Hidden Costs of the Small Business Data Breach

Small business data breach cost

It’s easy for small businesses to believe that they’re below the radar of cybercriminals. We picture hackers as having their eyes on a larger prize, potentially the customer files of a high-profile enterprise organization like Equifax, Facebook, and Marriott.

More than 65 percent of senior decision-makers at small businesses still believe that they’re unlikely to be targeted by cybercriminals. About 60 percent of those businesses have no defense plan in place and an estimated 14 percent are insufficiently prepared to respond if an attack does occur.

And yet, statistics show that small business data breach is a common occurrence.

  • Approximately 43 percent of all cyberattacks are directed at small businesses.

  • Half of all small businesses have experienced a breach in the past year

  • 40 percent of small businesses have been attacked multiple times

  • These attacks cost an average of $200,000 for hacked small businesses in the US, but the global average is much higher at $3.92 million.

  • 60 percent of affected small companies go out of business within six months of being attacked.

The bottom line is that if you own a small business, you’re more likely than not to be the victim of an attack, and it can bring you down. 

The Costly Fallout of Small Business Hacking

The average total cost of a small business data breach is increasing. Globally, the cost increased 6.4 percent from 2017 to 2018, while the per-record cost rose 4.8 percent from $141 to $148. Costs are highest in the US, where companies pay $233 per affected record.

So what goes into this total?

Data Breach Fees

These are what some experts call “hard costs” – the ones that have a price tag and are directly related to fixing the breach. The costs of containing and repairing the breach are perhaps the most obvious. They include money paid out to developers and related service providers as well as the retailers of any components that need replacement.

Customer Damage Control  

The law mandates reporting of a breach to all customers affected. The sooner a company can do this, the better customers tend to perceive the company’s handling of the matter. 

Affected companies are required to send a written notification to every affected customer and tell them:

  1. When the breach happened

  2. What category of information was compromised – social security numbers? Credit card information?

  3. What the company is doing to remedy the situation

  4. What the customer can do to protect themselves

The costs of sending these notifications can run into the hundreds of thousands. Some states allow notices to go out electronically if the cost of sending them would exceed $250,000 or involve more than 500,000 targets. Small businesses may not reach this level, so they end up responsible for higher print costs.

Credit Card Monitoring and the Hacked Organization

The states of Massachusetts, Delaware, Connecticut, and California currently require businesses to offer free credit reporting and/or identity theft services after a data breach. Other states don’t yet require this service, but companies offer it approximately 60 percent of the time after a breach happens. As a result, customers often expect it as a condition of restoring goodwill.

The cost of these services can vary. In a survey by US government researchers, one service estimated that businesses pay an average of $4 to $15 per customer affected. Another quoted $10 to $30 per affected person. 

To put this into perspective, a company with 1,000 affected customers could pay $30,000 per year as long as customers receive monitoring services. Covering 5,000 affected customers would cost $150,000.

Keep in mind that this total only includes the direct cost paid to the identity protection service provider by the affected company. It doesn't include the revenue loss due to customer attrition or the loss of new business due to reputational damage.

From Data Breach to Closure

In 2014, code host and project management services group CodeSpaces.com hit the news when a hacker destroyed all of the company’s customer data as well as its internal backup. The company’s closure announcement cited the cost of dealing with the breach as the reason why the company was unable to continue operations.

MyBizHomepage also folded because it couldn’t afford to recover from an attack. This attack came from inside – from disgruntled IT executives who had recently been let go, to be specific. The company spent $1 million to try and fix its infrastructure and recover from the compromising of data, but it proved impossible.

These are only a few of the more well-known companies that folded after a security breach. Part of the reason why this can happen is that companies often have a hard time getting insurance compensation for their losses after a breach. If a policy doesn’t mention cybercrime, even well-documented expenses can be difficult to recoup.

An Ounce of Prevention  

Quick identification and mitigation of a breach can reduce the expenses associated, but prevention is much more cost-effective. Companies that can effectively prevent data breaches avoid not only the direct expenses associated with mitigation but also the indirect costs.

It’s impossible to predict how much business a company can lose due to a data breach. We know, for example, that the 2013 Yahoo breach led to an estimated value loss of at least $1 billion, but how many customers avoided signing up for an account because of the bad publicity?

At Alpine Security, we’re committed to helping small businesses avoid the devastating effects of a data breach. We offer a comprehensive Breach Prevention Audit (BPA), a proprietary tool that touches on all aspects of threat detection and recovery. We help you:

  • Identify and Protect your assets

  • Detect any vulnerabilities

  • Respond to threats and incidents more effectively

  • Recover efficiently and get you back to business faster

We make use of all data breach prevention best practices for management, operational, and technical controls. After the audit, we provide you with a complete report with risk assessment and recommendations.

Find out how we can protect your assets and even your business from attack. Contact us today and a representative will be in touch.