A Ponemon Institute survey of small businesses throughout the United States found that 55 percent of those responding have had a data breach, almost all involving electronic records, and 53 percent had multiple breaches, suggesting the nation’s small to midsize businesses (SMBs) are at serious risk of a data breach.
The primary causes of the data breaches were employee or contractor mistakes, such as lost or stolen laptops, smartphones and storage media, as well as procedural mistakes. Only 33 percent notified the appropriate people affected, even though 46 states require that individuals be contacted when their private information is exposed.
At least 85 percent of those surveyed said they share customer and employee records with third parties such as those providing billing, payroll, employee benefits, Web hosting and IT services. When asked which type of lost or stolen data was more likely to harm their business, 70 percent agreed the loss of personally identifying information was more damaging than confidential company data.
"Smaller companies are targeted by data thieves, but they often don't know how to respond when sensitive information they keep on customers and employees is lost or stolen," vice president of Hartford Steam Boiler Eric Cernak said in a statement. "Failing to act in a timely and effective way can harm the reputation of businesses and even risk legal penalties in many states."
The survey, conducted for The Hartford Steam Boiler Inspection and Insurance Company (HSB), part of Munich Re, also indicated sensitive information is more likely to be compromised when the data has been outsourced.
Seventy percent of respondents said they felt that way about outsourced data, but 62 percent admitted they do not have contracts that require third parties to cover all the costs associated with a data breach. However, the survey indicated 70 percent of small business owners would purchase insurance to help pay for the costs if data is breached.
A March 2012 report from Ponemon found the top three root causes of data breaches were employees' loss of a laptop or other mobile data-bearing device (35 percent), third-party mishaps or flubs (32 percent; defined by Ponemon as a third-party vendor that has another company's data stolen or lost by the vendor, and the cause of data loss is unknown) and system glitches (29 percent).
That report also found that even when employees make unintentional mistakes, most of these breaches are only discovered accidentally, according to 56 percent of respondents. Only 19 percent of respondents said that employees self-reported the data breach, which makes it difficult to resolve such breaches promptly.