What is the Cost of a Cyberattack for an SMB?
Do you have an extra $200,000 – $850,000 lying around? Because that’s what a cyberattack could cost your small/medium-sized business (SMB). According to IBM’s 2023 Cost of a Data Breach Report, that amount could go as high as $4.45 million. In fact, SMBs are becoming a more attractive target, as most SMBs have a weak or non-existent cybersecurity posture and hackers are exploiting this weakness.
As an SMB, you might be willing to take the risk, but if you consider the ramifications of a breach and compare them to the cost of cybersecurity protection, you might find the cost-benefit analysis is not in your favor. Once you’ve been compromised, hackers have access to just about everything relating to your business, including PII, your customer lists, your vendor lists (supply chain), your financial information, trade secrets/proprietary information and other sensitive data.
Considerations for SMBs:
As a small business, you may feel that you have nothing a cybercriminal would be interested in. But you probably do have information of interest to hackers:
- HR records that contain PII
- Vendor or customer lists that can be used to extort payment or disrupt your supply chain
- Financial information that cybercriminals use to gauge your cash reserves and set their ransomware demand accordingly
- Your cyberattack may be used as a gateway to your customers’ or vendors’ systems (for example, a phishing email sent from your hacked email account, or a link to their customer portal being exploited).
- How will your customers or vendors react when they discover you’ve been hacked?
- Trade secrets or intellectual property are at risk.
- Your cybersecurity insurance (if you even have it) may not cover a breach if you can’t verify what actions you took to prevent the attack.
- How long can your business survive without access to your data?
A Quick Look at the IBM Report:
- 1 in 3 In-House Detection: Just one-third of an organization’s in-house security teams detected the data breach. Over two-thirds of the breaches were discovered by a third party or by the hackers themselves. When disclosed by the cyberattackers, the cost of the breach increased by an additional $1 million, as compared to those detected by the internal team.
- $470,000 Additional Cost Without Law Enforcement: Additional cost when law enforcement was not involved in a ransomware attack. Organizations that did not involve law enforcement paid 9.6% more and took 33 days longer to resolve the breach.
- 3% Increase in Healthcare Breaches: Healthcare breaches have increased by over 53% since 2020. Although it is strictly regulated, the healthcare industry has seen a significant and steady rise in the cost of data breaches, with the average cost of $10.3 Million.
- 82% of Breaches were in the Cloud: Breaches that involved data stored in the cloud (public, private or multiple environments) accounted for 82% of breaches. 39% of breaches included penetrating multiple environments, with a higher-than-average cost of $4.75 million. Cloud breaches were typically not only more expensive but also had a longer lifecycle.
- $1.68 Million Savings with DevSecOps: Organizations that practiced highly integrated security testing in the software development process (DevSecOps) saved $1.68 million compared to those that did not.
- $1.49 Million Savings with Incident Response (IR) Planning: Organizations that had a solid IR plan and testing saved $1.49 million. Additionally, breaches were discovered earlier (16 fewer days) and were resolved quicker than average.
- $1.44 Million Savings: Organizations with high levels of security system complexity paid an average cost of $5.28 million, while those with low levels of security complexity paid an average cost of $3.84 million. Procedures to achieve high levels of security include:
- Threat Intelligence (additional measures beyond relying on CVE/CVSS scores)
- Vulnerability/Risk Management:
- Vulnerability testing
- Penetration testing
- Proactive risk assessment
- Attack Surface Management (ASM)
- Managed Security Service Providers (MSSP)
Impact to SMBs (Small to Medium-sized businesses)
Organizations with 5,000 or fewer employees saw a significant increase in the cost of a data breach in 2023:
- The average cost: $850,000 (as compared to $6,733 in 2018)
- The mean cost: $200,000
Average Data Breach Life Cycle – 277 Days:
- Average Days to Identify: 204
- Average Days to Mitigate: 73
Initial Attack Vectors:
Many of these attack vectors are related to human error and may be avoidable. Phishing (16%) and stolen/compromised credentials (15%) lead, with cloud misconfiguration (11%) in third place and business email compromise (9%) in fourth place. The 2023 report is the first time that zero-day (unknown) attacks (5%) were tracked. And although considered unlikely, malicious insiders (6%) were the most expensive, averaging $4.9 million, which is 9.6% higher than the global average of $4.76 million.
Recommendations to Reduce the Cost of a Data Breach for SMBs:
Technology is integrated into our everyday lives at home and at work, allowing hackers more opportunities than ever before. Here are the minimum procedures that SMBs need:
- Implement a robust vulnerability management program that covers all your devices and applications:
- All organizations, whether large or small, use some type of commercial off-the-shelf software and steps must be taken to ensure cyber safety.
- Protect your devices, including servers, routers, PCs, printers, VoIP phones, operational technology (OT) and Internet of Things (IoT) devices such as cell phones and tablets.
- Not mentioned in IBM’s 2023 report is the importance of monitoring your hardware for compromised firmware.
- Protect your email with a cybersecurity tool that detects and quarantines malicious attachments.
- Implement strong identity and access management (IAM) strategies
- Multifactor authentication (MFA)
- Manage privileged user accounts
- Modernize data protection across hybrid cloud environments
- Utilize data protection and compliance technologies
- Deploy data monitoring tools for early detection of suspicious activities and prevention of real-time threats
- Use data security management to help detect and resolve vulnerabilities within your cloud environment
- Strengthen cyber resiliency and reduce risk by employing a multi-layered disaster recovery plan. Hiring an MSP/MSSP can help with:
- Educating leadership and prioritizing your cybersecurity strategy around the cyberattacks most relevant to your industry.
- Security awareness training for all end users.
- Implementing a regular schedule for backups of all critical files and systems.
- Ensuring that regular testing and maintenance of all backup and restoration processes are up to date.
Even with the strongest possible cybersecurity plan in place, your SMB will still likely encounter a cyberattack at some point. While this strategy won’t prevent all cyberattacks (zero-day vulnerabilities, human error, unprotected entry points), having a solid cyber plan will help reduce your risk and help with your recovery.
The Spry Cyber team is standing by to help. Our cyber coverage plans are affordable and customizable. Contact us today for a no-cost, no obligation consultation.