The Sookasa Blog

The Curious Security Mindset of the Fortune 500

In our time building security solutions for consumers, small-to-medium businesses, and enterprises, one of the things we’ve found most striking is the difference in mindset among these types of organizations.

You might see it when reading between the lines every time there’s a new data breach in the news. The message? Even with a security budget that can fund a small country, there are enterprises out there who don’t take security seriously because they’ve deemed it cheaper for them to deal with a breach than to spend money on the infrastructure to prevent it.

A recent report showed that huge companies are more willing to pay for the aftermath of a data breach than to deploy preventative measures in the first place. For companies like Target and Home Depot, both of which were breached last year, the cost of cracking down on security apparently wasn’t worth it. For instance, Target’s massive breach last year cost the company a mere 0.1 percent of its annual revenue—even if it meant spending a quarter-billion dollars to deal with the data breach and the ensuing 140 lawsuits. Just this week, Target announced another $39 million settlement with banks and credit unions that lost business. It was a similar story at Home Depot. The home improvement giant lost 56 million credit card numbers, but had to spend less than 0.01 percent of its 2014 revenue mitigating the breach. Sure, these mega-companies suffered some reputational damage (though evidently not enough to stop people from shopping there after the initial shock)—but the stakes were much higher for the hundreds of millions of customers who had their credit card numbers, addresses, and other personal information revealed.

Time and again we’ve met with business leaders who want to know what big, successful companies are doing and how they can emulate them. But emulating Fortune 500 companies comes at a cost—literally. They simply operate with a different mindset than many smaller companies, particularly when it comes to spending money.

The best advice we can give a small or mid-sized business owner is to actually do what the huge companies don’t: Secure your corporate and client data before a data breach forces you to reconsider your security policies—and suffer the financial and reputational consequences. Without massive budgets, mid-market businesses must get smarter about security solutions that are actually usable. It’s a good idea to find sensible tools that fit your business’ budget and allow you to actually act on risks, rather than distracting you with too much information.

It’s counterintuitive to think that smaller organizations have more at stake. Only a few retail behemoths can really say that paying out a quarter-billion dollars is a drop in the bucket not worth preventing (never mind the responsibility they owe to customers). In reality, most businesses suffering from data breaches are much smaller—and are hit much harder.

The average cost an organization pays after being hit by a data breach is $6.5 million, which includes engaging forensic experts, providing free credit monitoring to affected clients, conducting an investigation, and dealing with customer loss. According to the Bank of America Small Business Owner Report, a small business in 2015 ranges in annual revenue from $100,000 to $5 million—meaning that a single breach can be a substantial hit to a small business’ profits.

By necessity, a mid-market business’ mindset must focus on protecting all corporate and client data before it’s too late. A smaller business storing sensitive client data and confidential financial information must know where its sensitive information is being kept at all times in order to adequately protect itself from a breach and stay afloat. Research has shown that even the simple addition of encryption tools to a business’ security protocol can decrease the cost of a data breach by $19 per breached record—and that can really add up.

Unfortunately, the cavalier security mindset adopted by so many enterprises instead is, quite frankly, a dangerous one. It puts real people’s sensitive information at real risk, and it’s not hard to see the ripple effects of this reckless attitude: We’ve practically come to take breaches as an inevitable part of running a business. In the long run, not having adequate security measures can only backfire, no matter how much money a business is able to throw at the problem in the aftermath.