Is Proactive Cybersecurity Worth the Cost for Small and Midsized Businesses?

When it comes to cybersecurity, the most important choice business leaders face is determining which risks to address proactively, with assessments, workforce training, policy preparation, and insurance, versus which risks to address reactively, in the form of breach remediation.

Recently, our security business got a call from a mid-sized company that lost $150,000 to a classic business email compromise. The hacker sent a phishing message to an AP clerk, who then gave up his login credentials. The hacker accessed the clerk’s emails and his OneDrive account. Combing through the data, the hacker identified a legitimate vendor receiving monthly payments of $50,000, and then posed as the vendor requesting payment. The company didn’t realize what was happening until three months later.

Could the attack have been avoided? Easily. But, the company reasoned that cyber prevention was just too expensive and they were small enough to escape the attention of hackers.

IBM noted that the average cost of a breach rose from $4.24 million in 2021 to $4.35 million in 2022. But let’s be real. These averages are skewed high because they factor in hefty losses by large businesses. Small and medium businesses are not likely to suffer such losses.

So let’s run some numbers for small and medium businesses based on the experience of the company above. The company lost $150,000 to the hacker, which was unrecoverable. There were also additional reactive costs on top of the initial loss:

• $42,000 for post-breach forensics;
• $50,000 for a breach coach;
• and $120,000 for client notifications and credit monitoring.

That’s a total loss of $362,000.

And that does not include costs that are more difficult to quantify, such as sunk employee time remediating the breach, and reputation damage.

Using the information from this loss, which is typical of those seen by small and medium businesses, we can make a loose extrapolation of the expected monetary loss to cyber-attacks over the course of a year. Let’s multiply that $360,000 loss by the annualized rate of occurrence (ARO) for cyber-attacks, which the Hiscox Cyber Readiness Report put at 23 percent in 2021. That gives us an estimated annualized loss expectancy (ALE) of $82,800 for a small-medium business.

In order to calculate the appropriate amount to spend on proactive cyber-attack prevention, we have to compare the ALE to the annual cost of cyber readiness for a small-medium business. Year one costs are typically higher because companies new to cyber readiness have not been assessed, and haven’t closed cyber gaps, drafted policies, or tested their workforces for social engineering. So in year one, a small-medium business can expect to pay $20,000 to $60,000 for an initial assessment, which usually includes vulnerability scanning. Then add $7,500 to $12,500 for regular phishing tests, and an additional $10,000 to $25,000 for the formulation of an incidence response plan and related tabletop exercises. That’s a total year one cost of between $37,500 to $97,500.

Successive years are typically half the year one cost. Extrapolating out to five years from the start of a business, the aggregate ALE would be $414,000, while the range for proactive cyber readiness costs could be between $112,500 and $292,500. These loose calculations illustrate that it can potentially pay for a small or medium business to undertake proactive cyber readiness measures, if it is able to make prudent decisions that keep it on the lower end of that spectrum while still effectively covering risk.

You may believe that cyber insurance will cover all breach-related expenses. Network Assured found that 25 percent of all claims are either partially or fully denied due to exclusions in the policy. And those figures assume your small-medium business is insurable. Many aren’t because they can’t demonstrate a reasonable level of cyber readiness.

Given the uncertainty of proactive measures as well as their associated costs, small and medium businesses may be tempted to just incur reactive costs if and when a data breach does occur. But odds are, that’s a bad call. In the long-run, preparing for a cyber-attack is nearly always going to be less expensive than simply reacting to a breach.