IT Risk Assessments: Why Don't Companies Conduct Them?

Data breaches are everywhere! Every time you read the news online or watch the news, there is some form of Cybersecurity problem that has taken place somewhere in the world. Whether it is a credit card data breach or a healthcare data breach, there is no doubt that the security of our sensitive information is under attack now more so than ever before. Combine that with the fact that as we continue to become more “connected”, the risks only increase and provide more pathways for hackers and bad guys to gain access to your company’s sensitive information. With all that risk, organizations of all sizes fail to conduct an IT Risk Assessment of their infrastructure to identify problem areas before they are exploited. Why? Here are some common reasons that we hear from businesses of all sizes as to why they don’t conduct IT Risk Assessments, even if they are mandated by some regulation (HIPAA, PCI, etc.)

• It Can’t Happen To Me – This is probably one of the most common reasons that we hear from organizations. Many organizations out there feel as though they fall under the radar or that these data breaches happen to everyone else but not them. I attended a lecture one time given by an FBI Cybersecurity expert and he told us that there are two types of companies: The ones that have suffered a data breach and the ones that have suffered a data breach and don’t know it yet. Let that sink in for a minute before we move on to our next point!
• I’m too Small of an Organization – This is one that we hear all the time, especially when it comes to PCI Compliance. The way that the regulation is written when it comes to PCI Compliance is that EVERY organization that accepts credit cards as a form of payment must be PCI Compliant. Whether you accept 10 credit card payments per year or 10,000,000 credit card payments per year, you must be PCI Compliant. The path to getting there might be very different but they both have to get there.
• We Don’t Have the Budget – This is another big one that we come across and honestly makes sense. Everything costs money these days and running a business isn’t cheap and all costs must be accounted for. However, what happens if you do suffer a data breach? What are the costs of fines, penalties, legal fees, forensic fees, and loss of consumer confidence going to cost your business? I guarantee that no organization budgets for those numbers. Ever. Like the old saying goes, it’s better to spend a little up front to save a whole lot down the road.
• We Won’t Get Caught – This is another big one that we come across. Most organizations refer to this as a “calculated business risk.” While this is true, this can be a dangerous game of cat and mouse to play. Organizations do get caught all the time and when they do get caught, the fines are usually of the record setting nature to prove a point.

For more information on the various statistics that are out there about data breaches, who they target, and what they cost, take a look at the Ponemon Institute 2015 Cost of a Data Breach Study here. For more information on some of the steps that you can take to mitigate your risk of a data breach, download the Compass IT Compliance Security Assessment Services Brochure below!