What a historic year 2020 turned out to be.  With a raging pandemic, good-ole American ingenuity saw companies large and small revolutionizing ways of doing business.  Although remote worker technology has been around for years, transforming on such a massive scale also had an unintended consequence: an increase in business cyber risk.  Is your cybersecurity strategy updated?

Now that 2020 is over, many cybersecurity and insurance companies will summarize cyber-attack costs to businesses.  For small business owners, these numbers are going to look large: a $3.86 million average cost for a breach.  You may recognize that this number is significantly above the value of a 5 or 10 employee business; therefore, it may feel like a scare tactic.

Assessing Cyber Risk and Financial Exposure

One take-away from the $3.86 million figure is that it is an average.  Data held by some organizations may be of greater value than your business, skewing the costs upward.  When normalized for small businesses, the average loss is significantly less, at $85,000.  Because each small business is unique, $85,000 is not necessarily a good benchmark for estimating losses from a successful cyber-attack or for setting your yearly investment in cybersecurity.  It’s important to periodically assess your business to identify changes that create or diminish cyber risks, and to update your cybersecurity strategy accordingly.

Regardless of business size, and whether or not you believe a malware or ransomware attack won’t significantly affect your bottom line, every business needs to take these risks seriously.  Although direct costs in labor to restore backups appear manageable, secondary costs typically have the greatest lasting impact on a business.  When it comes to specifics, secondary costs include lawsuits, increases in cyber insurance premiums, and public relations issues with consumer and client confidence.

Data Security Should Be a Focus

When evaluating your financial exposure to cyber risks, it is necessary to account for the value of your data in the event it is leaked.  The Ryuk cyber-criminals have developed new techniques to ensure payout.  Encrypting your critical business files while threatening their public exposure is evidence of how far they’re willing to go to get you to pay.  Continuity of Operations (COOP) is no longer sufficient, and your cybersecurity strategy should include COOP-Compliance.  The value of some data will be subjective and based on what it means to your business; however, there is sufficient historical data on breaches to calculate the cost per record lost:

  • $150/record – Consumer PII
  • $149/record – Corporate data
  • $147/record – Intellectual property
  • $143/record – Anonymized consumer data
  • $141/record – Employee PII

Costs per record are not hard numbers.  Factors that affect per-record cost include industry (with healthcare record costs leading the way), company cybersecurity maturity, and geography.  Failing to safeguard Personally Identifiable Information (PII) can cause compliance headaches and significant liability costs under the European Union General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Reduce Cost Exposure With a Cybersecurity Strategy

One factor that benefits a business by helping to reduce the overall cost of a breach is its cybersecurity maturity.  A mature corporate cybersecurity program significantly improves resiliency by having processes and technologies in place to discover a breach earlier in the attack cycle.  When processes are in place, quicker decisions can be made to stop the attack and begin remediation.  Without a cybersecurity program, a breach could cost 50% more.  These factors contribute to the overall average cost per record; a single healthcare record lost during a breach can range from a low of $129 for businesses with a cybersecurity program in place to $355 for businesses without.

3rd Party Risks Can Be A Hidden Liability

An often-overlooked risk for small businesses that don’t possess PII is the 3rd party risk they pose to their clients or suppliers.  Cyber-criminals are not content with solely ransoming your data and are always on the lookout for larger payouts.  Even if valuable data is not held by your organization and a robust backup system is in place to restore in the event of an attack, a criminal accessing your computer system may gain a pivot to your suppliers or clients.  The legal liability for the breach of another organization could be overwhelming.  The 2013 Target breach was due to third-party access to their computer networks, costing Target upward of $300 million to remediate.  This is another argument for taking your cyber risks seriously.

This leads into the conclusion of this article.  60% of small businesses go out of business within six months of falling victim to a data breach or cyber-attack.  With nearly 45% of small businesses experiencing a cyber-attack each year, each business is likely to experience at least one cyber-attack every three years.  A business that has just begun thinking about its cybersecurity should first begin with a cyber risk assessment and develop a strategy.  The risk assessment will help identify the financial exposure from the threats against your information assets and data.  This will allow you to focus limited investment dollars where they have the greatest strategic impact in mitigating those threats.  As a small business, cybersecurity may be one of the last to-dos on a long list.  However, it’s not only a legal requirement for compliance purposes to protect customer data; it also helps an organization’s reputation.