The cost of a data breach for small businesses
Did you know that every business is at risk of experiencing a data breach? Contrary to what many assume, small businesses are actually highly targeted by thieves. As a small business owner, it’s important for you to know:
- What a data breach is
- How a data breach occurs
- What the risks are for your business
- How much a data breach could cost
- Signs of a data breach
Read along for the answers to these important questions and guidance on where to go next to make sure your business is prepared to fend off a data breach. In this article, we’ll examine the costs, factors, and fallout involved in a data breach.
Data breaches are painful and expensive
A data breach is an event in which sensitive or confidential data is accessed by or disclosed to an unauthorized party. For a merchant, the data at stake is most often cardholder data, and that is the focus of this article.
Keeping operating costs down while increasing revenue opportunities is one of the tenets for small business success. But when calculating fixed and potential costs, many merchants fail to plan for a potential data breach. And the results can be financially devastating.
Exactly how devastating? Estimates vary, but Kaspersky Lab reports the average cost of a data breach for a small business in North America to be as high as $117,000. Financial damage on that scale can equal the total value of a small business, making recovery nearly impossible.
As a small business owner, are you taking the security of your business for granted and possibly opening your doors to a costly data breach? If you’re like many SMB owners, you may wrongly assume your business is unlikely to experience a data breach. So, what makes a business a good target? How vulnerable are you?
Small businesses are easy pickings for hackers
Small and medium sized businesses are among the most vulnerable to data breaches for a few reasons.
First, they tend to think they are too small to be a target: nearly 90 percent of small business owners believe they are not at risk of a data breach.
Second, they often lack the time, resources, and know-how to implement measures to protect themselves.
Third, they don't detect a breach quickly enough after one occurs, which makes it even more devastating.
One in three small businesses have no tools in place to protect against an attack.
When you take all of the factors into account, it’s no wonder that small businesses are on cyberthieves’ radars. More than 70 percent of attacks target small businesses, and an estimated 60 percent of those that experience an attack go under within six months. Businesses that operate in the retail, food and beverage, and hospitality industries are the most susceptible to a compromise.
The first step in preventing a data breach is knowing the root cause
As with most things, if you don’t know the cause of a problem, it’s more difficult to come up with a solution that effectively addresses it. Knowing where data breaches originate can help you plan and implement the proper protections for your business.
It’s easy to assume that proactive criminal attacks are behind every breach, but this isn’t always the case. While malicious or criminal attacks are the root cause of nearly half of data breach incidents, there are other factors that can lead to a compromise.
System glitches such as failures in IT and business processes account for 28 percent of breaches, and negligent employees or third party contractors lead to 25 percent of breaches.
The following types of attacks are the most costly for businesses, averaging $156 per record stolen:
- Malware or SQL injection that exploits a vulnerability in the POS system
- Criminals that work from the inside, including employees, contractors, or other third parties
- Social engineering or phishing scams
But errors caused by careless employees and third party contractors can also open up a business to an attack. Over 75 percent of small business employees surveyed report leaving their system unsecured, and 29 percent said cybersecurity is not a high priority.
If these statistics are surprising to you, consider that 41 percent of small businesses are unaware that human error can be a risk factor in a data breach. On average, system glitches cost $128 per record and human error costs $126.
The longer a breach goes undetected, the greater the costs
Like an undiagnosed illness, the longer a data breach remains undetected, the more damage it can cause. Unfortunately, small businesses are often unaware that a compromise has occurred until another party informs them. This happens when, for example, a financial institution discovers a sudden rise in cardholder fraud and traces the source back to a single merchant.
Although a breach can be contained up to 60 percent faster if a merchant identifies it first, Trustwave reports that 49 percent of data compromises were detected by the card brands, merchant banks, or regulatory agencies in the financial industry. Just over 40 percent of data compromises were detected by merchants first.
Using data encryption and having an incident response team in place can shorten response time and reduce the costs of a breach. The Ponemon Institute reports that an incident response team can reduce the average cost per record by up to $19, while encryption can reduce it by up to $16.
How can you tell if you are the target of an attack? Know the early warning signs.
5 warning signs that your business has been breached.
- Systems rebooting or shutting down for unknown reasons
- Unusual outbound traffic from your network
- Remote access or after-hours activity that you did not authorize
- New user accounts that you did not authorize
- Automatic malfunction or disablement of anti-virus programs
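To make the five warning signs above concrete, here is an added example (not from the original article and not the output of any real POS product) that scans a handful of constructed, syslog-style log lines from a hypothetical POS server and flags each sign: after-hours or unapproved remote access, an account nobody authorized, the anti-virus service being stopped, an unusually large outbound transfer, and a reboot with no recorded reason. The line format, the host name, the approved-account lists, the business-hours window, and the 100 MiB outbound threshold are all assumptions chosen for illustration; a real deployment would read the actual logs of the POS vendor and operating system and tune those lists to the business.

```python
"""Added example: scan constructed log lines for the five breach warning signs above.

The syslog-style line format, the host names, the approved-account lists and the
outbound-traffic threshold are all assumptions made for illustration; they are not
taken from the original article or from any real POS product.
"""
import re
from datetime import datetime

# Hours (local time) during which remote access is expected; anything else is after-hours.
BUSINESS_HOURS = range(8, 19)          # 08:00 through 18:59 (assumption)
# Outbound transfers larger than this from a POS host are unusual (assumption: 100 MiB).
OUTBOUND_BYTES_THRESHOLD = 100 * 1024 * 1024
# Accounts and remote users the owner has explicitly approved (assumption).
APPROVED_ACCOUNTS = {"pos-admin", "cashier1", "cashier2"}
APPROVED_REMOTE_USERS = {"pos-admin"}
AV_SERVICES = {"antivirus"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$"
)


def parse_line(line):
    """Parse one 'YYYY-MM-DD HH:MM:SS host EVENT k=v k=v' line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "host": m.group("host"),
        "event": m.group("event"),
        "fields": fields,
    }


def check_event(ev):
    """Return a list of (warning_sign, detail) tuples for one parsed event."""
    f, alerts = ev["fields"], []
    if ev["event"] == "REMOTE_LOGIN":
        user = f.get("user", "?")
        if user not in APPROVED_REMOTE_USERS:
            alerts.append(("unauthorized remote access", f"user={user} src={f.get('src')}"))
        elif ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after-hours remote access", f"user={user} src={f.get('src')}"))
    elif ev["event"] == "USER_ADDED":
        if f.get("user") not in APPROVED_ACCOUNTS:
            alerts.append(("unauthorized new account", f"user={f.get('user')} by={f.get('by')}"))
    elif ev["event"] == "SERVICE_STOPPED":
        if f.get("service") in AV_SERVICES:
            alerts.append(("anti-virus disabled", f"service={f.get('service')} by={f.get('by')}"))
    elif ev["event"] == "NET_OUT":
        sent = int(f.get("bytes", 0))
        if sent > OUTBOUND_BYTES_THRESHOLD:
            alerts.append(("unusual outbound traffic", f"dst={f.get('dst')} bytes={sent}"))
    elif ev["event"] == "REBOOT":
        if f.get("reason", "unknown") == "unknown":
            alerts.append(("unexplained reboot", "no maintenance reason recorded"))
    return alerts


def scan(lines):
    """Run every line through the checks; returns (timestamp, host, sign, detail) tuples."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:          # skip lines that are not in the expected format
            continue
        for sign, detail in check_event(ev):
            found.append((ev["ts"].strftime("%Y-%m-%d %H:%M:%S"), ev["host"], sign, detail))
    return found


# Constructed sample log from a hypothetical POS server; not real data.
SAMPLE_LOG = [
    "2017-11-03 10:12:04 pos-01 REMOTE_LOGIN user=pos-admin src=203.0.113.7",
    "2017-11-03 23:47:19 pos-01 REMOTE_LOGIN user=pos-admin src=198.51.100.23",
    "2017-11-03 23:49:02 pos-01 USER_ADDED user=svc_backup by=pos-admin",
    "2017-11-03 23:50:30 pos-01 SERVICE_STOPPED service=antivirus by=svc_backup",
    "2017-11-04 02:15:00 pos-01 NET_OUT dst=198.51.100.23 bytes=734003200",
    "2017-11-04 02:20:45 pos-01 REBOOT reason=unknown",
    "2017-11-04 09:00:11 pos-01 NET_OUT dst=192.0.2.10 bytes=120400",
    "2017-11-04 09:05:40 pos-01 REMOTE_LOGIN user=vendor-tech src=203.0.113.9",
]

if __name__ == "__main__":
    for ts, host, sign, detail in scan(SAMPLE_LOG):
        print(f"{ts} {host}: {sign} ({detail})")
```

Run stand-alone, the script prints six alerts for the sample log and nothing for the two benign lines (the daytime admin login and the small daytime transfer). The point of the allow-lists is that "unauthorized" only means something if the owner has written down which accounts and remote users are supposed to exist; without that list, every one of the warning signs above is a judgment call made after the fact.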
The costs of a breach are multi-fold
In 2017, the average cost to resolve a malicious or criminal attack in the U.S. was $244 per stolen record, and the average number of stolen records per breach rose 1.8 percent in the last year to more than 24,000 records. If your business is the victim of a data breach, the costs you will incur to resolve the situation span many areas, including the following:
- Notification costs. Notifying affected customers that a breach has occurred is required by law in all but two U.S. states, and also in the District of Columbia, Guam, Puerto Rico, and the Virgin Islands. Notification costs include creating customer contact lists, mail and email communication procedures, postage costs, consultant fees, and more. Notification costs are the highest in the U.S. at $0.69 million.
- Forensic investigation. This refers to the activities undertaken to determine the source and reach of a breach. Depending on their individual rules and thresholds, the payment brands and acquirers require engaging a PCI Forensic Investigator (PFI), a firm approved by the PCI Security Standards Council for this work. By collecting and analyzing all the evidence related to a breach, the investigator pinpoints where the breach originated and who the likely victims are. These two pieces of information are critical for determining a breach remediation plan.
- Industry fines and penalties. These can make up some of the most significant costs to a small business that experiences a breach. The PCI Security Standards Council itself does not levy fines; the penalties come from the payment card brands (typically passed through the merchant's acquiring bank), from government offices, and from the merchant's own financial institution. Additionally, the card brands, such as Mastercard, American Express, and Visa, can refuse to do future business with a merchant after a breach, which has a significant impact on the bottom line through lost payment-card sales.
- Card replacement, credit monitoring, and identity theft repair. In many cases, a business may have to pay the cost of reissuing credit and debit cards to customers whose personal data was compromised. Additionally, providing credit monitoring and identity theft repair services is costly (costs are estimated at around $10 per cardholder), but can go a long way toward repairing customer goodwill after a breach.
- POS system upgrade or replacement. Depending on the source of the breach, a merchant may have to pay to upgrade or replace their POS system, payment software and hardware, server, and related peripherals in order to prevent future breaches.
- Additional security monitoring. After other post-breach activities have been performed, merchants are often required to implement additional security monitoring services that ensure ongoing PCI compliance.
- Legal costs, settlements, and judgments. Lawsuits are a potential fallout of a data breach, particularly if the forensic investigation shows that the business was not in compliance with PCI mandates at the time of the compromise. Legal proceedings can take a lot of time, and the fees can add up quickly.
- Lost business. When customers patronize a business, they trust that their sensitive payment information will be kept safe and secure. Businesses that are victims of a data breach therefore face a public relations nightmare. The ding to their reputation often results in customers spending their money elsewhere. In fact, three out of four consumers would no longer patronize a company that has been breached.
When it comes to recovering from a data breach, the costs to a business’ reputation and bottom line are formidable enough, not to mention the time and energy it takes to get the business back on track.
The best way to keep customer data from being compromised is to put preventative measures in place before an incident occurs. To learn more about the processes, technologies, and strategies that keep small businesses safe from data breaches, read part two of our Preventing Data Breaches series.
Check with your payments provider and make sure that your data security program stays up to date. Preventative maintenance will not only save you money and time; it may save your business.