The threat of cybercrime to small and midsize businesses continues to rise, presenting significant risk to these organizations in particular. For those of you in IT or running your own small business, this isn't news to you, but you might be having a hard time conveying the gravity of the cybersecurity problem to your peers, your CEO, or your employees. To help paint that picture, we've done some digging to get the alarming facts on the real state of security breaches and attacks that present real risks to your business, and why you need to be implementing a cybersecurity strategy.
In a recent study by Kaspersky Lab, 90% of firms surveyed admitted a security incident, and 46% lost sensitive data due to either an internal or external security threat. Verizon, in its latest Data Breach Investigation Report, found “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” And Symantec, which tracks cyberthreats through a global network of 98+ million sensors, reported this year that cybercriminals had spawned more than 375 million new, unique malware variants in 2016, and that there are now more than 98 million malware bots lurking in cyberspace.
Meanwhile, the National Cyber Security Alliance reports that more than 70 percent of cyberattacks target small businesses. They also found 60% of hacked SMBs go out of business within 6 months!
In other words, it’s not a question of IF your business will be attacked. It’s a question of WHEN, how severely and… will you survive?
The total cost of a cyberattack on an SMB
A cyberattack can have a massive impact on an SMB, paralyzing operations, damaging its reputation, and threatening its existence. Even for those who survive, the repercussions may be felt for years. Kaspersky estimates that costs incurred by small or midsize businesses to recover from a cybersecurity breach average $46,000. Of that total, $38,000 is spent on direct costs (money paid for professional services to cover lost contracts and downtime), while about $8000 goes toward indirect costs (additional staff hiring and training, infrastructure upgrades, etc.). The Ponemon Institute calculated an average cost per stolen record of $141. Ponemon also estimates that the per capita cost of a cybersecurity breach to SMBs is more than three times that experienced by large enterprises ($1388 vs $431).
The real financial cost of brand reputation damage is difficult to calculate, but Kaspersky took a stab at it. Combining figures provided by their respondents on consultancy expenses, lost opportunities due to damaged corporate image, and spend on marketing and PR activities aimed at reducing the impact to reputation, they estimated that losses for this specific type of damage average $8,653 for SMBs. They included this total among the direct costs to the business. If a hack causes pain to customers through monetary or identity theft and word of the breach spreads, the reputation damage to an SMB could be fatal, as the National Cyber Security Alliance discovered.
One thing this calculation doesn't cover? The value of any proprietary information lost due to the attack. Such losses are extremely disruptive to most businesses, but they’re especially costly to small firms like technology startups, which have much of their worth tied up in intellectual property.
A breakdown of cybercrime costs for SMBs
In a report issued in 2016, Deloitte took a deeper look at the business impacts of cybercrime. They identified a total of 14 cost factors associated with recovery from a cybersecurity breach and broke them into two groups: (1) the “above the surface,” or well-known costs, and (2) the “below the surface,” or hidden or less visible costs. And like an iceberg, according to Deloitte’s calculations, more than 90% of a cybersecurity incident’s fiscal impact lies below the surface, in those less visible costs which may persist two years or more after the event. The five most significant cost factors for SMBs, according to IT experts Ed Tittle and Chris Janson, are probably:
- Lost business - shutting down operations while corrective action is taken.
- Loss of proprietary information - customer records, employee information, company strategies, product designs and other intellectual property.
- Damage to reputation - it could take months for the company’s online reputation to be restored.
- Litigation - due diligence to protect customer information.
- Protection costs - staffing, firewalls, encryption, software, etc.