[BreachExchange] Three things smaller, evolving companies should consider in the event of a data breach

Audrey McNeil audrey at riskbasedsecurity.com
Wed Sep 14 19:11:17 EDT 2016


https://www.finextra.com/blogposting/13085/three-things-smaller-evolving-companies-should-consider-in-the-event-of-a-data-breach

With government figures showing that 9 out of 10 organisations suffered
some form of a data breach last year, it's a near certainty that it will
happen, no matter what the size of the organisation.

The impact on larger enterprises can be great in terms of the scale of
costs and reputational damage suffered, especially if they attract media
attention.

However, it can be argued that they have a distinct advantage over smaller
growing businesses when it comes to protecting themselves against the
threat of a data breach. Why? They have the structure, resources and budget
to put solid data breach response plans and teams in place. For smaller,
evolving businesses, these three things could present a challenge.

Structure – complex vs agile?

Large organisations are structured in a way that means that, in the majority
of cases, they will have the ability to put a robust, tried-and-tested data
breach response plan in place.

It can be argued, however, that many smaller evolving organisations are
potentially more agile and don't have the challenge that their larger
counterparts face in terms of the complexity of having to work the
corporate matrix. This flexibility can give smaller organisations the
opportunity to swiftly progress data breach readiness auditing and
planning. Yet, our research has found that almost a third don't have any
kind of data breach response plan in place.

Resource – who should be involved?

Having a team in place to respond quickly and effectively can make all the
difference. However, despite a third of SMEs admitting that they do not
have a data breach response plan in place, an even greater number have not
appointed the necessary internal or external teams required to manage the
data breach event, leaving their ability to respond effectively and notify
those affected to chance. This is in spite of the fact that nearly one in four
SMEs know their customers would stop using them if the safety of their
personal data was jeopardised.

Budget – the mistake of underestimation

It's easy to assume that many of the costs associated with managing a data
breach are focussed on the preventative measures, such as IT, forensics and
cyber security. However, businesses also need to take into account the
financial burden of business disruption, lost sales, recovery of assets, as
well as potential fines and compensation when a data breach strikes. Such
costs can be significant and our research revealed that many SMEs are
severely underestimating the costs associated with managing and responding
to a data breach.

SMEs estimate the average cost of a data breach to be £179,990. Government
figures, however, place it at £310,800. This suggests that SMEs are
underestimating the average cost of a data breach by £130,810. With four in
five admitting that the financial impact would be significant to the
day-to-day running of their business, SMEs are leaving themselves financially
vulnerable should a data breach hit.

Growing public awareness of data breaches and scrutiny from those
ultimately affected means businesses managing personally identifiable
information (PII) need to put planning for a data breach at the heart of
their business.