Criminals looking to steal data or disrupt commerce don’t only hone in on large corporations. Small and midsize businesses (SMBs), in fact, are just as attractive a target.
In 2013, there were about 28 million SMBs in the U.S., two-thirds of which contributed about $7.5 trillion to the U.S. economy. This makes them a lucrative and vulnerable victim for cybercriminals simply because many of them are not paying attention.
Crime committed through the Internet falls into two broad categories: information theft and digital vandalism. Theft includes financial information, product or strategic proprietary information, customer records and transaction histories. Once stolen, this information is used to either directly steal funds from the SMB or its customers, or is sold to other criminals.
Phishing is a form of information theft that entices a user to reveal sensitive information such as passwords or credit card numbers by masquerading as a trusted entity. Digital vandalism includes denial of service (DoS) attacks, viruses or other types of malware, often intended to simply disrupt a business. All forms of cybercrime exact damaging costs.
Assessing costs to smaller enterprises
For a small business, customer information theft can paralyze operations or put a company out of business. A single incident that damages a firm's reputation or compromises the integrity of its electronic storefront could result in unrecoverable losses.
The average direct cost to a small business for a single attack in 2013 was almost $9,000, but that excludes brand damage and other soft costs. SMBs incur nearly four times the per capita cybercrime costs of larger firms, according to Ponemon.
To many SMBs, these costs can prove fatal. A 2012 National Cyber Security Alliance study showed that 36 percent of cyber attacks are conducted against SMBs. Of those, up to 60 percent go out of business within six months of an attack. Yet 77 percent of SMB owners believe their companies are safe from cyber security breaches.
Cybercrime is an unfortunate side effect of the information age. Where physical goods or cash once contained all the value targeted by thieves, today information holds even greater value. Businesses must be diligent to protect against electronic theft. SMBs must assess their potential exposure to cybercrime and take actions to prevent and blunt attacks.
Although the precise costs of an attack differ based on an SMB's size and circumstances surrounding that attack, the following sections describe the types of costs that could be incurred by an SMB in the wake of such an unhappy event.
1. Business lost during attack
A security breach often means shutting down the SMB's electronic operations for some period of time. An online retailer subjected to a DoS attack could be shut down for several days or weeks while determining the attack's origin and taking corrective action.
A customer data breach in which credit card information was stolen would likely cause a similar lock-down. Corrective action often depends on a service provider's responsiveness; a frustrating, time-consuming and costly affair. Costs are likely to result in total revenue losses for at least several days.
2. Loss of company assets
Bank account numbers and passwords stolen during a breach can cause theft of account funds. SMB owners may wrongly assume that banks will cover the loss, as do consumer credit card companies. In fact, an SMB will lose any stolen funds, which could cause a business to lose its working capital.
Proprietary information, such as product designs, customer records, company strategies or employee information, is often compromised or stolen outright. All of these assets have incalculable value to a business, and thus can inflict crippling losses.
3. Damage to reputation
Another cost that's difficult to quantify is reputation damage after an attack. The much-publicized Target breach that compromised 100 million customer records cost that firm roughly $148 million in direct cash costs, after insurance payments. Yet the damage to Target's reputation will linger for a long time, making people hesitant to share personal information, use their credit cards or shop at the store. Forrester Research estimated that Target's total costs would exceed $1 billion.
This scenario could be worse for an SMB. For example, consider a resort operator that relies heavily on its website to attract new customers, book reservations and maintain its brand. If that site is hacked and infected with malicious links, it will be quarantined—placed in a "sin bin”—for a fairly long period by search engines, making it harder for customers to find the website.
Even after the operator resolves the hack, it could take months for the resort's virtual reputation to be restored. And that's on top of losses in revenue and good will from customers affected during the attack.
SMB's aren't likely to be sued if their customers' information is stolen unless they failed to implement reasonable protection measures. In the Target case, for example, consumers, and the banks that held their credit cards, filed class action lawsuits.
In the latter case, a US judge ruled that Target played a "key role" in allowing hackers to gain access to its data center, which enabled the banks to continue their lawsuits. Certainly, Target is not an SMB, but a small business needs to recognize the need to protect its customers' information. Taking reasonable measures (“exercising due diligence”in legal terms) should offer protection against future litigation in the unfortunate event of a data breach.
5. Protection costs: staff, firewalls, encryption and software
The most important cost of cybercrime should also be the first outlay: prevention. Businesses of any size need to implement a strategy to protect against the reality of cybercrime. For the smallest of SMBs—a one-person proprietorship—that could be as simple as using robust password protection on all systems and utilizing low-cost protection software, perhaps as little as $50/year.
For larger businesses, costs scale with size. Use of security information and event management solutions (SIEMs), intrusion prevention systems (IPSs), network intelligence systems and data analytics can greatly reduce cyberattack costs, some report by as much as a factor of six.
Expert advice: Do something
The biggest risk facing an SMB manager is inaction. Ignoring cybercrime does not make it go away and places the business in jeopardy. Protective actions against cybercrime are now more important than the locks on a store's front door.
Failure to put an electronic protection plan in place appropriate to the SMB's size and business model is equivalent to leaving the front door wide open with a pile of cash in plain sight. Don’t let that cash get away: put it under lock and key.
Chris Janson is a technologist with over 25 years of industry experience working in engineering, marketing and management roles for companies large and small. He has published many articles on communications networks and their use in government, finance, education and other industries. He speaks at industry conferences, serves on the boards of OpenCape Corporation and Rural Telecom Congress and has taught courses at Northeastern University in Boston.
Ed Tittel has been working in IT for over 30 years. He's the author of over 100 computing books, including the Exam Cram series of certification prep titles. He also blogs regularly for the IT Knowledge Exchange ("Windows Enterprise Desktop"), PearsonITCertification, GoCertify and Tom's IT Pro. For more info about Ed, please visit his website at www.edtittel.com.
This story, "5 costly consequences of SMB cybercrime" was originally published by CIO.