According to USA Today, the cost of cyberattacks on small businesses falls between $84,000 and $148,000. This is reinforced by the fact that about 60% of small businesses go out of business within six months of an attack, and 90% of small businesses don’t use any data protection at all for company and customer information. There has been a recent spike in cyberattacks on small businesses. The threats are growing and changing as quickly as online technology.
A successful cyberattack can cause major damage to your business. The bottom line of the business can be severely impacted, alongside the business’s goodwill and consumer trust. Even though the impact of a security breach can be classified as financial, reputational and legal, at the end of the day it still boils down to financial impact.
The economic cost of a cyberattack is most often a substantial financial loss arising from theft of corporate information, theft of financial information (e.g. bank details or payment card details), theft of money, disruption to trading (e.g. inability to carry out transactions online), and loss of business or contracts. In addition, businesses that fall victim to a cyber breach will usually incur costs associated with repairing affected systems, networks and devices.
Trust is an important element of the customer relationship. Cyberattacks can damage the reputation that the SME has built over time, and every ounce of trust may be eroded too. The result is the potential loss of customers, loss of sales and reduction in profits. The effect of reputational damage is also external, as it can impact business suppliers or affect relationships with business partners, investors and other third parties vested in the business.
Another cost to the SME arises from legal, regulatory and compliance requirements. Data protection and privacy laws require that businesses manage the security of all personal data they hold, whether on staff or customers. If this data is accidentally or deliberately compromised, and it is assumed that there was a failure to deploy appropriate security measures, the business may face fines and regulatory sanctions.
Kaspersky (2016) reports that in all data breach cases the financial impact has been seen to increase with time, and that rapid detection of a data breach is a key factor in minimizing not only data loss but also the financial cost to the business. The longer a breach goes unnoticed, the more it will cost a business in monetary and data integrity terms.
“Even when breaches are detected almost instantly, SMEs estimate a cost to their business of $28k, rising to $105k if undetected for more than a week. For enterprises, where a detection system is in place the estimated financial damage is still $393k, increasing to over $1m if it remains undetected for over 7 days.”
IT security sometimes fails to deliver the results expected of it. When it does, the business bears a real cost tied directly to the security incident, and that cost is a wake-up call to reassess IT security spending and ensure that available budgets are being allocated in the right way. For many SMEs, spending on IT security can be a meager drop in the ocean compared to the actual cost to the business of a security incident or data breach. The impact is felt not just in financial terms but through reputational damage, which could affect the long-term prosperity and success of a business.
Hence, almost 52% of all businesses assume that their IT security will be compromised at some point, by viruses and malware causing a loss of productivity; inappropriate IT resource use by employees; and data loss or exposure due to targeted attacks.
Cyberattacks on the IT assets of SMEs are unavoidable, but the way businesses use available budgets and resources will be decisive in the coming years in keeping the financial (and reputational) impact down. Although losses will occur as a result, it is important to minimize them. The financial impact can only be curbed by taking a holistic approach to IT security instead of relying on detection technology alone to do the job. It is encouraging to see that 45% of companies believe that hardware and software alone won’t necessarily solve all IT security incidents. Research has shown that educating employees must be a key component of a company’s war chest for minimizing the likelihood of cyberattacks. With careless employees being the second biggest cause of security incidents in the past and the single biggest cause of serious incidents involving data loss or leakage, training and education on cyber threats are vital to creating a contemporary and less vulnerable workforce. Finally, only by advancing beyond prevention and towards recovery and mitigation will organizations be able to reduce their risk and the inevitable financial consequences of a cyberattack.