Why Bother with an Information Security Program?

by Sarah Harvey / November 22nd, 2019

When headlines about companies like Capital One, Imperva, Marriott, Target, or Home Depot becoming victims of a data breach are released, we understand why small and medium-sized businesses start wondering if their efforts put towards an information security audit are worth it. If enterprise-level companies and household names can’t protect themselves, why should startups and smaller companies even try? If they can’t do it, no one else can either, right? Wrong. If your organization tends to align with this dangerous, unproductive line of thinking, then this blog post is for you. The threats you’re up against are real, but you can protect yourself and your clients’ data – you may just need some help establishing an information security program.

You vs. Them

Hackers don’t discriminate based on company size, industry, or location. They’re after sensitive assets like PHI, CHD, passport information, dates of birth, travel reward numbers, and Social Security numbers. The methods they use to go after small, medium, and enterprise-level businesses are different, though.

Hackers cast a wide net to catch small and medium businesses in their areas of weakness. When they can send phishing emails to 100 companies with 100 employees, the odds are good that an untrained, unaware employee will fall for it – even better if it’s an employee who should know better. There are plenty of breaches that happen each day that could have easily been prevented by security testing, employee training, or a basic information security program. How frustrated would you be if one employee clicked on a malicious link and it cost you hundreds of thousands of dollars, when security awareness training could’ve prevented this entire situation?

For enterprise-level businesses, hackers have more to gain, so they can spend more time planning and executing an attack. They can spend months testing their methods and observing vulnerabilities, maybe even collaborating with other hackers. This is something that, unless you have extremely sensitive data, you probably don’t have to worry about. Does that mean you shouldn’t have an information security program? Absolutely not.

Protect Yourself

When a data breach happens, it’s not just your clients who are impacted. Your name is in the headlines, and you’re the one who will pay for it (literally).

Legal Ramifications – New, state-level breach notification, cybersecurity, and privacy laws are consistently passed, with non-compliance resulting in hefty fines. When you ignore these laws or try to find loopholes, there will be legal ramifications to face.

Regulatory Responsibility – If you are subject to a regulatory body, what will happen if they find your organization non-compliant?

Costly Consequences – According to IBM, the average cost of a data breach in the United States is $8.19 million, with 67% of the cost occurring within the first year, coming from data breach detection and escalation, notification cost, incident response, and lost business. Does this cost outweigh your hesitancy to establish an information security program?

Competitive Disadvantage – If you don’t establish an information security program and have a data breach, your competitors can learn from your mistakes and use your data breach during sales conversations. If you don’t establish an information security program and haven’t been a victim of an attacker yet, your competitors can still have an advantage over you by pursuing information security audits to prove their commitment.

Protect Your Clients

When a client trusts you with their sensitive data and you can’t even provide them with evidence of your commitment to protect that data, do you think they’ll be loyal clients? Is the cost of an audit or information security personnel worth more to you than client data being sold on the dark web? According to Symantec, here’s what hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-$20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-$35

When you have no formal information security program in place and no way of showing it even if you do, your clients won’t be satisfied with your service. In some cases, a client legally cannot contract your service without seeing your audit report or policies.

Partner with KirkpatrickPrice

When you have the right partner, information security best practices can be an integral, sustaining part of your business. Audits are hard. We get it. But, they’re the only way to prove your commitment to protecting your clients and protecting yourself. Let’s partner together to define an accurate scope, implement industry best practices, and establish an information security program that will protect you and your clients.

KirkpatrickPrice is an audit firm whose goal is to provide the guidance you need to embark on a successful compliance journey. You don’t have to settle for choosing a partner that conducts an audit and leaves you with unanswered questions and worries, or who holds you to unrealistic expectations. Contact KirkpatrickPrice to get the partner your organization deserves to have on its compliance journey.
