This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies (with between 100 and 499 employees) in the U.S., U.K., and Australia. The survey focused on how these small businesses perceived new threats facing their organizations. Were they prepared to manage fallout and recovery process after a cyberattack? Did they understand the costs to their organization if they were victimized by a cyberattack? Some of the answers were surprising.
Key survey statistics:
- 96% of those surveyed believe they are susceptible to cyber threats.
- 80% use third-party IT security resources (mixed-use IT and security teams).
- 94% are updating their security budgets to account for mitigating new threats.
- 29% think they are ready to handle a cybersecurity-related incident.
- 89% are confident they have the staff or resources necessary to manage a cyber incident if and when it happens.
- 65% believe their brand reputation will be the most difficult thing to restore after an incident.
- Those surveyed believe the average total cost to their organization for a breach of customer data records would be:
- $580,000 U.S.
- £738,000 U.K.
- AUD 1,893,000
Why these numbers worry me
As a security professional with more than twenty years’ experience in the industry, I’m concerned about several issues these numbers bring to light. Let’s dive a little deeper into the statistics, and what they mean for small- and medium-sized businesses.
Almost all small businesses surveyed (96%) believe they’re susceptible to cyber threats, and 94% are adjusting their security budgets to mitigate these risks. In addition, more than 80% are using a third-party cybersecurity resource. Traditionally, small businesses expand their IT departments gradually and don’t have dedicated security staff. Many of these growing companies assign security duties to a senior IT technician or contract it out to a managed service provider (MSP). Often, cybersecurity is viewed as a drain on resources that doesn’t generate revenue. But whether you’re a home-based business with one employee or a large office with 450 endpoints, if your business connects to the internet, you’re a target. Simple as that.
Given that 80% of the small businesses we surveyed outsource their cybersecurity to trusted MSPs, I would expect that all 80% feel confident they have the resources necessary to manage a cybersecurity incident. That’s why the next number shocks me. Only 29% of those companies feel they’re ready to handle an incident. Why is that?
I believe it’s because they don’t feel their own staff is adequately trained to respond. As a small business, it makes sense to contract security and incident response services to an MSP rather than try to maintain in-house resources. However, as a business, you are still responsible for how you and your partners respond when you have a breach. You can’t contract away your accountability to your customers for due diligence. To me, these numbers indicate that many companies are paying for security resources, but still need to train their teams to improve confidence that they could triage a cybersecurity incident successfully.
The second survey point that concerns me is the estimated total costs respondents believe they will pay to resolve a data breach. In June of 2016, the Ponemon Institute published their global analysis on the cost of a data breach (Ponemon, 2016). This document estimated that the average cost of a breach was $158 per compromised record. This cost is based on numerous factors that impact the business as they try to recover from a successful breach, including:
- Notifying all customers that their data was compromised
- Hiring a Public Relations team to assist with the emergency
- Hiring forensics services to understand how the incident happened, what was compromised, and what needs to be restored
- Restoring data and cleaning up the enterprise networks that have been breached
- Recruiting legal services to deal with any lawsuits or government investigation
- Lost revenue due to reputation damage or loss of compliance certifications
Take a moment to imagine the cost if 10,000 records were compromised in a single breach. As you can imagine, the impact on any business could be devastating, particularly for smaller organizations with more limited budgets. But what can a business do to reduce their risk of exposure and prepare themselves for a cybersecurity-related incident?
Join us for part 2 in this blog series to learn three quick processes I recommend to help small businesses beat modern threats.