Study: Majority of Small Businesses Suffer Data Breaches; Disclosure Is Another Matter

March 13, 2013

Posted in: Network Security Trends

Small businesses have big data breach problems, and they're having a hard time admitting it.

A new Ponemon survey, commissioned by The Hartford Steam Boiler Inspection and Insurance Company -- a part of reinsurance behemoth Munich Re -- found that while more than half the U.S. small businesses surveyed experienced at least one data breach, only a third notified individuals that their personal information had been exposed.

While consumers are used to large corporations like Apple, Microsoft and others fessing up to their high-profile breaches, Eric Cernak, a vice-president with Hartford Steam Boiler, said these organizations need to be cut a little slack. He told Security Bistro that a general feeling of uncertainty fuels this lack of disclosure.

"The business owner may simply not know what to do," said Cernak. "Where do they turn for help once there has been a breach? They also may not be aware that they are required to notify affected individuals, or think they are too small for anyone to notice. The result can be a significant loss of business and irreversible damage to their company’s reputation."

The survey of more than 1,200 U.S.-based small businesses with annual revenues of less than $10 million found that 55 percent of those responding have had a data breach, almost all involving electronic records, and 53 percent had multiple breaches. Of those, only 33 percent notified the people affected, even though 46 states require that individuals be contacted when their private information is exposed.

The problem, in Cernak's estimation, is that small business owners assume that the "little guy" is not a big enough target.

"Many small business owners don’t think a data breach can happen to them. They may believe that data thieves are only interested in large corporations with thousands of customer and employee records," Cernak said. "In fact, light security often makes a small business more vulnerable and this study shows that data breaches are a serious problem. Others think that small businesses are exempt from state laws that require them to report a data breach."

Since many small businesses do not have the necessary manpower to do all things in-house, they rely on outside vendors. This, according to the survey, is where they believe they have issues. Seventy percent of the respondents thought that sensitive information is more likely to be compromised when the data has been outsourced.

That perception is not exactly true. According to the survey, the majority of these incidents are caused by human error: employee mistakes, procedural mistakes, and lost laptops, smartphones and storage media.

Despite how common these data breaches are, not many small businesses have the necessary safety net in place to cover the possible financial hit. The survey found that 62 percent do not have contracts that require third parties to cover all the costs associated with a data breach.

Cernak said this is a huge oversight. Not only do these companies need financial protection, they also need to invest in rudimentary security measures.

"Install firewalls, anti-virus and anti-spyware programs. Consider encryption software. Even basic security software can make a big difference," he said. "Seek professional security services before there is a data breach."

Cernak said that there are some additional -- and simple -- steps small businesses can take to ensure a big data breach doesn't happen to them.

"A small business owner should run at least simple background checks on all employees. Inventory the private information that is stored and keep only what is necessary. Dispose of old data securely and limit employee access to the information that is needed," he said. "A crisis is no time to be seeking help. Take the security steps that make sense for your business and that you can afford. Understand that standard commercial insurance policies will not likely pay for a data breach. Look into separate data breach coverage that will help pay to respond and provide personal services to victims."

The onus, however, is on the small business to make certain they have the policies and procedures in place to handle a compromise because, in the end, accountability is key.

"There are no safe harbors for small companies," said Cernak.
