October marks National Cybersecurity Awareness Month, but the reality is it’s crucial that small business owners understand the need for robust data security all year round. A data breach can hit at any time, and a single incident can spell disaster for your company. In many cases, these crises could have been avoided but, unfortunately, too many businesses lag in cyber readiness.
Making matters worse is that cyberattacks have risen consistently in both overall quantity and sophistication. This marks a foreboding trend in and of itself. Furthermore, recent surveys have shown that a rising share of these attacks are aimed at small businesses. The upside? Companies can take concrete steps to increase their cyber readiness and implement the cybersecurity best practices necessary to defend themselves fully.
Cybercriminals, by and large, are most interested in attacking the easiest targets available. While a successful attack on a large bank may earn a hacker significantly more money than going after small businesses, the chances of success are substantially smaller. As such, attackers have increasingly targeted small businesses in recent years.
Many of these companies, unfortunately, have yet to increase their cybersecurity practices — either due to a lack of funds, a lack of education or a misplaced belief that they are of no interest to cybercriminals. This is especially dangerous as cyberattacks are becoming more complicated, meaning that even basic data security software may be unable to secure a business fully.
Overall, deployment of data security software remains extremely low across small businesses. In a 2022 CNBC|Survey Monkey Small Business Survey, fewer than half of respondents said they’d taken concrete steps toward implementing data security measures, such as installing antivirus or anti-malware software, employing data backups or mandating the use of strong passwords. Similarly, only 33 percent of respondents have taken steps to mandate the use of multifactor authentication (MFA) or enable automatic software updates.
This problem is compounded by multiple related issues. According to a 2021 survey conducted by Corvus Insurance, 63 percent of small and medium-sized businesses (SMBs) with more than 250 employees noted that the complexity of cybersecurity and a lack of knowledge prevented improvements in their overall cybersecurity. Astonishingly, 86 percent of respondents indicated that internal resource constraints were also a major factor.
Due to these challenges, it’s unsurprising that many SMBs are lagging in cybersecurity best practices. According to a 2022 poll by business-to-business resource provider UpCity, 50 percent of SMBs still don’t have a cybersecurity plan in place. Additionally, only 43 percent of businesses surveyed believed they were financially prepared to recover fully from a cyberattack. More positively, 37 percent said they are investing more in new cybersecurity technologies and products.
However, counterintuitively, investing in new products and technologies can actually make a business less safe and add to the overall cost of a data breach. IBM’s 2022 Cost of a Data Breach Report found that added system complexity was the single greatest factor in increasing the cost of data breaches. This is because too many systems can cause “alert fatigue,” which can leave information technology (IT) and security teams overwhelmed and more prone to miss the first signs of a cyberattack.
Most small businesses aren’t taking concrete steps toward implementing data security measures and many don’t have a cybersecurity plan in place.
Lax cybersecurity measures can affect small businesses in a range of ways. Most obviously, lax security can lead to otherwise preventable cyberattacks and data breaches. But that’s not the end of the story. Cyberattacks can also prompt fines, lawsuits, negative public opinions and customer loss. They can even cause a business to close.
The primary risks of lax cybersecurity are cyberattacks and data breaches. The FBI’s Internet Crime Complaint Center (also known as IC3) found overall cybercrime increased by 7 percent in 2021 compared to 2020. In the same time period, potential losses increased 64 percent to $6.9 billion. There is no indication cybercrime will become less likely in the years ahead. Instead, those potential losses all but guarantee cybercrime will continue to entice hackers and likely increase in dollar size for the foreseeable future.
As attacks become more common, the likelihood of any single business being targeted increases. In 2021, for instance, the FBI saw both the prevalence of business email compromise (BEC) scams and ransomware attacks increase dramatically. These schemes are particularly costly and dangerous for small businesses: BEC scams caused $2.4 billion in potential losses in 2021. Meanwhile, ransomware attacks can cause prolonged system downtime and also lead to data breaches.
Aside from the loss of funds and potential system downtime, cyberattacks can also lead to data breaches. In that case, on top of the negative publicity that typically comes from a data breach and the associated costs, businesses can face a range of soft costs. These may include lost productivity, increased employee workloads and decreased morale.
According to Verizon’s 2022 Data Breach Investigations Report, at least 14 percent of recorded data breaches affected SMBs; however, the true number is likely higher as 81 percent of recorded data breaches affected businesses of unknown size.
A successful cyberattack or data breach is only the beginning when it comes to the potential consequences of lax cybersecurity. Depending upon the type of data a small business handles, the company could face regulatory fines and lawsuits following an attack, not to mention a significant loss in revenue and profit.
Fines and costs: A small business that handles credit card info and is attacked by a hacker could find itself having to pay heavy fines to credit and debit card companies, especially if the impacted organization wasn’t in compliance with Payment Card Industry regulations. In the event of a breach, credit and debit card companies have a right to levy fines on merchants, as well as charge a business for any fraudulent purchases on stolen cards. Depending on the scope of the breach, the Federal Trade Commission could also levy fines on the business.
Companies could face additional fines depending on the type of information they handle. For instance, a business handling protected health information could have to pay additional fines for violating the Health Insurance Portability and Accountability Act. There’s also the possibility of additional, miscellaneous costs following a data breach. For example, if stolen data in a breach included personally identifiable information, the impacted business may find it necessary to purchase identity theft protection services for its affected clients.
Lawsuits: Besides fines, small businesses could be hit with lawsuits following a cyberattack or breach. These could arise in various ways, such as impacted clients launching a class action suit over improperly secured data. Another company could also sue an SMB impacted by a cyberattack if the attack rendered the impacted business unable to complete contractually agreed-upon business terms.
Lost business: Lastly, cyberattacks and data breaches are likely to cause the company to lose business. Research from security company Palo Alto Networks found that 87 percent of businesses took longer than a month to fully recover from a ransomware attack. Even if a small company can recover its data and restore its systems more quickly than that, 55 percent of people surveyed by CNBC|Survey Monkey revealed they would be less likely to continue to purchase services from a business that suffered a cyberattack.
A comprehensive cyber insurance policy can help cover the costs of a cyber incident or data breach, including those associated with regulatory fines and legal fees.
Frankly, any cyberattack or data breach runs the risk of forcing a business to close. This is especially true if a company doesn’t have the necessary data security software and cybersecurity best practices in place. Without any sort of cyber readiness, the combined effects of business downtime, fines, lost business, reputational damage and potential lawsuits can overwhelm a small company.
From a purely economic perspective, a small business can expect to pay, on average, $105,000 following a data breach, according to a 2021 IT security economics report by the cybersecurity company Kaspersky. While this cost is down from a high point in 2018, the current trend is for data breaches to become more expensive with each passing year. Also worryingly for SMBs, Kaspersky found that the cost of cybersecurity incidents was, on the whole, significantly higher than the cost of a data breach. For instance, an attack on an SMB’s point-of-sale systems had an average financial impact of $211,000.
With devastating costs like that, it is perhaps unsurprising that many businesses close within six months of a cyberattack or data breach.
Securing your small business can be confusing and requires an investment in time, money and manpower. Fortunately, there are multiple options and best practices available to help protect your company and prevent worst-case scenarios.
SMBs can apply the following strategies to help enhance their overall cybersecurity.
As you shore up your small business to protect it from cyberattacks and data breaches, don’t forget that on-premises servers, devices and software are not the only aspects of your business at risk. In today’s modern work environment, more employees are working from home or other non-office locations. That’s why it’s critical that you also protect your remote workforce from hackers and require remote workers to follow cybersecurity best practices. Otherwise, your business may pay a steep price.