In a famous incident in June 2011, the hacktivist group LulzSec broke into Sony Pictures’ network by exploiting an almost embarrassingly simple security vulnerability and stole a substantial amount of data, including not only email addresses but also the names and home addresses of Sony’s customers. Yet Sony Pictures is alive and well. If such a large company could weather such a high-profile breach, it is tempting to conclude that smaller players can also afford their share of incidents.
In practice, cybersecurity incidents hit SMEs much harder. Security expert Dr. Jane LeClair noted in her testimony before a U.S. House of Representatives committee [4] that half of the small businesses affected by a data breach go out of business within six months.
A data breach can have such a disastrous impact on a small company because the value of the data SMEs hold keeps growing, and with it the cost of compensating for its exposure, a cost that SMEs are increasingly unable to absorb.
A study published by security vendor Kaspersky [5] showed that the average cost of a single security incident exceeds $30,000, and that even technically trivial ones, such as denial-of-service (DoS) incidents, can cost more than $50,000. Another study [6] found that in Italy alone, while direct financial losses due to cybercrime totaled $875 million, the costs associated with recovery and with missed or failed business opportunities were almost ten times as large, at $8.5 billion.
The cost of a data breach is not incurred only by the incident itself and the post-incident activities (closing the exploited holes, implementing new security measures, legal proceedings and so on). A study published by network equipment vendor Cisco [7] reveals that more than 40% of breached organizations lost more than 20% of their customer base shortly after a cybersecurity incident. Reputational damage alone was enough to cost them roughly a fifth of their customers.
Why such figures? As mentioned earlier, SMEs hold highly valuable data: payment card data and personal information such as names and home addresses, all of which customers regard as sensitive.
In some cases, companies are required by law or by industry partners to safeguard this information according to specific standards and regulations, such as PCI DSS (Payment Card Industry Data Security Standard), the security standard for companies that handle payments made with the major card brands. More often, though, no sector-specific regulation dictates how the data must be protected, and what applies instead is the implicit, and often legally enforceable, expectation of customers that their data is handled and kept safely. A practical rule of thumb: customer data should be accessed only by the parties your privacy policy allows to access it, and only within the limits that policy sets out.
Any data access, internal or external, is your responsibility. This is why it is imperative for any SME to protect all data relating to its customers, services and partners, regardless of the nature of those assets or how they are stored.