In a famous incident in June 2011, the hacktivist group LulzSec broke into Sony Pictures’ network by exploiting an almost embarrassing security vulnerability, and stole a substantial amount of data which included not only email addresses, but also names and home addresses of Sony’s customers. However, Sony Pictures seems alive and well. If such a large company managed to get away with such a high-profile breach, it would be tempting to think that smaller players can afford their share of incidents.
In practice, cybersecurity incidents have a much stronger impact on SMEs. Security expert Dr. Jane LeClair noted, in her testimony before a U.S. House of Representatives Committee [4], that half of the small businesses affected by a data breach go out of business within six months.
A data breach can have such a disastrous impact on a small company today because the mounting value of the data held by SMEs, and implicitly the mounting cost of compensating for its exposure, is becoming more and more difficult for them to absorb.
A study published by security solution vendor Kaspersky [5] showed that the average cost of a single security incident exceeds $30,000, and that even some of the most technically trivial ones, such as denial-of-service (DoS) incidents, can cost more than $50,000. Another study [6] found that, in Italy alone, while the financial losses due to cybercrime totaled just $875 million, the costs associated with recovery and missed or failed business opportunities were almost ten times as large, at $8.5 billion.
The cost of a data breach does not come only from the incident itself and the post-incident activities (closing security backdoors, implementing new security measures, legal proceedings etc.). A study published by network equipment vendor Cisco [7] reveals that more than 40% of breached organizations lost more than 20% of their customer base shortly after a cybersecurity incident. The damage to reputation alone was sufficient to lose almost one fifth of the customer base.
Why these figures? As we mentioned earlier, SMEs hold highly valuable data: credit card data, personal information such as names and home addresses – all of which are regarded as highly important by a company’s customers.
Any kind of data access – internal or external – is your responsibility. This is why it is imperative for any SME to protect any data that is related to its customers, services and partners, regardless of how these assets are held and of their nature.