Thanks for checking back in for our latest Intreis Myth Busters post. Last time we examined the myth “You don’t get to pick your controls, your auditors do”. Today we’re going to prove that if you’re dealing with IT Compliance, size doesn’t matter!
Many small to medium sized businesses are under the (false) perception that compliance applies mostly to large size companies, not small or medium companies (SMB). ‘Why would a hacker focus on an SMB, when they could go after the big fish at a larger corporation’ – You ask? The answer is simple.
Small and medium sized organizations don’t do a good job protecting themselves.
According to the 2012 NCSA/Symantec Small Business Study, 83% of SMBs don’t have a written cyber-security plan in place and 59% of them don’t have any sort of contingency plan for responding, should a data breach actually happen. Sounds like easy pickings for those malicious hackers out there.
Those statistics seem incredibly ironic when you read this next one: “86 percent of SMBs say they are satisfied with the amount of security they provide to protect customer or employee data”. Really?! The majority of SMBs don’t have formal plans to prevent or respond to a data breach AND they are ok with that? Now that’s just silly.
In 2012, the average organizational cost of a data breach was over $5 million. We can all recognize that $5 million means something very different to an SMB than to a larger business. That type of loss could bring an SMB to its knees, not to mention the ensuing exodus of unhappy customers and reputational damage. Does it not then follow that SMBs should be MORE concerned with information security compliance than larger organizations?
To give SMB owners the benefit of the doubt, sheer ignorance might not be the only factor in lack of compliance efforts. High compliance costs can negatively affect SMB’s by causing them to feel that they don’t have the resources to invest in information security or avoid expanding into new markets, to limit exposure to diverse regulations. The truth is – Compliance may be costly, but non-compliance is even more so.
Moral of the story…
When choosing whether or not to deal with compliance, size doesn’t matter! Information security regulations are in place for a reason. ALL ORGANIZATIONS, large or small, need to protect their customers’, partners’, employees’, and organizational data, thereby protecting the organization itself.
If this post has helped you see the compliance ‘light’, check out these Info-Sec Guidelines for Small Businesses and get back on track.
Don’t forget!
If you have come across an IT Compliance misconception that you’d like us to debunk for the world to see, leave it in the comments below or tweet us .
Next week we’ll expose the common thought: “IT GRC is a Necessary Evil” for the dirty myth that it really is.
