For many small businesses, the security of their information doesn’t seem to be a high priority. However, their customers, partners, and employees do consider it a high priority. Customers have an expectation that their sensitive information will be properly protected. Employees also have an expectation that their data will be kept protected. Business partners expect the other business to maintain a level of security assurance so that their connected systems are not put at risk. A breach of any kind can run up such a high cost that it can shut the small business down. Let’s look at some facts collected over the years to better understand why it matters to the little guy. We’ll discuss the cost of a breach, and facts and figures on how often it actually happens.
Before we do, let’s look at some typical reactions to information security we at Shades of Gray Security have run across. The business may only be a simple niche retail outlet or a bar, or maybe a small law firm. We have heard excuses from all industries on why it doesn’t matter. Lawyers will say “everything in my system is on the public record so it doesn’t matter.” Research companies will say something similar, “we bid on projects and everyone else bidding on those projects has access to all the same data so it doesn’t matter.” Retail stores will say, “we do take credit cards, but that is safe, we don’t store the data.” The lawyer may have a point, but what about evidence in his case that has not gone to trial? What happens if that is made public? What about all his clients’ personal information like social security numbers, bank statements, etc.? All of this can quickly lead to an enormous problem. The retail store doesn’t understand the risk it runs with credit card processing. Not having a security audit leaves you at fault in the event of stolen credit card information. It’s in the PCI guidelines. The store may also be tracking customer information for loyalty rewards. Everyone tracks sensitive information, and everyone needs to secure it. So why not? Cost?
There is a cost in protecting data. True. There is also a cost in not protecting data. Those involved in the finances of a business should be familiar with risk management, and here we are talking about cost avoidance: specifically, the cost of not protecting sensitive data. In order to consider this, we need to be aware of those costs which are not immediately obvious. State laws require breach notification to affected people and businesses. The US government has estimated that the average cost of each notification to the individual or business affected is well over $130 per entity. If you have 1000 customers whose data may have been compromised, you can expect a minimum cost of $130,000. That number is just the notification and loss of business. It doesn’t include penalties that may be levied against the business, reputation damage, financial loss to those affected (which will come back on your business), and litigation. But realistically, how often does that happen? What is the likelihood a small business will be targeted?
Response time is a huge factor in a data breach. The faster you can identify that you have had a breach, the less damage you will suffer. Sadly, nearly 70% of breached organizations are notified by an outside entity, typically law enforcement, and by then the breach has been ongoing for over 200 days. According to Verizon, 40% of breaches in 2012 were at small businesses. Why are small businesses such a large target?
First, let’s consider that large businesses have been actively engaged in security practices for some years now. As a result, they are becoming harder targets. What we are seeing now is a focus on less secured businesses. The reasons are that it’s easier to gain access, and an attacker can steal a great deal of information and go undetected for a very long time. An attacker may also be able to gain access to a big partner who does have security in place by first compromising some of its smaller partners (Shades of Gray Security has responded to several breaches where this is the case). We also have to consider that viruses and other malicious programs are becoming a bigger problem. They are indiscriminate about who they attack and are being used to compromise computers for use in other criminal activities. Verizon also reports that 45% of small businesses don’t take measures to secure company data on personal devices and 80% don’t use data protection at all. Less than 50% use email security, internet security, and back up their data.
Shades of Gray Security can work with you and your budget to make sure you are doing what you can to secure your data and protect your interests. Our Managed Information Security Services can help you fill in gaps where you don’t have properly trained employees. We can install the security tools you need to help keep your data safe and alert you to attempts to compromise your network, computers, and email systems. We offer training for employees to be able to identify suspicious activity and emails, and what to do in the event a breach occurs. Contact us today to find out how we can help.