The other day I made a passing reference to the financial consequence of the Experian breach, which was its tumble in value on the stock market.
Most SMBs don’t have to worry about their businesses crashing on Wall Street, but the costs involved in a breach and its aftermath are very real. According to a new study by Kaspersky Lab, enterprises can expect to spend, on average, a half million dollars to recover from a breach. For small businesses, that dollar amount is around $40,000, but that may as well be a half million or more. For smaller businesses, it’s a devastating amount.
Downtime is the biggest loss when looking purely at the financial side of a breach. The study also broke down the areas you might not be thinking about during the aftermath—the costs of the professional services needed to clean up the mess, upgrades to the security infrastructure and employee training, which can also add up to tens of thousands of dollars. No wonder so many smaller businesses have to shut down after a breach!
As Chris Doggett, managing director of Kaspersky Lab North America, said in a formal statement:
Businesses have known for a long time that any cyberattack has its consequences, but the high costs associated with addressing a cyberattack after an incident occurs is quite alarming. IT security needs to become a more common priority for organizations and it is our hope that these numbers will motivate businesses to take the necessary steps to implement effective cybersecurity technology and strategies to prevent having to pay an enormous cybersecurity bill.
Except, the study also found, IT security isn’t a priority. Even the companies that have suffered a breach aren’t doing much to prevent another. In fact, only half of the respondents in the survey said that preventing breaches is a top concern and 44 percent admit to not taking as simple a step as adding anti-malware software to prevent future threats.
Why isn’t security a higher priority? A TechRepublic article may have provided an answer, at least where larger enterprises are concerned: It’s cheaper to be breached than to provide the security protection. As Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, was quoted:
‘When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1 percent of each company's annual revenues. After reimbursement from insurance and minus tax deductions, the losses are even less. This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed.’
This is not the case for SMBs, who are likely not implementing better security processes because they don’t have an IT staff or anyone available in-house to handle it or they don’t have the funds to outsource IT security. But no matter the reason, thinking that a breach is cheaper than actual data security is a moral or ethical lapse. Financial loss isn’t the only consequence of a breach; the personal information of customers and employees is also at risk. Shouldn’t that factor into the security decision? It does in the Kaspersky Lab study, which also accounts for dollars lost because of the hit to the company’s reputation.
Also consider this: These studies focus on what happens in the aftermath of the first breach. What happens when the second or third one occurs? How long can a business sustain breaches and not suffer true loss?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.