The threat of cybercrime to small and midsize businesses continues to rise, presenting significant risk to these organizations in particular. For those of you in IT or running your own small business, this isn’t news to you, but you might be having a hard time conveying the gravity of the cybersecurity problem to your peers, your CEO, or your employees. To help paint that picture, we’ve done some digging to get the alarming facts on the real state of security breaches and attacks that present real risks to your business, and why you need to be implementing a cybersecurity strategy.
In a recent study by Kaspersky Lab, 90% of firms surveyed admitted a security incident, and 46% lost sensitive data due to either an internal or external security threat. Verizon, in its latest Data Breach Investigation Report, found “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” And Symantec, which tracks cyberthreats through a global network of 98+ million sensors, reported this year that cybercriminals had spawned more than 375 million new, unique malware variants in 2016, and that there are now more than 98 million malware bots lurking in cyberspace.
Meanwhile, the National Cyber Security Alliance reports that more than 70 percent of cyberattacks target small businesses. They also found 60% of hacked SMBs go out of business within 6 months!
In other words, it’s not a question of IF your business will be attacked. It’s a question of WHEN, how severely and… will you survive?
The total cost of a cyberattack on an SMB
A cyberattack can have a massive impact on an SMB, paralyzing operations, damaging its reputation, threatening its existence. Even for those who survive, the repercussions may be felt for years.
Kaspersky estimates that costs incurred by small or midsize businesses to recover from a cybersecurity breach average $46,000. Of that total, $38,000 are spent on direct costs (money paid for professional services to cover lost contracts and downtime), while about $8000 goes toward indirect costs (additional staff hiring and training, infrastructure upgrades etc.). The Ponemon Institute, calculated an average cost per stolen record of $141. Ponemon also estimates that the per capita cost of a cybersecurity breach to SMBs is more than three times that experienced by large enterprises ($1388 vs $431).
The real financial cost of brand reputation damage is difficult to calculate, but Kaspersky took a stab at it. Combining figures provided by their respondents on consultancy expenses, lost opportunities due to damaged corporate image, and spend on marketing and PR activities aimed at reducing the impact to reputation, they estimated losses for this specific type of damage average $8,653 for SMBs. They included this total among the direct costs to the business. If a hack causes pain to customers through monetary or identity theft and word of the breach spreads, the reputation damage to an SMB could be fatal, as the National Cyber Security Alliance discovered.
One thing this calculation doesn’t cover? The value of any proprietary information lost due to the attack. Such losses are extremely disruptive to most businesses, but they’re especially costly to small firms like technology startups, which have much of their worth tied up in intellectual property.
A breakdown of cybercrime costs for SMBs
In a report issued in 2016, Deloitte took a deeper look at the business impacts of cybercrime. They identified a total of 14 cost factors associated with recovery from a cybersecurity breach and broke them into two groups: (1) the “above the surface,” or well-known costs, and (2) the “below the surface,” or hidden or less visible costs. And like an iceberg, according to Deloitte’s calculations, more than 90% of a cybersecurity incident’s fiscal impact lies below the surface, in those less visible costs which may persist two years or more after the event.
The five most significant cost factors for SMBs, according to IT experts Ed Tittle and Chris Janson, are probably:
- Lost business – shutting down operations while corrective action is taken.
- Loss of proprietary information – customer records, employee information, company strategies, product designs and other intellectual property.
- Damage to reputation – it could take months for the company’s online reputation to be restored
- Litigation – due diligence to protect customer information
- Protection costs – staffing, firewalls, encryption, software, etc.
No target is too small
Small businesses often consider themselves unlikely targets of cyberattacks. They think cybercriminals couldn’t possibly bother with them when there are so many bigger, more tempting fish in the sea. Such thinking often leads to a false sense of security.
“Attackers often compromise smaller, less secure businesses and use their environments as their base of operations,” says Verizon. “The attackers rely on relatively insecure systems with poor monitoring and logging as an additional layer of security when perpetrating attacks. Your systems might be the origin of major breaches and, in addition, your intellectual property might be an attractive bonus.”
Cybercriminals exploit a variety of security holes to perpetrate their attacks, like cryptosystem backdoors, application vulnerabilities, and unsecure user interfaces. But, as mentioned earlier, some 81% of successful breaches leverage weak, re-used or stolen passwords, which can be resolved through an online password manager.
The problem of cybercrime continues to grow. And despite their small size, SMBs are prime targets, absorbing 70% of all cyberattacks. Small and midsize businesses need to take measures to protect themselves from cybercrime by implementing a cybersecurity strategy. That strategy – in our opinion, as well as that of Tittle and Janson – should include a robust password protection system. As you explore a strategy for your SMB, be sure to check out the Harvard Business Review webinar, “How to Build Your Cybersecurity Defense” and get started with a free trial of LastPass Enterprise today.