Defense Secretary Leon Panetta recently made some provocative statements about cybersecurity. He said we were on the verge of a cyber Pearl Harbor and that enemies of the United States are working overtime to take down major electrical grids, transportation systems, and the financial infrastructure. He also mentioned that while the US government is taking a defensive stance, businesses are also under threat and should take decisive action.
There are two paths a business might take in response to this very real cybersecurity threat. The first is to make sure all systems and software are upgraded and the best cybersecurity is put in place to protect the company. The second is to do nothing, keep the current infrastructure in place, and hope that the business doesn’t come under attack.
There are many companies that have taken aggressive steps to protect themselves against cyber attacks. When questioned about why they are so “on the ball” with their security, the answer is usually a resounding “because we’ve already been attacked.” The monetary costs of being attacked are staggering. They far outweigh the cost of implementing a cyber defense system. Let’s examine the cost of implementing cyber security versus the cost of getting attacked.
Cost of Cyber Attacks
There’s no doubt cybercrime is on the rise. Small businesses are being targeted because they don’t have the necessary security in place to protect themselves. Most of these attacks can be avoided. Verizon started keeping track of attacks in 2004 and has reported that most of the attacks were not complex and 97% of them could have been avoided.
According to a recent survey from the Ponemon Institute, the average cost of cybercrime per year was $8.9 million for businesses. The range was $1.4 million to $46 million according to the survey. It is not large companies that are under the most threat; it’s small businesses.
Once a company has been attacked, it takes an average of 24 days to even realize there has been a problem. The cost to clean up the debris is around $600,000 per incident. In other estimates, like a recent report from the FCC, the average cost per incident for a cyber attack was right around $200,000. These costs are very large and could easily put a struggling business in financial peril if a successful attack is perpetrated.
Cost of Cyber Defense
Protecting a company against cyber attacks costs business owners time and money. Businesses must implement comprehensive cyber security plans to protect their company, employees, and customers. Part of that plan means upgrading computers and networks with the latest antivirus software. It also means having the latest versions of operating systems installed on networks and computers. Employees must be properly trained in cyber security defensive strategies, and consequences for breaking the rules must be enforced.
The cost of implementing a cyber security plan for a business varies depending on the size and type of company. Gauging the actual cost of cyber defense is a difficult task. We do know that spending in the IT security industry is on the rise. In 2011 US companies spent a total of $76 billion on IT security. Annual IT security spending has been rising dramatically over the last 5 years.
Using a complete security software protection suite for a small business has a price tag of several hundred dollars annually. In addition, it will cost several thousand dollars per year to have the hardware to ensure PC data is backed up on site, or the backup can be outsourced to the cloud at the price tag of several hundred dollars annually. As I mentioned earlier, employees must be trained to implement security strategies to avoid risky behavior. This all costs the company time and resources to implement, but the cost is not as high as weathering an attack.
The facts are clear. It is much cheaper to implement a cyber security strategy than to risk being attacked. The cost of losing not only money but also good faith among the public if the leak is exposed is too great to ignore. Unfortunately, most small and medium-sized businesses are doing just that: ignoring the risks.
83% of small businesses in the US report having no formal cyber security strategy or contingency plan if they are attacked. 70% report not even having outlined internet use policies for employees. These reports are alarming to think about because recent models are showing that small business cyber attacks have doubled in the last year. Trust me when I say that the bad guys are gunning for small businesses everywhere.
Unfortunately, even having a strong security plan in place doesn’t make a business immune from attack. But as Verizon reported, 97% of all attacks could have been thwarted if basic security was in place. Small businesses should take heed before they have to deal with the inevitable expensive cleanup that comes after an attack.