BLOG: Cost of Cyber Crime to Small Businesses

Part 1 of a 3-part series on cybercrime and small business

No one thinks cybercrime will affect their business. Then the news reveals that seemingly impenetrable companies like Netflix, Sony, Disney, Equifax, and the New York Times have experienced a cyber hack.

Dig a little deeper and reports show that breaches occurred due to criminals hacking these corporations’ small business contractors, who have little-to-no cyber protections. Small-to-mid-sized businesses (SMBs) currently have a virtual target on their backs because of their supply chain connections to multi-national corporations.

With the business world becoming increasingly dependent upon the Internet, cybercrime is a rapidly expanding enterprise. Cybercriminals now make more money than illegal drug traffickers. Without a sophisticated security package, it only requires four minutes or less to hack a computer connected to the Internet. Based on some estimates, cybercrime will cost the global economy $2 trillion by 2019.

According to the Ponemon Institute’s 2016 Cost of Data Breach Study, the average cost of one cyber breach is $4 million globally and $7 million in the United States. While smaller companies may feel that they have nothing worth stealing, cybercriminals use their systems as a secret doorway into their corporate partners’ networks. SMBs currently face an onslaught of spam, ransomware, and phishing attacks. The World Economic Forum classifies cybercrime as a “Top Global Risk”. Last year alone over 430 million new versions of malware launched on the open web; this is in addition to older, pre-existing software. Small businesses experience the disruptive effects of data breaches both immediately and in the long term.

Immediate costs:

  • Customer breach notifications
  • Post breach customer protection
  • Regulatory compliance fines
  • Public relations/crisis communications
  • Attorney fees and litigation
  • Technical investigations
  • Loss of customer trust
  • Disruption of normal business operations
  • Immediate financial losses

Long-term costs:

  • Increase in insurance premiums
  • Operational disruptions
  • Lost value in customer relationships
  • Value of lost contract revenue
  • Devaluation of trade name
  • Loss of intellectual property
  • Loss of future business contracts and relationships

Firewalls exist to block criminals attempting to hack business networks, but they are hackable and require consistent updating. Malicious software mistakenly downloaded by employees is often the culprit behind data breaches. Criminals also exploit unsecured laptops and smartphones to gain entry into business accounts and cloud storage. Top data targets include intellectual property and databases containing personnel information on employees, partners, suppliers, and customers, which can then be used for identity theft and business fraud. According to some cellular industry studies, over 75% of smartphone users do not secure their phones or know how. Obviously banning smartphones is not a viable solution, but protocols should be established to protect employee and business data from phone hacking.

Any device connected to the Internet can be hacked. Increasingly popular internet of things (IoT) devices, including DVRs, printers, Smart TVs, and thermostats, now offer hackers quick access to businesses’ data through unsecured Wi-Fi networks. Criminals who successfully hack IoT devices can turn them into “bots” to use in future attacks. Since many of these devices are new to the market, adequate security protocols do not yet exist. Over 75% of all cyberattacks target known vulnerabilities, including unsecured smartphones and IoT devices.

Smaller organizations experience a higher proportion of cybercrime costs related to malware, web-based attacks, and phishing/social engineering. A cyber breach will result in a long-term loss in revenue if customers refuse to share their sensitive personal information with a company vulnerable to attacks. The time needed to contain an attack significantly affects the total cost. For example, if it takes less than 30 days to contain a cyberattack, the average cost is approximately $7.7 million. In contrast, if the time to contain an attack is greater than 90 days, the average cost increases to $12.2 million. While installing and maintaining cybersecurity software remains expensive, keep in mind that one cyberattack can result in millions of dollars in expenses, loss of reputation, and decreased revenue due to hampered day-to-day business operations. Due to a lack of resources and misunderstanding of the real threat of cybercrime, small businesses represent an easy target for cybercriminals.

Taking into account all the expenses related to cybercrime, can your company afford to be hacked?

Want more information? Check out this helpful resource on small business cyber security:


Virginia SBDC