Research performed by Dimensional Research demonstrated something most of us already know: just about every business cares about data privacy and intends to do something to protect sensitive information. But when you cross-tabulate the results to look more closely at what organizations are actually doing to keep private data private, the picture is sadly predictable. Smaller companies care about data privacy just as much as big ones do, but they're ill-equipped to do much about it. Large enterprises take more measures to deal with the issue, but they aren't that successful, either. IT is still grappling with how to protect sensitive data, which makes the state of data privacy worrisome no matter how big or small the organization is.
When we talk about topics like IT governance, data privacy, and information security, there's a tendency to imagine that these issues apply primarily to large companies with household names. As if smaller organizations don't… well, not exactly don't care, but have so much to juggle, and so few IT staff available to do the juggling, that such matters get little attention.
As it turns out, that's not precisely so. Small and midsize businesses care about data privacy. They care a lot.
A recent survey of IT and business professionals responsible for corporate data, sponsored by Druva, shows that 93% of respondents, across all company sizes, are challenged by data privacy. (You can download the report to see the results yourself, or get a broad overview from this infographic.)
However, differences emerge when we drill a little deeper into the data to learn how company size affects organizational behavior regarding privacy safeguards. Admittedly the data is less trustworthy here, since the sample size for each category gets somewhat small, but the trends are clear enough that you and I can draw some useful (if not precisely scientific) conclusions.
Larger organizations put more energy into protecting the privacy of sensitive data; after all, they have to contend with greater risks. A single stumble can result in major corporate embarrassment, such as millions of customer records being stolen. So we see 77% of businesses with more than 5,000 employees reporting that they are investing more effort in this area in 2015, as are 100% of companies with 1,000-5,000 employees.
But data privacy urgency affects smaller businesses, too, because you don't need to be a big organization to have your finger on personally identifiable or other private data. Even among the tiniest companies, those with under 100 employees, 83% are investing more in data privacy protection this year; so are 72% of those with 100-1,000 employees.
What’s different is not the perceived urgency of data privacy and
other privacy/security matters. It’s what companies are prepared (and
funded) to do about it.
Large companies have more resources, such as the opportunity to offer
and enforce employee training. And indeed, when it comes to training
employees on data privacy, 82% of the largest organizations do tell the
people who work for them the right way to handle personally identifiable
data and other sensitive information. Similarly, 71% of the businesses
with 1,000-5,000 employees offer such training.
However, even though smaller companies are equally concerned about
the subject, that concern does not trickle down to the employees quite
so effectively. Half of the midsize businesses offer no such training;
just 39% of organizations with under 100 employees regularly train
employees on data privacy.
Another example of the difference in organizational behavior is security audits. It's become commonplace, if not exactly routine, for organizations to conduct regular security audits to ensure compliance with data security standards. These are conventional in large organizations (in this study, 91% of the businesses with over 5,000 employees do regular security audits), though they are less frequent in smaller businesses (about half of companies with fewer than 1,000 employees have regular security audits).
On the other hand, data privacy audits are far less common. Just 54% of companies overall do data privacy audits regularly (compared to two thirds who do security audits), most commonly in the largest organizations: among the large enterprises, four in five regularly do data privacy audits, which means about 20% aren't policing their practices. In contrast, only 28% of businesses with under 100 employees do this kind of audit.
Auditing business practices (in any context) measures how well an organization complies with the way things are supposed to be done; it does not by itself prove that sensitive data is protected. Obviously, breaches happen even in very large companies with security teams, audits, and privacy controls. More needs to be done before IT has the controls in place to properly protect sensitive data.
So what’s the bottom line? Data privacy is becoming ever more
important to businesses of all sizes. While a data breach at a big
company may get the headlines, smaller organizations are also at risk;
after all, they’re dealing with the same personal data and the same
government and industry regulations.
The research suggests that data privacy is being treated as an afterthought to security, an alarming fact considering the rate of cloud adoption and the volume of sensitive personal data. Increased attention to the risks and greater investment in employee awareness, audits and technology safeguards can help to address the challenge. That is especially important for companies that deal with sensitive data, are moving it to the cloud, and express concern about it. And that's pretty much everyone.