For Small Businesses, Cyberattacks Are Felt Long After A Data Breach


In the wake of some high-profile cyberattacks on small businesses and local governments, new research suggests that the pain points of such incidents last long after systems are back up and running.

Earlier this month researchers at Symantec warned of a security flaw in WhatsApp and Telegram that allows hackers to manipulate a file when sent from one user to another. Experts warned that this could be exploited in several ways, including to change details of an invoice.

“In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account,” Symantec said in its blog post at the time.

With more small businesses and freelancers embracing WhatsApp and other messaging platforms to conduct business, the vulnerability reflected the rising threat of cyberattacks in general against small businesses.

Small government entities, too, are facing these risks.

Most recently, a string of ransomware attacks hit local government entities that ultimately decided to pay off the attackers to regain access to computers. Analysts warned that local and state-level governments, much like small businesses, often lack the sophisticated cybersecurity technology required to avoid such attacks in the first place.

Both cases reflect not only the growing risk of cyberattacks facing small businesses and government entities today, but the financial ramifications of being a target. The cost of cyberattacks is massive, whether accidentally losing money when a scammer changes bank account information on an invoice, or paying hundreds of thousands of dollars to take back systems from a ransomware attacker.

But new research from IBM finds that it’s not just the cost of cyberattacks that cause pain for small businesses — and nor does that pain end once company systems are back up and running.

“Cybercrime represents big money for cybercriminals, and unfortunately that equates to significant losses for businesses,” said IBM X-Force Incident Response and Intelligence Services global lead Wendi Whitmore in a statement announcing IBM’s new research. “With organizations facing the loss or theft of over 11.7 billion records in the past three years alone, companies need to be aware of the full financial impact that a data breach can have on their bottom line — and focus on how they can reduce such costs.”

IBM’s latest report calculated that small businesses with fewer than 500 employees averaged $2.5 million in losses stemming from a cyber event, “potentially crippling” those companies, IBM said.

According to the analysis, small businesses hit by a data breach can face years-long consequences: in two-thirds of scenarios analyzed, small businesses realized the full extent of financial losses within a year. But in 22 percent of cases, the full cost of a data breach was not realized until year two — and 11 percent didn’t experience the full extent until year three. Analysts warn that small businesses in highly regulated sectors like financial services, health care and pharmaceuticals are more likely to experience the long-term impacts of a cyber incident.

Beyond finances, the reputational damage can last years, too. It’s unclear how the local governments recently affected by ransomware attacks will feel the longer-term effects of the incidents, or of using taxpayer money to pay off the attackers. But experts agree that the threat of cyberattacks — and the costs associated with them — are on the rise for small businesses, in some cases threatening the very existence of a targeted business.