Small businesses and organizations take comfort in the belief that they are simply too small to be at risk of a data security breach. This belief, however, is incorrect. In 2012, 31% of all targeted cyber-attacks were directed at companies with fewer than 250 employees.[1] This represents a marked increase from the prior year. While larger organizations have stepped up their defenses against the threat of data security breaches, most small businesses have remained either unaware of the threat or unwilling to invest in proper measures to protect themselves. As a result, cyber-criminals looking for the path of least resistance have focused on these smaller businesses and organizations in seeking out unprotected, valuable data.
In light of this trend, the latest statistics represent an alarming failure on the part of small businesses to adequately protect their own information as well as the information of their clients and customers. Currently:
- 28% of small businesses have never trained their staff regarding data security issues;
- 46 % of small businesses do not have anyone directly responsible for data security or secure information destruction;
- 87% of small businesses do not have a formal written internet security policy for employees;
- 66% of small businesses do not have an informal internet security policy for employees;
- 59% do not have a contingency plan outlining procedures for responding to a data breach; and
- 60% of small businesses do not have a privacy policy that employees must comply with when handling customer or employee information;
In light of these statistics, it is surprising that 77% of small businesses are satisfied with their current online safety measures and believe that they are safe from cyber-threats. Approximately half of small businesses do not think that lost or stolen data would seriously impact their business, despite the fact that 60% of small businesses would be forced to close within six months after suffering a data security breach. Clearly, there is a disconnect between the perceived threat and the actual threat when it comes to data security breaches and smaller organizations.
All organizations, regardless of their size, retain valuable information such as social security numbers, credit card account numbers, banking and financial information, intellectual property, and confidential commercial information. Therefore, small businesses should take actions to secure the data that they retain and establish procedures to respond to any breaches in an appropriate, efficient manner. Failure to do so may result in compromised relationships with customers, clients, business partners, and could lead to potential legal liability, fines and negative publicity. In today’s environment, small businesses can no longer hide from the emerging threat of data security breaches.
If you would like to talk with someone in more detail about what steps your organization should consider taking to prevent a data security breach, please contact David McConnell or Joe Talbot directly at 1-866-774-2635 or dmcconnell@perkinsthompson.com or jtalbot@perkinsthompson.com.
[1] Statistics for this article were taken from: Symantec, 2013 ISTR Shows Changing Cybercriminal Tactics, http:// http://www.symantec.com/connect/blogs/2013-istr-shows-changing-cybercriminal-tactics; Shredit, Security Tracker Infographic (2012), available at http://shredit.com/Shredit/media/ShreditAssets/Multimedia/Infographics/SHR-SecurityTrackerUS_FINAL.pdf; and National Cyber Security Alliance, Small Business Online Security Inforgraphic (2012), available at http://www.staysafeonline.org/stay-safe-online/resources/small-business-online-security-infographic.