We’ve become accustomed to data breaches. For consumers, data breaches are irritating, can be inconvenient, and sometimes create identity theft issues for those affected. Consumers expect “the big boys” to have data security and privacy under control. They take offense when their personal data is compromised, and they assume that a data breach occurred because of a lack of rigor in process, or a lack of investment in technologies and methodologies designed to protect their information. Many companies have managed the risk associated with data breaches by making sure their insurance limits are adequate to cover the eventuality. That’s a prudent part of an overall response strategy. However, proactive strategies and planning can also reduce (though not eliminate) the likelihood of a breach occurring.

Though it seems as if breaches are more frequent, it is unclear whether the success ratio of hackers is actually increasing. The big breaches may seem to suggest hackers are having an easier time. But perhaps, with all the attention focused on data security over the past 10 years, more effort is now required to find and exploit a large vulnerable target.

This may be a reason why hackers are starting to go downstream, in terms of the size of their targets – to find easier pickings. And the consequences to smaller businesses may be even more drastic. A few stats suggest that attackers are focusing more and more on small businesses: In August 2013, PC World reported that 31% of hacks occur at companies with fewer than 250 employees. Twenty percent (20%) of small businesses will be victims of cybercrime each year. The National Small Business Association’s 2014 survey results indicated that 44% of its members reported having at least one cyber-incident. Similarly, Business News Daily reported in November 2014 that the National Cyber Security Alliance says that 71% of all security breaches target small businesses, and nearly half of all small businesses have been victims. Even more troubling, the PC World article estimated that 60% of small businesses falling victim to cybercrime will be out of business in 6 months. The Business News Daily article in 2014 repeated the 60% failure rate statistic. Shockingly, despite what appears to be an extremely high risk of their business failing if they suffer a successful cyber attack, almost 90% of small and medium businesses in the U.S. do not use data protection for company and customer information, according to a Guardian magazine report in January 2015, citing McAfee as a source.

The numbers are a bit confusing. And the size or revenues of businesses that fall into the ‘small or medium business’ category are not clearly defined. Nonetheless, there’s an unmistakable take-home message from these statistics. Small businesses are huge targets for cyber attackers, and if your small business is successfully attacked, the odds of business longevity drop significantly based on this event alone.

So, if you’re a small or medium-sized business, what should you do? First and foremost, small and medium businesses need policies, plans, and strategies to protect themselves and minimize vulnerabilities. Organizations of all sizes need information security plans, based on thorough and regular risk assessment, and those plans should include breach response procedures. (See our previous post on Breach Response Plans.) These sound like heavyweight, expensive, and perhaps overwhelming projects for a small business. But they don’t have to be, and the right consultants and advisors can help. Alternatively, consider the potential consequence of doing nothing.

Information security planning is not only the purview of the multi-billion-dollar company. It’s the purview of every company, regardless of size.