Small to medium-sized businesses face a long recovery road after a data breach

Published: February 21, 2013 by Michael Bruemmer

Understanding why data breach preparedness is a priority is key. According to the latest Ponemon Institute Study, State of SMB Cyber Security Readiness: US Study, the road to recovery is long and hard for small to medium-sized businesses (SMBs) after a data breach.  Not only did the SMBs lose customers, costs to acquire new customers went up significantly, some organizations had to lay off employees and it took almost a year to recover from the damage to their business reputation.  The purpose of the study was to understand the ability of SMBs to prepare their companies for a possible cyber security threat or data breach.

The study examined the differences in perceptions about the consequences of a data security breach between those companies that experienced a breach and those that have not.  The average cost of a data breach was almost $900K, which is almost three times more than what unaffected companies estimated.  This lack of awareness about the costs and consequences of a data breach can negatively affect an SMB’s ability to be prepared for a cyber security attack.  Although participants stated that the priority for their IT security spending was to meet compliance requirements and implement a data breach response plan, the reality is most companies didn’t have policies in place to deal with a breach of data.  In addition, respondents expressed that their biggest frustration in implementing a data security plan was dealing with employee negligence and felt it was unrealistic to expect an organization of their size to be totally secure from a cyber attack.
In response, The Ponemon Institute has the following recommendations to improve the current state of cyber readiness for SMBs:

  1. Like bigger sized organizations, make it a priority to implement formal data protection and security programs to detect cyber security risks.
  2. Conduct risk assessments and monitoring to identify data breach risks. Establish security objectives and set actionable metrics to be able to measure that your company is meeting security goals.
  3. Ensure that employees’ mobile devices are properly protected with anti-virus/anti-malware protections and encryption technologies.  Identify your sensitive and confidential information that needs security and protection at all times.
  4. Educate workers through training and awareness programs on the importance of following proper security procedures.  Make the business case for investing in cyber security.

As with many things, it’s not the size that counts, it’s the content that is important.  And no matter how large or small the business, the importance of protecting that content should always be the first priority in every company’s cyber security plan.