Small businesses still underestimate cost of security breaches

The good news is that more SMBs are shoring up cyber-security defenses, but many worry the measures they are taking won't be adequate.
Written by Heather Clancy, Contributor

Small companies realize they are ever more vulnerable to security breaches, but few of them fully appreciate the ramifications of an IT infrastructure break-in, or even of something far more likely, such as a stolen credit card number.

That's just one of the high-level takeaways from the new State of Cyber Security Readiness survey by Ponemon Institute.

Here's another: More than half of SMBs are more worried about the time and productivity lost than they are about more tangible outcomes such as the loss of customers and business partners, damage to reputation or an increased cost when it comes to winning over new prospects.

"Results indicate that companies tend to seriously underestimate the potential damage to brand and reputation, revealing a great data breach perception gap," said Larry Ponemon, chairman and founder of Ponemon, which conducted the survey on behalf of Faronics. 

"Misconceptions about the consequences associated with a data breach are preventing organizations from implementing the necessary financial tools, in-house expertise and technologies to achieve cyber-readiness," he said. 

The good news is that a large majority of the U.S. and U.K. SMBs surveyed by Ponemon are acting to protect themselves. The bad news is that most of them worry that the measures they are taking are probably inadequate. 

For example:

64 percent of the U.S. respondents said "insufficient people resources" are a problem, compared with 75 percent of the U.K. respondents

55 percent (of all respondents) pointed to "lack of in-house skilled or expert personnel"

50 percent of the U.S. respondents were bothered by a "lack of central accountability"

What exactly are small companies worrying about?

Here are the top three threats for the U.S. respondents:

"Proliferation of unstructured data" (69 percent)

"Unsecure third parties including cloud providers" (65 percent)

"Not knowing where all sensitive data is located" (62 percent)

The U.K. responses are slightly different:

"Proliferation of end devices" (62 percent)

"Lack of security protection across all devices" (56 percent)

"Unsecure third parties including cloud providers" (53 percent)

What can small businesses do to go beyond technical and policy measures to protect themselves?

One idea might be to invest in a cyber-insurance policy. While many existing offerings are tailored toward large companies, Farmers Insurance Group recently stepped up its focus on small businesses looking to improve their cyber-readiness profile.

Insureon, the largest online business insurance broker focused on small businesses, also has created a new suite of cyber-liability coverage.

The policies focus on helping cover small businesses for losses related to disclosure of confidential data, loss of data or digital assets, and the introduction of malicious code or other malware.

