Have you ever considered the structure rules bring to a game? Pick any game. It can be a board game, card game or even your favorite sport. What if I take away the rules? Chaos. Right?

In Monopoly, your opponent decides to skip jail and earn money without mortgaging properties. Or let’s say the card game Uno. You declare yourself the winner while still having 10 cards in hand. In sports, it would be like teams ignoring the referee’s whistle and continuing play. It’s highly unorganized and it doesn’t seem quite fair.

Rules give necessary structure. It keeps everyone on the same page, sets expectations and ultimately lets us know who wins and for what reason. It’s no surprise then that when someone decides they’re not going to play by the rules we say they’┬óre cheating. Rules must be enforced for the game to be played properly.

act dishonestly or unfairly in order to gain an advantage, especially in a game or examination.

How Does this Apply to Business?

In some cases the rules are defined by our government or regulatory bodies, they dictate how we play. If you’re in Healthcare you have regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. In Finance there’s the U.S. Securities and Exchange Commission (SEC) while the retail industry has Payment Card Industry (PCI) security standards. Each one of these regulatory bodies is intended to protect customers by implementing and enforcing laws.

These standards are in place to protect certain types of information appropriately. In business we’re not just playing a game with our own assets, we’re using assets that belong to others it’s their personal information! But when it comes to protecting those assets there seems to be a great chasm between those that are regulated and those that are not. But why? Do we only act a certain way when we are required to? Or do we do the right thing because it’s the right thing to do? In business it should be a no-brainer to do that right thing because it’s the right thing to do!

It seems that’s not always the case. It’s not that we don’t hear about data breaches and many of those companies that are breached are regulated. It’s the smaller businesses that may or may not fall under a regulatory umbrella or consider themselves big enough to be scrutinized that are not protecting information in a way that’s appropriate. That’s a big problem.

We can try to excuse this away by saying information security is too expensive for the small business, perhaps it’s too unmanageable for the small business. Surely this is for banks and corporations with multi-million-dollar budgets to pour into cyber-security. It’s their responsibility to protect my information but when it comes to me treating my customers with dignity and respect by properly securing the information that I’ve either ask them for or they willingly handed me that’s a different story. The general thinking goes something like this: “I’m just a small guy I would never get hacked.”

According to the Identity Theft Resource Center, between January 2005 and April 2018 there were 8,854 recorded breaches. The average length of time it takes for organizations to identify a data breach is 191 days. The average time needed to fully contain a data breach is 66 days according to the Ponemon Institute for IBM Security.

Unfortunately, the stats are rather staggering and in my opinion they’re probably way wrong. Not because researchers have missed the mark but because not only do small businesses lack the resources to set up proper cyber security networks but any kind of breach would go unnoticed and unreported – likely forever. Because of this, there’s no way for the stats to show just how much data loss and how much identity theft is a result of a small business not treating their customers’ information correctly.

Far too often there are businesses out there that are not strictly regulated and don’t do what they should because they’re not being audited.So they feel like they don’t have to. In some cases businesses who are in regulatory environments don’t take the regulation seriously or do as little as possible to meet the requirement in the letter of the law. Doing as little as possible doesn’t solve the problem.

Let’s take a small HIPAA regulated shop for example. Sure, it’s regulated but it may not take the regulations and it’s responsibility of security seriously. HIPAA requires clients be notified in the event of a data breach. The size and scale of the breach changes a few of the details but it’s still required. Many small offices have no way of detecting a breach, so there is nothing to report.

Is this cheating?

I would say it is. As nice as it would be to use the excuse of size, lack of resources or the poorly perceived value of customer information, these are all really poor reasons to not protect the information we have collected. The security posture in the United States is not going to change from the top down. It’s not going to get better just because the government sets up a new set of rules. We have to be willing to follow rules and do the right thing even if someone isn’t looking over our shoulder. We have to have an understanding that rules must be enforced for everything to work as intended. Otherwise, what’s the use of having rules in the first place? Like our favorite game without rules we’re going to be involved in pure chaos.

That’s not fair to those who are entrusting businesses both big and small with personal data.

What’s my point?

There are insert number of businesses with less than 50 people in the United States. Of those I would argue that the mass majority are using informal or Shadow it practices with no service provider providing any guidance or if they are it’s very little if there is guidance. Feeling Financial pressure business decision leaders often make other business priorities float to the top above protecting the information they have. The average cost have a lost record, think of a record is a client, donor, customer, patient in a database that is owned by your business is $141 and as best I can tell that’s a very conservative number other numbers show that it may be closer to five hundred and some cases particularly with Healthcare.

There are 40 million businesses in the United States that employee 20-99 people. I would argue the majority are using informal or shadow IT practices. This is when the technology used in an organization is not regulated, provisioned, or formally approved by its IT team. The result can lead to data loss, misuse, inefficient and disconnected processes, and fragmented information. All of which must be addressed appropriately.

This tends to happen when an organization doesn’t invest in a knowledgeable service provider or one who offers very little guidance.

I get it. Many business leaders feel the financial pressure of continuously increasing financial gains. Data protection isn’t always top-of-mind, At the end of the day it needs to be.

More and more organizations are learning the hard way they must prioritize protection of data. Your business can’t afford to treat customer data half-heartedly. Eventually regulators will come knocking to make sure you’re playing by the rules. Saying you weren’t aware of the rules won’t be enough. You will end up paying more than you bargained for with fines and penalties,

Bottom line: Do the right thing and play by the rules!