attempts to get service up and running.
- Have an incident management plan and good working backups of your data. Robust planning prior to an attack is often the key difference between a company that survives an attack and one that does not. Companies neglect the basics, such as backing up data, at their peril.
- Concentrate on dealing with the effects on your business, not on the technical issues. It is easy to tie yourself up in the detail of how to fix your servers and get things back up and running. However, it is actually far more important to keep your customers happy. In fact, never lose sight of what your customer wants and needs from you.
- Think carefully about statements to the press and social media. Recent cyber-crime surveys show that the biggest cost of a cyber attack is not the loss of data or loss of trading. It is the loss of reputation. Manage your reputation carefully throughout the incident.
- Take time to stop, look and listen before jumping in with a recovery plan. Make sure you fully understand the scope of the problem before trying to patch it up. A patch for a specific problem can lead to a false sense of security because the underlying issues that exposed that problem are still vulnerable.
Your reaction matters
Overall, business owners have different definitions of what it means to get hacked. For some, a single PC catching a virus is a security incident. Others only view it as a problem when they have evidence of actual data loss or angry customers. Whatever your definition, customers will usually focus on how you react to the incident, not how it happened. Your best protection against losing reputation and customers is to have a robust plan in place so that you know your reaction will impress.
These days, cyber security breaches at large corporations make headline news and have ramifications that last for years. (LinkedIn’s breach in 2012 resurfaced as a current issue just last month.) However, many small business owners are reluctant to spend any time or effort on cyber security. Some feel that the subject is just too complex. They simply don’t have the resources to effectively protect their data. Others feel that they have no data that is worth protecting. Others, that cyber criminals are unlikely to be interested in them. The security industry doesn’t help as it often plays on fear, uncertainty and doubt in an attempt to create a market. So what is the real situation? Is it worth worrying about?
Small businesses are targets
First the bad news: all of the properly-conducted research shows that large numbers of UK small businesses have had a cyber security incident in the last year. Depending on what people define as an incident, the survey figures vary from 30% to well over 80%. The simple fact is that, when a cyber criminal is searching for targets, they do not exclude small businesses from their search. With such high chances of being targeted in any one year, it is reasonable to conclude that, sooner or later, your business will be a target.
Security is not that difficult
Now the good news: it is actually not difficult to defend your business. It is often said that you don’t need to have a high-end alarm system and doors like Fort Knox to deter burglars. You just need to have better security than your neighbours. The same is true in the cyber world. If the cyber criminal targets your business and finds that you have effective defences, they are likely to quickly move on to an easier target. Therefore a few simple steps can make all of the difference between falling victim and the attacker moving on to the next target. The UK Government has an excellent scheme called Cyber Essentials (https://www.cyberstreetwise.com/cyberessentials/). This scheme explains very clearly what these steps are and how to achieve them. Here are some of the basic steps:
- Change default passwords and delete unnecessary user accounts
- Use strong passwords
- Remove unnecessary firewall rules and services
- Remove unnecessary software
- Disable “auto-run” features
- Use security protection software
- Update and patch all software regularly.
The Data Protection Act is getting a bit long in the tooth. It was introduced in 1998, the year after re-writeable CDs and the year before Wi-Fi was introduced. It was more than a decade before social media became popular. In fact, the Data Protection Act has done extremely well to remain relevant. It has withstood massive changes in how we store and manage our own personal data, never mind how other people look after the data they hold about us.
Change is afoot
However, change is afoot. The EU has been working on an updated General Data Protection Regulation (GDPR) for some time now and it is almost ready for nation states to begin adopting it into domestic law. The thing is, though, this isn’t just about big corporates any more. Almost every single one of us uses and processes personal data. We store our contact lists containing dates of birth, addresses (street and email) and phone numbers happily in the “cloud”. We copy the data automatically from device to device as we go. In fact, we do this without thinking. It is the default option. Now, everybody is a Data Controller and a Data Processor. Everybody is affected by data processing laws.
Data protection is personal
Often, we only think about data processing when it is visible to us. Perhaps there is news of a big data breach at a company that has your credit card information. Perhaps you want to use a Subject Access Request to find out what information people have been sharing about you behind your back. Worse still, perhaps privacy is just about that annoying pop-up in your web browser (you know the one, something about chocolate biscuits containing your data). In fact, you likely make decisions about the privacy and protection of your personal data every day. You decide what nuggets of information to share and who to share them with. The new data protection regulations will not be just for techies and geeks. We will all need to think about how we interact with data in this information world.