Information Security & Compliance: The First Step
- May 19
- 2 min read
Updated: May 20

In prompting various chat bots and AI engines for "scariest cybersecurity facts," a user will encounter no shortage of statistics that would make any Small-to-Medium Business owner fear for their livelihood. Among the most concerning of those facts and figures is that the majority of Small-to-Medium Businesses (SMBs) in the United States aren't even aware they are in possession of sensitive data.
SMBs represent a growing target population for cyber attackers and there's no slowing down in sight: 40-50% of SMBs in the US experienced a cyber incident or attack in 2025, up ~10% since 2020.
As a result, increased regulatory pressure means the costs associated with information security risk go beyond what may be paid out to a successful attacker. PCI DSS violations can multiply breach costs exponentially, and then there is, of course, the somewhat incalculable damage done to the reputation of your organization. Per CNiC, the estimated cost of an information security breach for an SMB in 2025 is somewhere in the range of $120k-1.24 million. This fun fact is to be considered in close conjunction with IBM's estimated average cost for organizations under 500 employees of approximately $3.31 million, factoring in incidents, downtime, legal fees, recovery and opportunity cost. Of those SMBs unfortunate enough to experience a major incident, 60% go belly up within six months.
Of those organizations that are aware of the sensitive data flowing through and at rest in their networks, a good number are unclear as to the regulatory obligations they face in terms of that sensitive data, and with good reason: information risk standards are still being established. Even when it comes to established standards such as PCI DSS, substantial revisions occur every 3-4 years.
Simply put, in addition to increasing threats and growing costs associated with those threats, Information Risk Compliance obligations are expanding rapidly. The question isn't whether your SMB will be attacked but when an attack will succeed.
Of the multiple cybersecurity horror stories with which an organization can scare itself stiff, a frequent question (perhaps the most frequent) is where to start. What questions need to be answered? To which requirements and rules is my company subject? Every business needs to know not only how to respond to a cyber-attack but also how to prevent one. The most basic place to start is knowing what sensitive data is processed, transmitted or stored by your organization.
Once that question is thoroughly and exhaustively answered, compliance regulations have a habit of making themselves painfully obvious. SMBs will suddenly find themselves ensconced in frameworks and standards published by stalwart institutions like the International Organization for Standardization (ISO) or the National Institute of Standards and Technology (NIST).
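The "first step" above, knowing what sensitive data your organization processes, transmits or stores, is a data inventory, and it can be started with a very small discovery script. The example below is added here and is not code from the original post; it runs over a few constructed sample records (the file names, contents and card numbers are made up, and the card numbers are the widely published Visa/Mastercard test values, not real accounts). It looks for primary account numbers (PANs) validated with the Luhn check that payment card numbers must pass, for US SSN-style identifiers and for e-mail addresses, then reports per location which store holds cardholder data and is therefore in PCI DSS scope. Findings are masked to the first six and last four digits so the inventory itself never becomes a second copy of the sensitive data.

```python
"""Minimal sensitive-data inventory for a data-discovery first step.

Added example: scans constructed text records for cardholder data (PANs),
US SSN-style identifiers and e-mail addresses, then summarises per source.
Not part of the original post; all sample data below is constructed.
"""
import re
from collections import Counter

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN layout: 3-2-4 digits with dashes (layout check only, not validity).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in text, as normalised digit strings."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """PCI-style truncation for reporting: keep first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(text: str) -> Counter:
    """Count sensitive-data types present in one record or file."""
    return Counter(
        pan=len(find_pans(text)),
        ssn=len(SSN_RE.findall(text)),
        email=len(EMAIL_RE.findall(text)),
    )


def inventory(sources: dict) -> dict:
    """Map each source name to its Counter of sensitive-data findings."""
    return {name: classify(text) for name, text in sources.items()}


def summarize(report: dict) -> list:
    """One human-readable line per source, flagging PCI DSS scope."""
    lines = []
    for name, counts in report.items():
        flagged = {k: v for k, v in counts.items() if v}
        scope = "IN SCOPE for PCI DSS" if flagged.get("pan") else "no cardholder data"
        lines.append(f"{name}: {flagged} -> {scope}")
    return lines


# Constructed sample sources (hypothetical file names and contents).
SAMPLE_SOURCES = {
    "crm_export.csv": (
        "name,email,card\n"
        "Jane Doe,jane@example.com,4111 1111 1111 1111\n"   # Visa test number
        "John Roe,john@example.org,5500-0000-0000-0004\n"   # Mastercard test number
    ),
    "hr_notes.txt": "Employee SSN 123-45-6789 on file; contact hr@example.com",
    "marketing_copy.txt": "Order ID 4111111111111112 shipped.",  # fails Luhn: not a PAN
}

if __name__ == "__main__":
    report = inventory(SAMPLE_SOURCES)
    for line in summarize(report):
        print(line)
    for pan in find_pans(SAMPLE_SOURCES["crm_export.csv"]):
        print("masked PAN:", mask_pan(pan))
```

The Luhn check matters because a 16-digit order ID or tracking number is not cardholder data; without it a naive regex inventory drowns in false positives. Running this against real exports, databases and mailboxes is the point at which the regulatory obligations the post describes start to become obvious.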
This realization can overwhelm some businesses, but the key is knowing where to start and taking proactive steps toward securing your network. This means addressing compliance not as a box to check but as a major cost-saving effort to build security into your company's processes from the ground up. In a business landscape where threats are increasing, costs are growing and regulatory obligations seem ever-expanding, hope is not a strategy and fear is not an option. Protect what matters.
The choice of a lawyer is an important decision that should not be based solely on advertising.