Cybersecurity’s Disproportionate Data Protection Burden on SMBs

Written by Chuck Rutenberg

December 6, 2018

There are many costs associated with cybersecurity. From anti-malware software subscriptions, professional security assessments, and cybersecurity insurance to the costs of dealing with actual attacks, protecting business data occupies an ever-increasing chunk of an organization’s operating budget.

Unfortunately, these costs have a disproportionate impact on small- and medium-sized businesses (SMBs). There are several reasons for this.

Breaking Down Cybersecurity Costs

First, there are costs related to prevention. Most of these costs are more or less proportional to the size of a business. For example, anti-malware software subscriptions are usually charged per computer protected, so a larger business with many computers will pay more than one with few computers. (The larger business, of course, may get a volume discount.) Likewise, assessing the security stance of a small business with a simple IT environment takes less of a consultant’s time than that of a larger organization, so this cost should be proportionally smaller as well.

Things get out of kilter, however, when it comes to items such as cybersecurity insurance. It seems counterintuitive, but a small business in many cases has a higher cybersecurity risk than a large one. Here’s why:

  • Although small businesses may not have as much valuable data to steal as a large company, it’s still valuable, and hackers will still try to get it.
  • Small businesses do not usually have IT security experts on staff (or any IT staff), and those who don’t outsource this function to a professional managed IT provider—those who try to save a few bucks by doing it themselves, or not at all—are more vulnerable than larger companies with in-house or outsourced IT security expertise. Hackers know this, and insurers know that the hackers know it.
  • Small businesses in the medical field, such as individual doctor’s offices, small group practices, and clinics, are of particular interest to hackers because medical information is especially valuable; as a result, these organizations are more likely to be frequent targets.

If that weren’t enough, medical organizations in the U.S. are subject to the extra burden of HIPAA regulations, which means that these small businesses need to budget for recordkeeping, reporting, and audits that the muffler shop next door doesn’t need to worry about.

Breach-Related Costs

The cost of prevention may be high, but it’s peanuts compared to the cost of being hit with a successful data breach, ransomware attack, website hack, or other cybercrime. Depending on the nature of the event, a business that suffers a hack may have to spend money for some or all of the following:

  • System restoration
  • Forensic analysis to determine and address the vulnerability that the hackers exploited
  • Identity theft monitoring for customers whose data was stolen
  • Increased cybersecurity insurance premiums
  • For ransomware, paying the ransom; this isn’t recommended, but it sometimes is the most expedient (or only) way to get back in business quickly

Throw in the loss of productivity, lost sales, and lost trust among your customers, and it all adds up to an extraordinary financial burden from which many small businesses never recover.

An Extra Burden for Medical SMBs: HIPAA Fines

Again, medical SMBs have an extra potential expense to be concerned with, even when there’s no hacking involved: HIPAA fines. Although HIPAA is a federal law, state attorneys general are empowered to charge organizations with HIPAA violations. The resulting fines can run into the hundreds of thousands of dollars. A large hospital network might be able to absorb this type of financial hit, but smaller organizations will definitely feel the pinch.

What’s Your Readiness Level?

It’s a sad fact that cybercrime will be an increasing problem for the foreseeable future, and as long as that happens, the costs of cybersecurity will also continue to increase. If you haven’t thought about the state of your firm’s IT security lately (or ever), the time to start is now—not after a breach or fine (or both) that you can ill afford. A good place to start is our free cybersecurity checklist. Download it today to gauge your readiness and where you need to focus your efforts. The threat of cybercrime is real and constant; your IT security should be too.
