Study finds 55 percent of SMBs were breached in 2012

handsonkeyboardOver half of small businesses surveyed by the Ponemon Institute as part of a recent study experienced some sort of data breach last year. Out of the affected businesses, a great deal of breaches were ignited internally, either by mistake or on purpose by employees and contractors.

eWeek reported that many of the breaches that were merely accidents were caused primarily by lost or stolen laptops and smartphones, as well as errors in following security policy.

Shockingly, only 33 percent of these businesses notified those affected—this challenges the 46 states that have legislation requiring enterprises to let people know when their sensitive information has been compromised.

Of the sample surveyed, 85 percent said they had third party vendors with whom they shared customer and employee information such as billing, payroll, benefits, web hosting and IT services. Often companies outsource sensitive information to outside vendors who specialize in areas like PCI and HIPAA compliance without even considering these vendors’ security standards. Third party vendor auditing is something that often goes overlooked and can lead to breaches like the ones reported by the Ponemon Institute.

“Smaller companies are targeted by data thieves, but they often don’t know how to respond when sensitive information they keep on customers and employees is lost or stolen,” said Eric Cernak, vice president of Hartford Steam Boiler. “Failing to act in a timely and effective way can harm the reputation of businesses and even risk legal penalties in many states.”

The survey further found that 53 percent of the sample had had multiple breaches. This information suggests that hackers take advantage of the vulnerabilities that Cernak pointed out, and that small businesses are especially at risk for breaches. Unfortunately, the average cost of a data breach in 2011 was $194 per lost or stolen record.

The reason that breaches can be so costly is that on average, companies don’t even know that insider fraud has occurred until 87 days after the fact. Once they do know, it takes over three months to uncover the cause of the issue, reported ZDNet’s Joe McKendrick.

For companies of any size, lost or stolen data can not only be extremely costly, but it can also be disastrous to the firm’s credibility.

Whether your company needs a vulnerability assessment performed, full-time staff, or an Executive Search, contact Tiro Security for all of your information security needs.