Most small and midsized businesses (SMBs) are swimming in financial data, but not all of them take steps to safeguard it, according to the 2014 State of Risk report (registration required) from Chicago-based IT security services provider Trustwave.
The company surveyed 476 IT and security professionals, three-quarters of which work at SMBs (up to 1,000 employees). Respondents originate from more than 50 countries, although the majority of them are based in the United States, United Kingdom and United Arab Emirates.
Of those companies surveyed, 81 percent store financial data. But despite the sensitive nature of such information, many businesses leaders don’t take big enough of stake in securing it, said Greg Rosenberg, security engineer at Trustwave. Although most organizations "touch some sort of sensitive information, they're getting little executive support from a risk prevention perspective," he told Small Business Computing.
Forty-five percent of businesses reported that their board or senior management plays only a partial role in data security. Nine percent said there was no involvement from higher-ups at all.
Small Business Security: Out of Sight, Out of Mind
Small businesses struggle to track and control sensitive data, with 63 percent of respondents reporting they lack effective tools and procedures. Nineteen percent don't even bother.
Less than half (49 percent) of those surveyed said they fully encrypt their data stores, while 31 percent admitted to taking a piecemeal approach to encryption. A full 20 percent don't encrypt their sensitive data at all.
As bleak as it seems, there is a silver lining in Trustwave's data. A majority of respondents (80 percent) said that they have security incident response procedures in place, which allow IT workers to nip potential threats in the bud.
A small blip on the security radar can quickly mushroom into major breach. To prevent such an outcome, Trustwave recommends that small businesses establish a process "where employees and third parties can report events no matter how minor they appear—immediately and without fear of reprisal."
Hackers Chase More than Just Money
Even though 47 percent of the small businesses surveyed stated that their computer systems are not loaded with credit card numbers and bank information, there's still plenty of data that's attractive to hackers.
Seventy-one percent of respondents said they store and process intellectual property, while 58 percent revealed that they handle sensitive business-to-business data, all of which make tempting targets. "Theft of non-payment data has skyrocketed," said Rosenberg. "The market for these types of information has grown," giving hackers an incentive to grab information that has little, if anything, to do with cash.
Small businesses may be tempted to outsource their data protection to IT and data management services, but that doesn't mean that they should let their guard down, said Rosenberg. Yet many do.
Trusting Third Parties
Fifty-eight percent of businesses engage third-party providers to manage sensitive data, yet less than half (48 percent) have a program in place to manage those third parties. Essentially, many small businesses hand over their data and wash their hands of it.
Perform your due diligence, urged Rosenberg. IT and cloud service providers "handle or come into contact with your critical assets" and should therefore come under the same scrutiny those assets deserve.
Check up on their financials, he suggested. They may take your money today, but that's no guarantee that they'll be around for the long haul. The industry is littered with cloud providers that left their customers scrambling for alternatives on short notice. "What will you do if they go belly up?" said Rosenberg.
Trustwave recommends that before allowing third-party providers access to systems and data, small business owners "need to sign off on all appropriate contracts and agreements. These include non-disclosure agreements, service-level agreements and appropriate certifications. Also consider legal issues, depending on jurisdiction."
Don't trust a vendor's worry-free claims, "take it for a spin," advised Rosenberg. Don’t simply shove your IT needs onto a third-party and then never interact with it—or them— again, he added.
Pedro Hernandez is a contributing editor at Small Business Computing. Follow him on Twitter @ecoINSITE.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|