60% of small businesses fail after a cyberattack. Why?
According to the National Cybersecurity Alliance, almost two thirds of SMBs go out of business within six months of an attack. Here’s how to protect yourself.
According to IBM, the average cost of a data breach reached $4.35 million in 2022, representing a 12.7% increase since 2020. The report also found that, once again, social engineering and compromised credentials were among the most common attack vectors. Even more worrying is the fact that up to 60% of small businesses end up filing for bankruptcy within six months of suffering a data breach.
In one recent case, the healthcare billing vendor American Medical Collection Agency (AMCA) filed for bankruptcy just months after a data breach that exposed personal and financial data belonging to over 20 million Americans. The intrusion began in August 2018 and continued for eight months before it was finally revealed to the public. AMCA and its parent company, Retrieval-Masters Creditor’s Bureau, ended up spending $4.2 million just on reporting the breach.
In a similar case reported in 2021, healthcare technology company CaptureRx suffered a data breach that impacted 2.4 million individuals. A few months later, the company found itself facing 10 lawsuits, many of which alleged improper data protection measures and negligence, as well as invasion of privacy. In February 2022, the company’s CEO claimed the company was considering filing for bankruptcy in the face of a potential $4.75 million settlement.
In Europe, the Finnish psychotherapy service provider Vastaamo also suffered a data breach that resulted in the company’s bankruptcy. The company reported that its patient database had been hacked in October 2020 by cyber extortionists who demanded €450,000 in bitcoin while threatening to publish the stolen records. Vastaamo was fined €608,000 only a year later for failing to comply with the GDPR, ultimately declaring bankruptcy in February 2021.
The highly sensitive nature of healthcare data makes it a favorite target for cyberattackers. Of course, the same goes for other highly regulated industries, such as law and finance, although any small business faces a heightened risk of bankruptcy due to the enormous costs involved in a data breach.
So what exactly makes data breaches so expensive?
The cost of a data breach encompasses many elements, although reputational damage tends to get the most attention. That said, reputational damage is often quickly forgotten, given the 24/7 news cycle. While the cost of reputational damage certainly shouldn’t be underestimated, especially in the case of industries like law, healthcare, and finance, it’s often just the tip of the iceberg.
The initial costs of tackling a data breach are those associated with investigation and reporting. Whenever a breach is either suspected or confirmed, the targeted company must determine as quickly as possible which information was disclosed and which systems were affected. This is necessary for complying with data breach notification laws, which require organizations to inform their customers within a given time frame when there is a reasonable suspicion that their data may have been compromised. Failure to do so can result in substantial fines, greatly increasing the cost of a data breach.
On top of this come the costs of remediation. Once the target organization has determined the ‘who, what, and when’, the focus shifts to restoring its systems. Depending on the nature of the breach, this can also be very expensive, especially if it involves taking mission-critical systems offline for an extended period. Furthermore, compromised systems may need to be wiped and rebuilt, which could involve the permanent loss of valuable intellectual property.
In the case of ransomware and other cyber extortion attacks, victims may instead opt to pay the ransom, although almost all cybersecurity experts strongly advise against this. That said, in industries like healthcare, in which patient wellbeing might be compromised, paying a ransom can end up being the only viable option.
Finally, there are numerous costs associated with data breaches that are difficult or practically impossible to accurately quantify. This includes the aforementioned reputational damage, loss of productivity, and damaged company morale.
Why good security starts with people and culture
Technological solutions are a critical enabler of any mature cybersecurity strategy, but they’re not enough by themselves. The main reason for this is that the vast majority of cyberattacks involve a phishing element, rather than hacking in the traditional sense. This is also why your team communications platforms tend to be one of the weakest points in your security environment.
Imagine, for example, that an attacker were to gain access to your communications on Slack or Teams. They might do so by using a still-signed-in account on a lost or stolen device, or by compromising an old, unused account belonging to an employee who has left the company. Once inside, they are free to misappropriate proprietary information or carry out highly convincing social engineering attacks while masquerading as other employees.
Other incidents are entirely accidental and might not involve any foul play at all. For example, an employee might unwittingly send a sensitive document via an unsecured and unmonitored channel, at which point the company might find itself dealing with a serious data leak.
These risks, not to mention the constantly rising cost of a data breach, make clear the need for a security-aware corporate culture backed by multiple layers of protection. To that end, all business communications should be closely monitored, while proactive measures like data loss prevention (DLP) and zero trust security (ZTS) greatly reduce the chances of a successful breach. Moreover, by monitoring and archiving all your communications, you can quickly get to the root cause of an incident and take action before any further damage is done. After all, the best approach to security is not to ask whether a data breach will happen, but when.
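The stale-account risk described above is one a workspace admin can check for routinely. The following Python script is an added example, not Worldr’s code or any platform’s API: it assumes a constructed member export, a constructed HR leaver list with offboarding dates, and constructed sign-in events, and flags active accounts belonging to leavers, accounts dormant beyond a threshold, and sign-ins that occurred after an employee’s offboarding date.

```python
from datetime import datetime, timedelta

# Constructed sample data (not a real platform export format).
MEMBERS = [
    {"user": "alice", "active": True,  "last_login": "2023-03-01"},
    {"user": "bob",   "active": True,  "last_login": "2022-09-15"},  # dormant
    {"user": "carol", "active": True,  "last_login": "2023-02-20"},  # has left
    {"user": "dave",  "active": False, "last_login": "2022-01-10"},  # deactivated
]

# Constructed HR leaver list: user -> offboarding date.
OFFBOARDED = {"carol": "2023-02-01", "dave": "2021-12-31"}

# Constructed sign-in events: (user, ISO timestamp, device name).
SIGNINS = [
    ("alice", "2023-03-01T09:00:00", "laptop-a"),
    ("carol", "2023-02-20T22:41:00", "unknown-device"),  # after offboarding
    ("bob",   "2022-09-15T08:10:00", "phone-b"),
]


def audit_accounts(members, offboarded, signins, now, dormant_days=90):
    """Return a sorted, de-duplicated list of (user, reason) findings."""
    findings = set()
    cutoff = now - timedelta(days=dormant_days)
    for m in members:
        if not m["active"]:
            continue  # a deactivated account cannot be used to sign in
        if m["user"] in offboarded:
            findings.add((m["user"], "active account for offboarded employee"))
        elif datetime.fromisoformat(m["last_login"]) < cutoff:
            findings.add((m["user"], f"dormant for more than {dormant_days} days"))
    # Any sign-in dated after the HR offboarding date needs investigation,
    # regardless of whether the account has since been deactivated.
    for user, ts, device in signins:
        left = offboarded.get(user)
        if left and datetime.fromisoformat(ts) > datetime.fromisoformat(left):
            findings.add((user, f"sign-in after offboarding at {ts} from {device}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in audit_accounts(MEMBERS, OFFBOARDED, SIGNINS, datetime(2023, 3, 2)):
        print(f"{user}: {reason}")
```

Run against a real member export and sign-in log, the same three checks give a short list of accounts to deactivate or investigate before they can be abused.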
Worldr provides an extra layer of security and compliance to Microsoft Teams, Slack, and WhatsApp by giving you complete control over your data while ensuring adherence with record-keeping laws. Book your demo today to see how it works.