Many companies in the small or medium business (SMB) space assume that information governance and policy management concerns are solely the domain of large enterprises. That misconception couldn’t be further from the truth.  SMBs are bound by the same regulations and are exposed to many of the same risks as their larger counterparts.  Regulatory requirements, legal action, bring your own device (BYOD), disaster recovery and information security affect organizations of all sizes.  Additionally, SMBs are not immune to the data bloat that affects the smooth running of their business operations.

The SMB space, however, seems much less likely than its larger cousins to have effective information management in place.  According to a recent survey of more than 2,000 SMBs, less than 50 percent of respondents felt they were prepared for disaster recovery.  Another study revealed that over 75 percent of SMBs don’t have a basic BYOD policy.  Other assessments, including those by Sherpa Software, have revealed a startling lack of planning, preparedness, or policies for internet use, defensive deletion, document management, litigation hold or basic compliance auditing across the SMB space.

This lack of policy is not surprising.  Many SMB companies have grown organically with a ‘get the job done with what we have’ approach to business.  Often, neither the resources nor expertise are available to expend on creating, deploying, or enforcing policy. It is hard to convince stakeholders of the necessity of a policy directive unless there is an initiating factor such as a law suit, investigation or cataclysmic event.  Often, by that point, the effects on your business can be unrecoverable.

Management of electronically stored information (ESI) is essential to the effective running of a business and policy and enforcement are the keys to information management.  Over 90 percent of ESI has been created in the past few years, and this sheer proliferation makes regulating data within a company – SMB or otherwise – nothing less than challenging.  And much of this data has no legal, regulatory or worse, business need.  The acronym R.O.T. has been coined for the redundant, outdated or trivial records cluttering up servers, bogging down systems and inflating storage costs.

Most alarmingly, corporate data -whether it be from an old, grandfathered mainframe system, an email sent yesterday or the chat pinging in your IM client right now –is a risk.  Companies are liable (i.e. legally responsible) for all the data sent or stored on its corporate systems.  With this liability in mind, defining what types of web access or social media will be allowed using corporate equipment (internet use policy) or what devices are permitted to connect to the company networks (BYOD policy), is a priority to help mitigate the dangers.

Effective information management can keep the company running when the unexpected occurs, but it also is essential for the day-to-day running of business.  From the basic needs of finding and backing up data, to controlling access, protecting information assets, restoring data or finding ESI for a law suit, a well-defined policy is essential.

Without policy, one only has to look to the headlines for examples of worst case scenarios. What company wants to be featured in the breaking news for a data breach where social security numbers or credit cards were exposed?  Who wants to be hauled in front of a court and explain lost email records?  These events are highly detrimental to companies small and large.  They often result in lost customers, negative image and damaged reputation or brand trust.   A data breach of an SMB might not make the national news, but it will impact business relationships.

Even with good, established policy in all these areas, implementation and enforcement are essential.  Many of the organizations that find themselves in the worst trouble actually had policies, but rarely tested them or performed audits to make sure the rules kept up with the latest risks.

The avoidance of risk and the effective running of business are the key reasons that information governance and policy management matter to a small or medium sized business. These dangers are not just borne by the Fortune 500, they matter to mom & pop shops and every business in between.  Look at it this way, any SMB worth its salt invests in security, operations management and housekeeping for their physical space.  Shouldn’t they do so for their digital space as well?

For more information on policies and procedures, contact us today!