According to the 2016 Internet Security Threat Report from Symantec – 62% of data theft victims are small to mid-size businesses. In addition, 40% of data breaches are caused by external intrusions.[1] In this context, external intrusions refer to third parties with access to your network or other personal devices connecting to your networks.


What the above indicates, is that not only large businesses, whom we would perceive as facing the most risk because of their clientele, but also small to medium sized operations are being targeted. According to a recent study, the cost of a data breach is about $4 million.[2]


Another important point to ponder, besides the obvious fact that most businesses obtain, use and store client data, and have for a long time; is the fact that all businesses, without exception, collect, use and store data as part of their operations. With this, I mean employee, supplier and stakeholder data. From these observations, I hope to illustrate the point that all businesses collect, use and store data and that data security is something that concerns all businesses – small, medium and large.


The real risk


Although this aspect should be taken seriously by all, smaller businesses find themselves particularly vulnerable for a number of reasons.  Before we delve into this further, let us first answer the question: what is a small business? In revenue, infrastructure or number of staff? Small or consolidated infrastructure does not necessarily mean small revenue streams.  It’s not about the size but rather a thought pattern.

According to Bindu Sundaresan, a senior security professional for AT&T: “They feel like ‘Who’s going to come after me?’” “I find that most small businesses don’t understand the impact of a cyber security breach outside of their business. They’re basically a pawn in a larger game.” [3]

Accordingly, the days of thinking this does not apply to you or is not a priority, is over. 


Recommended best practice

  1. Don’t underestimate the threat.
  2. Less is more – don’t collect what you don’t really need.

Collect, use and store only the information you truly need.

  1. Obtain consent from the owner of the information and only collect information or data where you have the required consent to do so.
  2. If you need to collect it, ensure you have a data collection and storage policy in place. Outline which personal information you have, where you are storing it, how you are using it and who has access to it.
  3. It is important that this policy is clear, understood by and easily accessible to staff and clients. In addition, ensure that it clearly outlines how you are keeping personal information safe.
  4. Observe and comply.

In addition to implementing a policy, obtain advice on any legislative provisions in the jurisdiction you are operating in. Most businesses set the minimum standards of care or acceptable best practices in relation to their data collection, storage and protection. Ensure you comply with these provisions and incorporate it in your data collection and storage policies.

  1. Educate and train your employees.


© Nicolene Schoeman –Louw is an attorney of the High Court of South Africa and the Managing Director of SchoemanLaw Inc in Cape Town, South Africa.





[1] accessed 06/02/2017

[2] accessed 06/02/2017.

[3] accessed 06/02/2017

About The Author

Spice4Life News

Leave a Reply