According to one recent study, it's now become the second most-common form of economic crime. And that's only going by the reported cases. While it's impossible to say for certain, it's entirely possible that between businesses that manage to successfully cover up intrusions and those who are simply unaware of an ongoing intrusion for years, it's even more commonplace than numbers can prove.
This is something no business, not even small operations and startups, can afford to ignore. The costs of even a single data breach can be truly ruinous. So we wanted to take a look at the true cost of a data breach overall, as well as the major contributing factors, along with what (few) mitigation strategies are available.
This is an extremely difficult question to answer precisely, because it depends on a wide range of factors including both the number and type of records breached, the costs of "cleanup," and the long-term impact on the business's reputation.
However, there have been attempts to find some rough averages, and they aren't good. Probably the most credible is a recent IBM study which put the global average costs at $3.6 million in total, with an average cost of $150 per record compromised. And that's only talking about relatively small scale breaches, with "only" tens of thousands of records compromised. If you're talking about the sorts of high-profile major attacks global companies like Sony, Target, and Yahoo have suffered, the costs easily soar into eight- or nine-figure price tags.
So that $3 million-plus figure is not the loss for the big players. It's the amount you could easily be on the hook for in the case of a data breach. Needless to say, that's an amount that could easily ruin an SMB.
As we mentioned above, there are a lot of factors at play here which ultimately affect the long-term costs. These are the biggest determinants of the overall price tag:
This is the truly insidious thing about cybercrime. If your company is hit by a tornado or other "act of god," very few people will hold it against you. Such things just happen, as they say. Furthermore, once you've made the appropriate infrastructure repairs, the damage has basically been contained. But if you're hit by a cybercrime, you will take a major hit in the public eye, and the costs could continue to mount for years into the future.
Speaking of natural disasters...
Yes, but...
Cybercrime insurance has started to emerge as a market, with some insurance companies beginning to branch out into such coverage. However, according to NPR, as of 2015 only about 20% of businesses have invested in it. Many companies, it seems, mistakenly believe themselves to be covered against cybercrimes when in reality they are not.
Further, there are issues in the market. Many insurers - especially the big names - are understandably reluctant to jump into such a volatile and unpredictable field of coverage. Actuarial tables on matters like life and health insurance are based on literal centuries of data. Cybercrime figures have maybe 20-30 years of numbers, and not very reliable numbers at that.
Some companies offering cybercrime insurance have extremely limited policies, full of loopholes, that may be nearly worthless in the case of an actual attack. Others may not have the financial backing to handle a major payout. And those who truly are offering robust coverage with the funding to back it up are asking extremely high prices, due to the risks they're under.
And just making things worse...
Don't expect the government to help you. The vast majority of cybercrime cases go completely unsolved, especially since estimates are that at least 70% cross international borders. Likewise, according to the UN, between 33% and 50% of countries don't even have sufficient laws covering cybercrime. On top of that, there are a staggering number of ways to launder money online these days, particularly with the rise of largely untraceable cyber-currencies like Bitcoin.
Basically, if you've been hacked by someone in the developing world, there's nothing that can be done about it. They won't be caught. Even if they're in a country with advanced legal protections against cybercrime, the chances of actual restitution are very slim.
If this all sounds grim, well, it is. And cyber-criminals are becoming increasingly bold thanks to it, as evidenced by the stunning rise in "ransomware" schemes in the past two years. Nowadays, it's often more effective for criminals to breach a company and use direct coercion to get payouts, rather than stealing records for themselves.
If you can afford cybercrime insurance and find a good policy, it's a good "safety net"... but it's not a permanent solution. Nor is "security through obscurity" a sufficient protection for small businesses and startups. Ransomware can target even the smallest of companies. There is simply no substitute for good internal security and good training of your staff in proper handling of data.
You are your own first line of defense, and often your only line of defense.
These are challenging times, given how reliant nearly all businesses have become on electronic record-keeping. Few expenditures can be more important to the future of your business than keeping that data safe.
For more information, or a security review, please contact Hummingbird Networks for advice.