With all the emphasis in the news on large, multinational corporations getting hacked, the plight of small- to medium-size businesses sometimes gets lost in today’s viral-driven news cycle. But a 2014 survey by the National Small Business Association uncovered the staggering costs smaller organizations face when they are hit by data hacks.
In fact, half of all small businesses reported being the targets of a cyber attack—and those attacks can mean considerable expenses. For instance, the researchers found that the average cost of an attack rose from $8,699 in 2013 to $20,752 in 2014. But it’s not just a cost in dollars; it’s also a cost in time and brand equity. One-in-three respondents reported that it took them at least three days to recover from an attack. Three days is lengthy in the business world, but this number doesn’t really tell the whole story. For example, how many people had to work to recover from the attack? And, how many hours were spent by employees in notifying customers, doing an extensive audit to determine how the attack happened and how much damage was done? One long term effect that face organizations, both large and small, is loss of trust. Depending on how serious the breach was it could take years for a company to regain the trust of its customers and partners and recovering from the hit the company’s brand may take as a result.
A data breach is not only a hazard to the security of an organization, but also a substantial financial drain. In the wake of a compromise, the company must pay forensics investigators and lawyers and upgrade security systems. The fallout may also lead to lawsuits and internal document leaks, which both require time and money to resolve.
The two following notable hacking examples and a national survey reveal the severity of the costs that come from cyber attacks.
Yes, You Can Be Sued for Cyber Attacks
The private intelligence firm Stratfor suffered a data hack in late 2011 and found itself facing a class action lawsuit filed by customers who pointed out, among other failures, that the company did not properly encrypt their identity records. Adding insult to injury, companies are not just responsible for recovering post-theft, but also are responsible to their customers in the aftermath.
In Stratfor’s case, a settlement was announced, requiring the company to pay hefty fines and fees. To summarize, Stratfor owed a $400,000 lump sum for legal fees as well as payment for credit monitoring services, free service access, and an e-book copy of the business’s The Blue Book to each class member requesting these forms of compensation. Both company products cost Stratfor approximately $1.75 million.
Sensitive Customer and Internal Data Could Leak Online
One of the most infamous hacking scandals occurred in 2014. Sensitive data from Sony Pictures was publicly released online, including employees’ Social Security numbers, unpublished scripts, salaries, and health test results. WikiLeaks compounded problems for Sony by publishing highly sensitive internal business emails and documents. The FBI suspected North Korea as the perpetrator of the attack, due in part to the hackers’ IP addresses. Although this theory was never proven, many theorized that Sony was targeted in retaliation for its 2014 film, The Interview, which focuses on a plot to assassinate the North Korean dictator, Kim Jong Un.
Sony’s senior general manager Kazuhiko Takeda said that the hack would cost Sony up to $35 million. These expenses largely pertained to restoring financial and IT systems. After some of the awkward and revealing emails that went viral after the cyberattack, the repercussions for Sony and its employees could reverberate for years.
Half of All Small Businesses Have Been Hit by Cyber Attacks
With all the emphasis in the news on large corporations and global giants like Sony getting hacked, the plight of mid-market organizations gets lost in the news cycle. But a 2014 survey by the National Small Business Association uncovered the staggering costs these organizations face when they are hit by data hacks.
According to the survey, half of all small businesses reported being the targets of a cyber attack—and those attacks can mean considerable expenses. For instance, the researchers found that the average cost of an attack rose from $8,699 in 2013 to $20,752 last year. But it’s not just a cost in dollars; it’s also a cost in time and hours spent on recovery efforts that could be better spent on creating and closing new business opportunities. In fact, one in three respondents reported that it took them at least three days to recover from an attack.
Mid-market organizations should not become complacent because they’re flying somewhat under the radar. On the contrary: the takeaway for smaller companies should be that even global corporations, which may have an IT security budget in the millions of dollars, are not fully prepared and protected against every potential security threat. The first step is to protect your business and brand from what could be a damaging attack is to develop a long-term IT security plan. Then, execute the plan with support from your employees. By equipping IT personnel with the software and services they need, and establishing a company-wide policy on handling cyber attacks, the necessary groundwork is established that will go a long way to protect business systems and networks. Ultimately, decreasing the risk that your company will incur extensive damages and costs associated with being hacked.