2021 saw a marked upturn in the volume, creativity and audacity of hacks and mega breaches with CNA Financial, (1) Colonial Pipeline, (2) Kaysea, (3) Microsoft, (4) JBS USA (5) and even the Houston Rockets (6) all hitting the headlines as victims of cybercrime. Although such attacks hurt big businesses and test customer trust, they’re not typically an extinction-level event. For small businesses, however, the likelihood of some type of cyber incident is just as high, if not higher and their chances of making a full recovery considerably slimmer.
The top 5 business impacts of cyber security breaches
Each organisation is unique in terms of the impact of a breach, dependant on the timing and duration and the industry in which it operates. For example, a data breach may have more pronounced consequences for the financial sector than, say, in manufacturing. However, common impacts you should consider when evaluating your own security posture include:
Loss of customer and stakeholder trust can be the most harmful impact of cybercrime, since the overwhelming majority of people would not do business with a company that had been breached, especially if it failed to protect its customers' data. This can translate directly into a loss of business, as well as devaluation of the brand you've worked so hard to build. Although on a case-by-case basis it’s difficult to quantify the erosion of reputation due to a data breach, according to one industry insider speaking with ITPro, “we see a 60% failure rate among SMBs after a company discloses a breach within 6-12 months, partly due to confidence issues and partly due to recovery challenges.” (7)
While a cyber-raid on a big-name bank may net the attacker a sizeable haul, smaller businesses' defences are typically less sophisticated and easier to penetrate, making them a softer target. Cyber-enabled fraud leads to monetary losses, but stolen data can be worth far more to hackers, especially when sold on the Dark Web. A report by The Digital Shadows Photon Research team found that the average price for commercially traded logins on the Dark Web was a ‘modest’ $15.43; when it came to domain administrator accounts that give access to internal business networks, (typically sold by auction because of their value to hackers), the price spiked to an average of $3,139 and, in select cases, reached an eye-popping price of $120,000. (8) Intellectual property theft may be equally damaging, with companies losing years of effort and R&D investment in trade secrets or copyrighted material – and their competitive advantage.
Cybercrime costs small businesses disproportionately more than big businesses when adjusted for organisational size. For a large corporation, the financial impact of a breach may run into the millions, but at their scale, the monetary implications are barely a blip on the radar. According to the latest data breach report by IBM and the Ponemon Institute, the average cost of a data breach in 2021 is $4.24M, a 10% rise from its average cost of $3.86M in 2019. Even more troubling is the report’s finding that the longer a breach remains undetected, the higher its financial impact. For example, data breaches that were identified and contained within 200 days had an average cost of $3.61 million. But breaches that took more than 200 days to identify ad contain had an average cost of $4.87 million ― a difference of $1.26 million. (9)
As if direct financial losses weren't punishment enough, there is the prospect of monetary penalties for businesses that fail to comply with data protection legislation. In May 2018, the General Data Protection Regulation or GDPR went into effect in the EU. The enforcement powers associated with the law are significant. Fines for violations can reach up to 20 million Euros or 4% of a firm’s global annual revenue, per violation, whichever is larger. In 2020 European data agencies issued $193 million (€159 million) in fines in 2020 for violations of the General Data Protection Regulation where the single highest penalty imposed was a $57 million fine French authorities issued to Google. (10)
While in the US there is no true counterpart to GDPR, three states — California, Colorado and Virginia ― have enacted comprehensive consumer data privacy laws. The three laws have several provisions in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others. (11)
In addition to the economic costs of incident response, there are several intangible costs that can continue to blight a business long after the event itself. The impact of operational disruption tends to be woefully underestimated – especially among firms that have little in the way of formal business resilience and continuity strategies – and small organisations that already struggle to manage cash flow may face crippling rises in insurance premiums or see an increased cost to raise debt.
Cyber security and cyber incident recovery isn't an IT problem. Instead, it's a business imperative. Adopting a comprehensive security strategy today can help you avoid having to shut up shop if hackers strike tomorrow.