Cost is arguably the biggest impediment to robust, proactive cyber security at small and medium sized businesses (SMBs). SMBs are aware of the need to secure their systems and data, but when presented with a solution, the costs may give them pause. Some of them think that hackers are interested in attacking large firms, and their companies are too small to warrant the investment.
The reality is that hackers find SMBs to be very attractive targets because they know these small firms may not have comprehensive cyber security defenses. Additionally, many SMBs sell services to large companies, and hackers frequently use these third-party vendors as backdoors into their primary targets. Verizon estimates that 58% of SMBs have fallen victim to a cyber attack, and stratospheric cyber attack remediation costs mean that these companies have a lot more to lose than multinational corporations.
Small businesses face big cyber attack costs
While cyber attack costs take a large bite out of multinationals, they can swallow SMBs whole. According to Ponemon Institute, cyber attacks cost SMBs an average of over $2.2 million. Cleanup costs are responsible for about half, with the other half being due to business disruption. It’s important to understand that $2.2 million is an average figure. Your company’s remediation costs could be higher, particularly if you do business in a highly regulated industry, such as healthcare or finance. The healthcare industry faces the highest per-record data breach cost, at $408 per compromised record, nearly three times the average of $148.
In addition to direct remediation costs, such as repairs to systems and hardware, businesses may also face a litany of indirect remediation costs, including:
* Regulatory or industry fines for compliance violations.
* Civil lawsuits from customers, business partners, or both.
* Higher cyber insurance
premiums.
* Higher fees from payment processors, if the cyber attack causes your customers to file a significant number of credit card chargebacks.
* Customer refunds and incentives, such as credit monitoring.
* Lost sales and business opportunities
.
These cyber attack costs are magnified if your company must temporarily suspend operations after a cyber incident. In addition to footing the direct and indirect costs of cyber attack remediation, your business must still pay everyday operational costs, such as rent, utilities, insurance, and payroll — and all of this while no money is coming in. If that sounds like a perfect (cyber) storm, that’s because it is; the U.S. National Cyber Security Alliance estimates that 60% of small businesses go under within six months of suffering a cyber attack.
Proactive cyber security doesn’t have to cost a fortune
Solid integrated risk management (IRM) and governance, risk, and compliance reduce the risk of cyber attacks, and automating IRM and GRC processes allows companies to save money and time without sacrificing efficacy. The risks are dire. It’s not cyber security that SMBs cannot afford; it’s the cost of remediating a cyber attack.
Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.
He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.