Loss of Critical Information Threatens SMBs

Thursday, June 24, 2010

Anthony M. Freed


The average cost of an information security event for a small to medium size business (SMB) is $188,242, according to a new report published by Symantec from data collected by Applied Research, and unauthorized access to sensitive data was rated the single greatest threat to corporate viability.

As reported in DarkReading, "The respondents ranked data loss and cyberattacks as their top business risks, ahead of traditional criminal activity, natural disasters, and terrorism, according to the report."

And it is not merely booked losses and overall risk awareness that have seen an increase - the level of resources being consumed by information security efforts has also continued to grow.

"SMBs are now spending an average of $51,000 a year -- and two-thirds of IT staff time -- working on information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness," the report reveals.

And what is wrong with data like this? Nothing, except for what it says to those SMBs still trying to decide their company's direction regarding future investment in technology and security.

According to the data, if an SMB only suffered an average loss from compromised data systems every four years, they would save money compared to a company with an average security outlay.

And even worse, the company that did make the investment in security has no guarantee they will not suffer a data loss event in the same period, as the study also reveals: "forty-two percent [of SMBs] have lost confidential or proprietary information in the past. All of the companies that lost data reported seeing direct financial losses, such as lost revenue or costs in money or goods. Seventy-three percent of the respondents were victims of cyberattacks in the past year. Thirty percent of those attacks were deemed somewhat or extremely successful. All of the victims saw losses -- such as downtime, loss of important corporate data, or loss of personally identifiable information of customers or employees..."

So is security bunk? The simple answer is No.

Information security best-practices do not create an impenetrable bubble of protection, but it does offer mitigation of risk if and when an event does occur.

Good security practices are like a healthy diet, and compliance audits are something like rigorous exercise. Neither will guarantee you a long and disease free life, but it is a fact that a poor diet and lack of exercise simply invites problems.

It is the same for information security efforts for the SMB. The Symantec report presents data as averages, and it is the quality and due diligence of corporate security programs that will decide which side of average your company will fall.

If you are charged with security responsibilities at an SMB and are looking to control costs and have a healthy security program, go find yourself a nice independent consultant (the Doctors) who you are comfortable with, and who truly understands the particular risk set in your business sector.

Then, under professional guidance, investigate the menagerie of managed security services (the HMOs) available in the market place, and find the services that best fit your needs and budget.

And finally, spend some time researching some of the issues yourself, as there is a wealth of information and free tools available online that can help you cut down your risk profile immediately, and at no cost - InfosecIsland.com is just such a place.

Possibly Related Articles:
Budgets Breaches
Data Loss Budgets
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.