SMBs Severely Underestimate Data Breach Costs

It’s National Cyber Security Awareness Month, and industry leaders are zeroing in on some of the most vulnerable targets of cyber scams: small businesses.

Stronger passwords. Paying closer attention to suspicious emails. Using public Wi-Fi with caution and safeguarding mobile apps. They’re just a few basic rules of thumb for small business owners to help mitigate the risk of a cyberattack, according to Matrix Integration; however, as President Nathan Stallings warns, as cyberattacks become more sophisticated, so must small businesses’ mitigation tactics.

“Cybercriminals continue to be creative in their attacks, turning their attention to industries such as manufacturing to retail, and using cloud technology and software like common mobile apps to their advantage,” he said in a statement last week. “All these threats mean that businesses need to cast a wide net and use a variety of tools to keep their businesses and their customers safe.”

The U.S. Small Business Administration estimates that there were almost 42,000 online security incidents around the globe last year — and about 43 percent of those cases targeted small businesses. In this context, the House Financial Services Committee’s Task Force on Artificial Intelligence met earlier this month to discuss the rising threat of small business cyberattacks, the role of technology in combatting it, and the potential for regulation to address security risks.

As lawmakers ponder this risk, PYMNTS highlights some of the newest data points uncovered by researchers examining small business cybersecurity.

$149,000: the average cost of a data breach for a small-to-medium-sized business, according to AppRiver. Even more troubling, however, is the cloud security company’s finding that most SMBs estimate the cost of a data breach to be just $10,000. The firm’s Q3 Cyberthreat Index for Business Survey concluded that small businesses severely underestimate the financial damage a cyberattack can impose on their company: Only 19 percent of survey respondents acknowledged that costs could surpass $100,000.

$3 million in grant money will be used by IBM to develop a threat intelligence sharing platform, according to GovTech reports last week. IBM is collaborating with the City of Los Angeles’ LA Cyber Lab to develop their LA Cyber Threat Intelligence Sharing Platform (TISP), with funds granted by the U.S. Department of Homeland Security. The solution will aim to enable information sharing between small and medium-sized businesses to track cyber threats and trends — a solution, reports noted, often only accessible for larger enterprises. Information on phishing email or business email compromise (BEC) scam campaigns, for instance, can be shared to help small businesses protect themselves before an attack occurs.

60 percent of small businesses would rather give up as much as half of their revenue than lose half of their data following a cyberattack, researchers commissioned by Logically found. Unfortunately, two-thirds of survey respondents say their companies are not keeping pace with IT infrastructure investment demands to stay protected and prevent data theft — a problem that Logically Chief Marketing Officer Jeff Loeb said in a statement is even more acute for small businesses.

20 percent of Business Email Compromise scams request payroll diversions, new data from the Anti-Phishing Working Group (APWG) revealed in a report published last week. Nearly two-thirds of BEC scams analyzed requested gift cards for victims to purchase and send to the attacker, and 15 percent requested direct bank transfers — a tactic often targeting accounts payable departments. While gift cards may seem an unlikely strategy, analysts note that for attackers, they are “more anonymous, less reversible, and do not require the use of a mule intermediary,” explained Crane Hassold, senior director of threat research at APWG member Agari.

11 percent of businesses surveyed in Microsoft’s 2019 Global Cyber Risk Perception Survey said they are confident about their cyber resilience. Confidence in companies’ ability to understand cybercrime declined from 18 percent to just 9 percent in 2018, researchers noted, and 43 percent of firms said they have “no confidence” in protecting their businesses from cyber risks exposed via their commercial partners. Only 15 percent say they are confident about supply chain cyber risk mitigation strategies.