Data Breach Optimism Bias: The Importance of Being Vigilant
In the last couple of months, a colleague and I have had the opportunity to interview almost fifty small business owners about data security. One of the questions we wanted to answer is whether business owners feel at risk with regard to their business data. Overwhelmingly, we’ve found the answer is a resounding “no” from 90 percent of our respondents. Despite lacking very basic security precautions, such as a firewall for network security or even backups, many business owners report feeling safe enough, with no plans to invest in further data protection measures in the future.
I obviously work in the data security space, and I mainly talk to customers who have been affected in some way by data breaches, but this really surprised me. I’d say that a person is significantly more likely to purchase one of our products if they have experienced some sort of mishap or data breach (be it accident-related or an attack of some sort). But, by and large, when we survey small business owners, they feel that they simply are not a target. They report they don’t feel “on the radar” of malicious actors because hackers care about “the big guys,” not the small mom-and-pop shops. However, according to our research, they are completely wrong in these assumptions. We know that 43 percent of companies with a major data loss go out of business. According to the Verizon Data Breach Investigations Report, 61 percent of breaches hit small businesses last year, up 8 percent from 53 percent in 2016. Further, UPS Capital reports that nearly two-thirds of cyber breach victims are small to mid-size businesses. Still, 90 percent of small businesses don’t use any data protection at all. So, it’s puzzling how small business owners can feel their data is safe. Is it a lack of understanding? Maybe. Have they just not been targeted? The aforementioned statistics would suggest otherwise.
I entered my IT solutions consulting career with a psychology background, and I am familiar with optimism bias, which I think is the true culprit here. Optimism bias is commonly defined as the belief that one’s chances of experiencing a negative event are lower (or, inversely, that one’s chances of experiencing a positive event are higher) than those of others. Common examples are smokers who feel they have a lower risk of lung cancer than their smoking peers, or a motorist who thinks their chances of getting into a car accident are lower than the realistic possibility. Generally, people think they can beat the odds and thus are willing to take their chances with their safety, which, in the data security world, translates into behaviors such as poor password hygiene, not backing up their data and having no network security. People report “feeling fine” about not locking their virtual doors or neglecting to insure not just their data, but their customers’ data. Tali Sharot, a leading researcher in the area of optimism bias, recently did a TED Talk where she shared her findings and some of the harmful ramifications over-optimism can cause. For instance, the optimism bias has been named by several economists as one of the core causes of the financial downfall of 2008.
So, if this is a natural phenomenon, experienced by even the most logical of human minds, how do we combat this tendency? My recommendation is to arm yourself with information when making important decisions. Don’t let your flurry of daily activities prevent you from doing your research and making smarter business decisions. If you would like to consult with us, please contact us at firstname.lastname@example.org. We are happy to show you how we can help you cultivate an informed data security plan to protect yourself and prevent your business from experiencing the security breach that is likely on your horizon. If you remember nothing else from this blog, remember this: It’s not IF you get hacked…it’s WHEN.