Small to Mid-Sized Businesses (SMBs) depend on IT to run operations, engage and retain customers, manage supply chains, and deliver products and services. Besides managing internal systems, IT teams establish and facilitate communication modes among departments for smoother workflows and interoperability. Business communication technologies, therefore, have become a critical operational facet.
These technologies, in turn, generate an enormous volume of data (emails, group chats, and direct messages) as they carry a constant back-and-forth of files, records, and business-critical information between employees and across channels. Without proper data governance, SMBs open themselves to cybersecurity risks and data loss.
The consequences of data loss can be devastating. According to IBM’s 2022 report, the average data breach cost is $4.24M, the highest in 17 years. Email, a critical platform for SMBs, is also identified as “the riskiest channel for data loss” by 65% of organizations, according to a 2022 study by the Ponemon Institute and Tessian.
But data governance also has another dimension: business protection. Compliance demands are escalating, as are lawsuits. Privacy protections are on the rise globally.
SMBs often turn to their solution providers—Managed Service Providers (MSPs), web hosters, and Internet Service Providers (ISPs)—to manage or even completely outsource their IT.
These solution providers have an opportunity, perhaps even a responsibility, to guide their SMB customers through data protection practices, whether for emails or other third-party SaaS providers. They must understand the business needs and risks around data backup and data archiving, especially in highly regulated industries, to deliver the reliable, inclusive solutions SMB customers are counting on.
The Three Main Vulnerabilities of SMBs
While major breaches get big headlines, in reality, cybercriminals also target smaller businesses. According to Verizon, 28% of data breach victims in the US are smaller, more vulnerable businesses. According to the National Cyber Security Centre, 38% of SMBs report suffering from cyberattacks in the UK. This is because SMBs often lack the security awareness and defense mechanisms that large enterprises have, making them easier to penetrate.
For a smaller company with tight resources, the effects of a breach can be far more detrimental than for a larger corporation with better reserves to weather such storms.
The average data breach cost of $4.24M stems from a broad range of breach consequences:
- Loss of data – Even “small instances” (about 100 compromised or lost records) of data loss can cost organizations between $18,000 and $36,000.
- Loss of finances – Data loss can result in downtimes and outages, which can greatly impact revenue.
- Loss of customers – Data loss may also result in loss of customer trust and loyalty. Sometimes, it results in stakeholders, and even investors, jumping ship.
- Legal fees – Companies will often pay lawyers to advise them on what disclosures are necessary. Legal firms will also help deal with industry regulations and contract commitments, whether international, federal, or state.
- Fines and penalties – The largest penalty imposed so far due to unprecedented data loss went to Equifax: they were forced to pay a hefty $575M fine for losing the data and records of 145 million customers in 2019.
- Costs associated with mandatory breach notification steps – Companies have a responsibility to report to their customers and stakeholders whenever they experience data loss, and costs are also associated with that – e.g., the cost to notify and offer credit monitoring to every victim.
Longer term, there can be lawsuits, reputational damage, added technical infrastructure costs, and other costs associated with additional third-party services that the courts may call into the mix.
Another significant risk to SMBs is lawsuits. Some eye-opening stats:
- 36% to 53% of small businesses are sued yearly.
- About 45% of small businesses are currently involved in litigation.
- There are around 12 million contract lawsuits filed every year against small businesses.
- Over 75% of small business owners are concerned that they’ll be targeted for a lawsuit.
- The average liability suit costs at least $54,000.
- A small business earning $1 million yearly would typically have $20,000 in litigation fees.
Whether suits are frivolous or grounded, a response is always required, and a defense statement is frequently in demand. The most common lawsuits for SMBs are:
- Employee claims of discrimination – 61% of U.S. employees have experienced or witnessed discrimination based on age, race, gender, or sexual orientation.
- Wrongful termination – According to data from the US Equal Employment Opportunity Commission, about 61,331 wrongful termination lawsuits were filed in 2021 alone.
- Wage and hour violations – Wage theft occurs when employers fail to pay wages or provide employee benefits owed to an employee by contract or law. Los Angeles is the wage theft capital of the US; LA workers alone lose $1.4 billion to wage theft every year. Workers in Chicago and New York are close behind. Collectively, the three cities account for $3 billion in wage theft each year.
- Contract disputes – According to legal services firm Rocket Lawyer, contract disputes make up about 60 percent of the roughly 20 million civil cases filed yearly.
The company [Rocket Lawyer] also points out that keeping good records is a critical step in protecting a business in case of a lawsuit.
Part of those well-documented facts should include a thorough data trail, accessible through the discovery of rigorously archived correspondences. Archiving solutions that maintain these correspondences should also have features that enable legal holds, evidentiary discovery, quick search capabilities, and more.
Regulations and Compliance
A most challenging area of risk for SMBs is the increasing amount of regulation and oversight to which many are subject. Data backup, discovery, and compliance are vital for those in heavily regulated industries dealing with sensitive information:
- Financial Services
- Government and Public Administration
- Law Firms
- Oil & Gas Industries
- And more…
While compliance is burdensome, non-compliance can be catastrophic, especially for a smaller company that lacks the resources to endure lengthy audits and pay hefty fines. Many SMBs may be unaware of all the regulations affecting them and risk violating them.
Solution providers who can educate their SMB clients about the risks of non-compliance will help them avoid costly fines, revoked permits, or other repercussions. They will also establish themselves as trusted advisors who stand to reap long-term relationships with their customers.
Table 1 – Laws and Regulations Governing US Entities (Partial List)
US Entities and Organizations
Regulations and Agencies Governing Compliance Requirements
Internal Revenue Service – income tax
All Federal and State Agencies
Freedom of Information Act (FOIA)
All Public Companies
Sarbanes-Oxley Act (SOX)
Banks and Financial Institutions
Federal Deposit Insurance Corporation (FDIC)
Credit Card and Card Processing Companies
Payment Card Industry Data Security Standard (PCI DSS) (self-regulatory)
Department of Defense Contractors
Health Insurance Portability and Accountability Act (HIPAA)
Securities and Exchange Commission (SEC) 204-2
Pharmaceuticals, Biological Products, Food Manufacturers
Food and Drug Administration (FDA) Title 21, Part 11
Securities Firms, Investment Bankers, Brokers and Dealers; Insurance Agents
Securities and Exchange Commission (SEC) 17a(3) and 17a(4)
Federal Communications Commission (FCC) Title 47, Part 2
Table 2 – Entities and Regulations Governing Non-US Countries (Partial List)
Non-US Entities and Organizations
Regulations and Agencies Governing Compliance Requirements
Office of the Australian Information Commissioner
APEC Ministers (numerous countries)
Asia-Pacific Economic Cooperation Privacy Framework (voluntary compliance)
Office of the Privacy Commissioner of Canada
Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
Japan Ministry of Internal Affairs and Communications
Multiple communications acts
Hong Kong Office of the Privacy Commissioner for Personal Data
Personal Data Ordinance
Note: All organizations should consult legal and financial professionals to ensure they fully understand their obligations.
3 Key Goals for a Secure and Compliant Business
Reducing Data Footprint
Companies should keep only the data that normal business operations and their industry’s regulations require, which maximizes efficiency while minimizing cost. This calls for a system that automatically and flexibly retains data according to retention policies specific to the industry. Such a system reduces both storage expenses and risk.
- Understand relevant regulations – A solid grasp of both general and industry-specific regulations helps determine critical data retention policies the company should adhere to.
- Implement a comprehensive data archiving system – An automated, comprehensive data backup and data archiving system should be able to either delete the data or transfer it into long-term storage after the fixed retention period has passed. It should also enable businesses to put a legal hold on said data, especially when information is needed for litigation.
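The two steps above describe a retention engine: a per-record-type retention period, an expiry action (delete or move to long-term storage), and a legal hold that overrides both. The following is an added example written for this page, not Dropsuite’s code; the policies, record types, timestamps and matter identifiers are constructed, and an unknown record type is deliberately retained rather than disposed of, since silent deletion is the failure mode a compliance reviewer worries about most.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed example, not Dropsuite code: a minimal retention engine that
# applies per-record-type retention periods and never disposes of a record
# that is under an active legal hold.


@dataclass(frozen=True)
class RetentionPolicy:
    record_type: str        # e.g. "email", "chat"
    retain_for: timedelta   # how long the record must be kept after creation
    expiry_action: str      # once retain_for has elapsed: "delete" or "archive"


@dataclass
class Record:
    record_id: str
    record_type: str
    created_at: datetime                   # timezone-aware creation timestamp
    matter_holds: frozenset = frozenset()  # legal matters this record is tied to


def evaluate_record(record, policies, active_holds, now):
    """Return the disposition for one record: 'hold', 'retain', 'delete' or 'archive'.

    Precedence: an active legal hold beats every policy; a record type with no
    policy is retained (fail safe) rather than auto-disposed; otherwise the
    record is kept until its retention period elapses, then the policy's
    expiry action applies.
    """
    if record.matter_holds & active_holds:
        return "hold"
    policy = policies.get(record.record_type)
    if policy is None:
        return "retain"
    if now - record.created_at < policy.retain_for:
        return "retain"
    return policy.expiry_action


def plan_disposition(records, policies, active_holds, now):
    """Map every record id to its disposition so the plan can be reviewed before it runs."""
    return {r.record_id: evaluate_record(r, policies, active_holds, now) for r in records}


# Hypothetical policies (assumed, not drawn from any regulation): keep email for
# seven years then move it to cold storage; keep chat for one year then delete.
POLICIES = {
    "email": RetentionPolicy("email", timedelta(days=7 * 365), "archive"),
    "chat": RetentionPolicy("chat", timedelta(days=365), "delete"),
}

# Constructed sample records and a fixed "now" so the result is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
RECORDS = [
    Record("mail-001", "email", datetime(2016, 6, 1, tzinfo=timezone.utc)),
    Record("mail-002", "email", datetime(2023, 11, 15, tzinfo=timezone.utc)),
    Record("mail-003", "email", datetime(2015, 3, 10, tzinfo=timezone.utc),
           frozenset({"matter-42"})),
    Record("chat-001", "chat", datetime(2022, 1, 1, tzinfo=timezone.utc)),
    Record("doc-001", "contract", datetime(2010, 1, 1, tzinfo=timezone.utc)),  # no policy
]

if __name__ == "__main__":
    for rid, action in plan_disposition(RECORDS, POLICIES, {"matter-42"}, NOW).items():
        print(f"{rid}: {action}")
    # Once the matter closes and the hold is lifted, the ordinary policy applies again.
    print("mail-003 after hold released:", evaluate_record(RECORDS[2], POLICIES, set(), NOW))
```

The plan is computed as data before anything is deleted, which is the shape an auditor wants: the disposition list can be logged, reviewed, and compared against the active hold register before the archive acts on it.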
Compliance is a time-consuming effort. However, best practices reduce wasted time to a minimum. A key example is making the process of archiving, discovery, and backup more straightforward.
- Provide easy-to-use features – As necessary, effective data backup and data archiving solutions should enable intuitive and easy-to-use functionalities like search, eDiscovery, and quick restoration.
- Enable email integration – An effective archiving system should also integrate with email ecosystems, like Microsoft 365 and Google Workspace, for a seamless experience that does not force users to learn or re-learn a different set of programs or processes. This capability should extend to the collaboration platforms and chat applications SMBs use, since the types of data usually sent via email are also transmitted through these tools.
Finally, the ultimate goal of compliance is risk reduction. Organizations want to avoid data loss and breaches, sanctions and fines due to non-compliance, and risks like cybersecurity attacks and insider threats. An efficient system that controls access and retains data according to industry policies, protected by robust data encryption, is an excellent solution.
- Use strong encryption – Modern encryption solutions use, at a minimum, AES 256-bit encryption for data at rest and Transport Layer Security (TLS) for data in transit. Together these layers protect your data wherever it is stored and wherever it travels.
- Control unauthorized access – Protecting customer data means ensuring no tampering, unauthorized access, or malicious destruction/deletion of records happens. Seek solutions that provide these safeguards to protect your data and, simultaneously, provide recourse in the event of a breach.
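The tampering and malicious deletion named in the last item are only detectable if the archive itself is tamper-evident. The following is an added example written for this page, not Dropsuite’s code: each archived record gets an HMAC tag computed over the previous record’s tag, its sequence number and a hash of its content, so that editing, deleting, reordering or re-keying any record breaks verification from that point onward. The key, the sample messages and the function names are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed example, not Dropsuite code: a tamper-evident archive log.
# The key is an assumed placeholder; a real deployment keeps it in a KMS or
# HSM that the accounts able to write to the archive cannot read.
GENESIS_TAG = "0" * 64
DEMO_KEY = b"placeholder-archive-key-not-for-production"

# Constructed sample records (not real mail).
SAMPLE_MESSAGES = [
    {"id": "msg-1", "from": "ceo@example.test", "subject": "Q3 forecast", "body": "Draft attached."},
    {"id": "msg-2", "from": "hr@example.test", "subject": "Offer letter", "body": "Please sign by Friday."},
    {"id": "msg-3", "from": "legal@example.test", "subject": "Hold notice", "body": "Preserve all Q3 files."},
]


def _entry_tag(key: bytes, prev_tag: str, seq: int, payload: str) -> str:
    """HMAC over (previous tag, position, content hash): the link in the chain."""
    content_hash = hashlib.sha256(payload.encode("utf-8")).hexdigest()
    msg = f"{prev_tag}|{seq}|{content_hash}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(chain: list, key: bytes, payload: str) -> dict:
    """Append one archived record (e.g. a serialized email) to the chain."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    seq = len(chain)
    entry = {"seq": seq, "payload": payload, "prev_tag": prev_tag,
             "tag": _entry_tag(key, prev_tag, seq, payload)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(chain):
        expected = _entry_tag(key, prev_tag, i, entry["payload"])
        if (entry["seq"] != i or entry["prev_tag"] != prev_tag
                or not hmac.compare_digest(entry["tag"], expected)):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_sample_chain(key: bytes = DEMO_KEY) -> list:
    chain = []
    for msg in SAMPLE_MESSAGES:
        append_entry(chain, key, json.dumps(msg, sort_keys=True))
    return chain


def demo_detections(key: bytes = DEMO_KEY) -> dict:
    """Apply four kinds of tampering to copies of the chain and report what verification sees."""
    chain = build_sample_chain(key)
    edited = copy.deepcopy(chain)
    edited[1]["payload"] = edited[1]["payload"].replace("Friday", "Monday")  # content edit
    deleted = [e for e in chain if e["seq"] != 1]                            # record removed
    reordered = [chain[0], chain[2], chain[1]]                               # records swapped
    return {
        "intact": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "reordered": verify_chain(reordered, key),
        "wrong_key": verify_chain(chain, b"some-other-key"),
    }


if __name__ == "__main__":
    for scenario, result in demo_detections().items():
        print(f"{scenario}: {result}")
```

The value of the chain is that it localizes damage: verification reports the first entry that no longer matches, which tells an incident responder exactly where to start comparing against the last known-good backup. Because only the key holder can produce valid tags, an attacker who gains write access to the archive storage but not to the key cannot re-sign the records they changed.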
Securing Data and Compliance with Dropsuite
Backup and archiving solutions play a vital role for SMBs. They cover organizations’ three significant business gaps: data breaches, lawsuits, and compliance.
Dropsuite specializes in helping SMBs protect and secure their data. Our cloud-based solution allows businesses to efficiently back up, store, preserve, and quickly restore data at a moment’s notice. Dropsuite works across a range of cloud-based ecosystems: Microsoft 365, Google Workspace, IMAP-POP, and Hosted Exchange.
Our data backup and data archiving capabilities help companies provide business compliance and enable business continuity through the following:
- SMBs avoid coercion by threat actors because their records, emails, and business-critical files are safe and backed up.
- Data loss is minimized or entirely averted.
- Recovery from an attack can be quick and unhindered.
- SMBs can set flexible data retention periods that match the compliance requirements and regulations of their industry.
- Legal or time-based holds applied to pertinent information help address lawsuits and quicken the discovery process.
With Dropsuite, SMBs can address risks, reduce their data footprint, and maximize productivity. Learn more about how Dropsuite secures business-critical data for big and small companies. Contact our experts here.