It is important to note that regulatory standards do not affect only large corporations; small and mid-size companies are equally affected, especially when their core business involves classes of information that are protected by law (patient information, credit card information, financial data, etc.).
A good example is a regional medical facility with fewer than 500 employees. One might assume that it is not subject to the same regulations because of its size, but HIPAA is HIPAA: it applies to any organization that stores and maintains protected health information, regardless of headcount.
For example, if this fictional medical facility had a screen-logger running on a PC that handles any of the above classes of information, this could constitute a violation of the following standard and could result in fines:
HIPAA Security Rule, 45 CFR §164.312(a)(1) (Access Control), the technical safeguard that refers back to the Information Access Management standard at §164.308(a)(4): “implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4) [Information Access Management]”
This also leads me to believe that controls implemented to enforce compliance do not, by themselves, provide assurance that one is protected. This is particularly true in light of the recent high-profile data security breaches at corporations that had followed all the applicable regulatory standards but were somehow still compromised.
In conclusion, security should not be ignored within small and mid-size companies, especially those that handle protected classes of information.