Even as the average consumer worries about the safety of electronic transactions, so, too, must companies of all stripes.
But depending on their size and financial wherewithal, many companies are surprisingly slow to protect themselves in this age of data insecurity. That is according to a national researcher who’s looked at the issue for financial services giant American Express.
Kenneth Marks, a research adviser for American Express and managing partner of High Rock Partners, has been crunching the numbers from a midyear survey conducted for the credit behemoth, in an attempt to uncover trends among businesses nationwide. One of the survey questions centered on whether companies planned to increase investment in data security.
In general, Marks said, the larger the company the more likely it was to be planning such investment. Smaller companies, though, are less prepared to spend the money and may only be doing so to keep up with compliance requirements, he said.
The results of the American Express Survey of Mid-sized Companies were divided among what Marks called lower middle market (companies making $5 million to $50 million in annual revenue); middle market (companies making $51 million to $100 million); and upper middle market (companies making $101 million to $1 billion).
Some 339 respondents participated, many of them chief executives or chief financial officers of the companies involved.
The responses were being analyzed even as several national chains were reporting breaches in their security systems, exposing the personal information of millions of customers. Commercial behemoths from Target to Home Depot to JPMorgan Chase have gotten caught up by hackers in recent months.
Marks said nearly 80 percent of mid-sized companies are adapting to changing technologies and working to protect customer information and proprietary data by increasing their investment in data security. The advance of mobile technology has heightened the concern.
But smaller companies appear to be more reactive than proactive. Only 65 percent of the smaller firms surveyed said they planned to invest in data security, compared to 89 percent of the largest companies.
There is a disparity but “it kind of makes sense,” Marks said. “I think much of what you see in the lower middle market is driven by compliance requirements. For example, if you’re accepting payments with credit cards, PCI (payment card industry) compliance is required through the financial institutions. I think that’s continuing to evolve, given all the things we’ve seen publicly. If you’re in ecommerce or accepting payment by credit card, that’s an area of compliance requiring investment.”
Each industry sector has its peculiarities.
“If you’re in health care space, HIPAA compliance is driving some of the IT security requirements. If you’re in the financial services space, you’re seeing some of the FINRA and SEC requirements,” he said. The Financial Industry Regulatory Authority is the largest independent regulator for all securities firms doing business in the United States. SEC is the U.S. Securities and Exchange Commission, the agency responsible for enforcing federal securities laws.
“In the government contracting space, you continue to see, depending on the type of contract, continuing evolution of compliance, for exchanging information. If you’re in life science or pharma space, you have this crossover between HIPAA and protecting patient information as well as protecting intellectual information around drugs and drug development,” Marks said.
Are companies worried enough?
“The smallest companies, unless it’s intellectual property-driven, I don’t see having the same sense of urgency, unless it’s mandated, as I do the larger companies, which become the targets,” he said.
Information accuracy is kind of a tangential reason for data security investment, he said. His company deals frequently with merger and acquisition projects where such accuracy is paramount.
“We definitely see a higher level of concern for the transmission of company proprietary information in these processes now than we did five or 10 years ago. There’s a real concern to make sure that things are not freely available, protected and only certain individuals can see the information, and what happens to it if a deal falls apart,” Marks said.
Some companies look long and hard before spending money on security.
“There is no question that there is a constant balance between the available investment dollars and the desire to beef up or be more aggressive,” Marks said.
While standard IT employees routinely handle much of a company’s computer operations, outside consultants and vendors are frequently called in to deal with specialized problems, such as compliance regulations or security concerns.
That investment can add up.
“Most of the security issues being addressed are material to the budgets of these companies,” he said, with the expenditures ranging from the low five figures to the high seven figures.
“I think it’s a continuing evolution,” Marks said. “Does it become a line item in the budgets? I think it does for most companies. Data security is going to have to become a built-in asset for companies.”
He added: “You can put any server on the public network — the Internet — and within a couple of days have attempted hacks. I think it’s a lot more prevalent than a lot of executives understand.”
This was the first time that American Express conducted the survey, and the company hopes to get insight to help clients improve their businesses.
“They are looking to benchmarking information that they can provide proactively to their client base to help them better navigate the growth of their business and understand the trends. More and more companies are using electronic payment methods,” Marks said.
The American Express survey was conducted between June 2 and June 19. Research was completed online.
Marks runs High Rock Partners, a Raleigh, N.C., company that offers strategic and M&A advisory services to middle market companies. He’s written about financing and strategy for a number of years.
The survey asked businesses a variety of questions, not just on data security.