Underestimating the Consequences of a Data Breach

According to a report from the Ponemon Institute, many small to medium businesses (SMBs) fail to prepare for a data breach.[1] In the “State of SMB Cyber Security Readiness: US Study,” Ponemon reports that organizations that had suffered a breach had different expectations from those that had not. As a result, many SMBs fail to allocate sufficient resources and do not give cyber security the priority it deserves.

The Ponemon Institute conducted this study in the UK and the US among 803 respondents from small to medium businesses with between 50 and 3000 employees. These respondents were selected based on their familiarity with their organization’s security mission; sixty-one percent of them had more than 11 years’ experience and worked at supervisor level or above. Forty percent of the companies surveyed had not experienced a data breach. As a result, these SMBs had failed to take proper measures to secure their data.

Many of the SMBs surveyed focused on the minimum requirements for compliance without considering the larger implications of a data breach for company finances and reputation. As a result, they failed to make cyber security a priority, failed to allocate proper resources, had a poor plan for protecting their company’s unstructured data, and lacked an understanding of the real threats facing their companies.

Instead of formal testing procedures, most organizations (65 percent) simply rely on informal reports from staff to gauge how prepared their company is to face security risks. This tendency to trust informal methods of security assessment and preparation puts these companies at unintended risk. Long-term security protection requires regular security audits, penetration testing, and more.

Ponemon suggests that one of the most serious threats facing SMBs is the proliferation of unstructured data. Sixty-nine percent of these organizations are concerned about their inability to track and protect sensitive information throughout the organization. With the growth of wireless devices, the use of the cloud, and reliance on third-party vendors, many organizations have no clear sense of where confidential business information is located or whether it is sufficiently protected.

By simply trying to meet the minimum of regulatory compliance, by failing to test the organization’s security, and by allowing unchecked growth of unstructured data, many SMBs are flying blind when it comes to security. The challenge is broad and deep and could have costly consequences in the long run.

[1] “State of SMB Cyber Security Readiness: US Study.” Ponemon Institute study sponsored by Faronics, November 2012 <http://bit.ly/TH4GE0>