For any organization a data breach is a disruptive experience. Besides the distraction from daily operations and the unwanted publicity, a data breach brings a huge financial burden as well. Most large businesses have the resources to weather the storm, but many small and mid-size businesses aren't as fortunate. Most SMBs don't have the capital or the technical talent on staff to properly respond to a data security breach. Given that 71% of data breaches target small businesses, I thought it would be beneficial to discuss the fallout of a security breach and the impact it could have on a small business.
One of the reasons I felt compelled to discuss this topic is that there seems to be a cyber security disconnect among small business owners. The National Cyber Security Alliance conducted a study of small businesses. The questions addressed their security practices as well as their thoughts on how vulnerable their business is. The results showed a clear disconnect between the perceived threat to their business and the threat that actually exists. Here are some of the numbers from the study:
SMB Threat Perception:
- 77% say their company is safe from cyber threats
- 66% say they are not concerned with hackers, cyber-criminals, or even employees stealing data
- 47% believe a data breach would have no impact on their business
SMB Security Program Status:
- 87% do not have a formal written security policy
- 59% do not have a security incident response plan for a data breach
- 50% of users still use poor passwords
- 83% do not have a system to require employees to periodically change passwords
SMB Threat Reality:
- 71% of data breaches target small businesses
- 69% of cyber attacks target retail and restaurants
- 96% of data breaches target payment card data
- 60% of small businesses close within six months of experiencing a data breach
I think that last statistic about the small business survival rate is the most telling. The threat to small businesses is real, and the majority of small businesses that experience a data breach won't be around six months later. Many factors contribute to this, because the fallout from a data breach comes from many directions. There are both direct and indirect costs associated with a data breach that an SMB must absorb to survive and stay in business.
Fines and penalties
Once breached, you will most likely be required to conduct a forensic investigation to determine the cause of the breach. Then you will need to conduct a PCI assessment to ensure all issues have been fixed and your network is secure. The card brands can levy fines against you starting around $5,000/month. There are also the costs of reissuing payment cards to those affected by the breach. The average cost per record stolen is estimated at $188. With the average breach affecting 28,765 records, the cost of a breach can add up very quickly.
It becomes very difficult to sustain a business when you can't make sales. In the wake of a data breach several things may affect your business revenue. First, there is the impact on your reputation. Customers will become reluctant to use their credit cards at your location, and sales will suffer. Second is the inability to accept credit cards at all. Usually, once a data breach has been discovered, your merchant account provider will suspend your account, leaving you with no way to take credit card payments from your customers. This can even result in funds in your merchant account being held in limbo until the financial obligation for the breach is resolved.
Higher Costs Moving Forward
Even after the breach has been resolved, the effects may continue to haunt your business. Because of the data breach, your payment processor may impose stricter requirements for PCI compliance, which of course come with a higher cost. Given the higher level of risk now associated with your business, your processing fees may increase, cutting into your profits and the success of your business.
When you add all these together, it's no wonder 60% of small businesses don't survive long after a security breach. Most SMB owners have invested their own time, money and love into their business. It would be tragic to see all that lost because the risks facing your company weren't properly assessed and given the needed attention. Taking the time to address the security risks facing your company will go a long way toward protecting what you've built and providing peace of mind. Here are three simple things that will help get you started:
Provide security awareness training for your employees - People who are aware of the risks tend to do less risky things. A simple security training program that covers the basics and teaches your employees what to look out for will go a long way in protecting your business.
Establish a clear and simple security policy - The policy should address such things as Internet usage, password policies, and acceptable use of company resources. Conduct periodic checks that the policy is being followed, establish consequences if it's not, and hold people accountable.
Put someone in charge of security - This doesn't have to be a dedicated resource, but it should be clearly defined as someone's responsibility. For many small businesses without any internal IT staff, outsourcing, or engaging a managed security service provider, might be the best option. The security threats to small businesses aren't going away anytime soon. As security awareness grows, the level of protection continues to increase. Those that don't keep up will be left behind and become the easy targets.