Encryption: For large organizations only?
Breaches have a disproportionate effect on SMBs
Data protection for SMBs – Just a matter of degree
Stories about data security breaches are commonplace in the news. Generally, such stories tend to cover breaches at large organizations: Fortune 500 companies, governments the world over, the military, etc. Based on what’s reported, one would assume that it’s only the big guys that need data encryption software like AlertBoot endpoint security systems.
Such an assumption makes sense. Large companies have more people. More people means more computers. And with each computer being a node for a potential data breach, chances are that a big company will have more instances of data breaches.
Notice, though, that I wrote “more instances” in the last sentence. Small and medium-sized businesses will have breaches as well; it’s just that they won’t have them as often. And that may give SMBs a false sense of security.
A Breach Affects Big Companies And SMBs Differently
While small and medium businesses won’t experience breaches as often, the effects can be even more disastrous.
Consider the resources a big company has versus an SMB: big companies have deep coffers; they have outside counsel on retainer; they have PR departments. In other words, a big company is a machine that can take on most challenges. And as long as a company doesn’t go out of its way to perpetrate all-out fraud–so that the government comes after them in full force–the company will usually survive a damaging situation. I mean, notice how Union Carbide is still in business, despite its travails at Bhopal, India.
But what about SMBs? Chances are an SMB doesn’t have the resources of a Fortune 500 company. What would happen if they suffered a data breach? My guess is that the negative consequences would have a magnified effect on them.
For example, take the issue of customer turnover. TJX suffered one of the biggest (or, rather, the biggest to date) data breaches of all time, which was caused in part by their decision not to upgrade their data security. And yet, TJX found that their revenue numbers didn’t suffer after the breach. In fact, sales grew, which was contrary to expectations. Many were expecting customers to stop shopping with TJX in disgust. Polls of customers agreed with such assessments.
So, what happened? Does this mean customers didn’t care about the breach? Study after study shows that this is not the case: people get angry when their information is breached, and businesses have felt the impact of irate customers–with the exception of TJX.
I opined a couple of years back that TJX didn’t face repercussions because people who already shop at TJX can’t stop shopping there–they really don’t have options (price and distance…kind of hard to find a Wal-Mart right next to TJX and vice versa. And, if you’re shopping at a Wal-Mart or a TJX, chances are you won’t be shopping at Target). Being a low-priced behemoth in a 50-mile radius has its benefits.
But SMBs? Customer turnover resulting from a data breach could be disastrous. Unless an SMB is a monopoly in its field, chances are there will be noticeable customer turnover.
And what if they’re sued? There could be serious damage. Remember, small and medium-sized companies are designated as SMBs because they have a low employee count, not because they serve a small number of customers. In fact, the number of customers at some SMBs rivals that of some of the smallest Fortune 500 companies. If all these customers file suit against an SMB…well, the SMB could choose to vigorously defend itself, but it doesn’t have the resources of bigger companies.
Long story short: SMBs are in greater need of minimizing the chances of a data breach occurring. For large companies it’s a matter of making next quarter’s numbers; for small companies, it could be a matter of survival.
Data Protection For SMBs – Not Overkill, Just As Necessary
And from a survival perspective, it may turn out that investing in data protection is not overkill, but even more necessary for SMBs. In fact, I don’t see how any security measure can be overkill: the requirements for protecting the data of a small business will be pretty much the same as for big businesses; the difference will lie in the scale.
For example, all types of businesses need firewalls; data encryption software for laptops, desktops, and external drives; file encryption software for files that are copied around, say, via e-mail or to a CD. But, bigger companies need more of them: more licenses for hard drive encryption software, for example.
So, if there are any SMBs out there that believe that, because they’re copying the strategies employed by their bigger brethren, they’ve gone a little overboard, this may not be the case.
Are you employing the same strategies but scaling them down to what your needs are? If you are, you haven’t gone overboard; you’re just being smart about data security:
You use laptop data protection, but not at the scale the NSA would employ it.
You host information at a data center that employs a high level of security. But, it’s nothing like that of a Wall Street investment bank that has a data center six stories underground and protected by a SWAT team-equivalent.
Same technologies, same tools, same practices–just a little lower in intensity than what the big guys use (but, of course, still following accepted secure practices–there’s no point in having “security as a show” solutions).
Granted, the use of encryption means that there are background processes that need to be taken care of, such as encryption key management, which are not easy to do for the average person. But, there are services out there that offer encryption as a service which will take care of a lot of the headaches that would require hiring an IT and security consultant.