BreachExchange mailing list archives

5 costly consequences of SMB cybercrime


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Apr 2015 18:27:24 -0600

http://www.cio.com/article/2908864/security0/5-costly-consequences-of-smb-cybercrime.html

Criminals looking to steal data or disrupt commerce don't only home in on
large corporations. Small and midsize businesses (SMBs), in fact, are just
as attractive a target.

In 2013, there were about 28 million SMBs in the U.S., two-thirds of which
contributed about $7.5 trillion to the U.S. economy. This makes them a
lucrative and vulnerable victim for cybercriminals simply because many of
them are not paying attention.

Crime committed through the Internet falls into two broad categories:
information theft and digital vandalism. Theft includes financial
information, product or strategic proprietary information, customer records
and transaction histories. Once stolen, this information is used to either
directly steal funds from the SMB or its customers, or is sold to other
criminals.

Phishing is a form of information theft that entices a user to reveal
sensitive information such as passwords or credit card numbers by
masquerading as a trusted entity. Digital vandalism includes denial of
service (DoS) attacks, viruses or other types of malware, often intended to
simply disrupt a business. All forms of cybercrime exact damaging costs.

Assessing costs to smaller enterprises

For a small business, customer information theft can paralyze operations or
put a company out of business. A single incident that damages a firm's
reputation or compromises the integrity of its electronic storefront could
result in unrecoverable losses.

The average direct cost to a small business for a single attack in 2013 was
almost $9,000, but that excludes brand damage and other soft costs. SMBs
incur nearly four times the per capita cybercrime costs of larger firms,
according to Ponemon.

To many SMBs, these costs can prove fatal. A 2012 National Cyber Security
Alliance study showed that 36 percent of cyber attacks are conducted against
SMBs. Of those, up to 60 percent go out of business within six months of an
attack. Yet 77 percent of SMB owners believe their companies are safe from
cyber security breaches.

Cybercrime is an unfortunate side effect of the information age. Where
physical goods or cash once contained all the value targeted by thieves,
today information holds even greater value. Businesses must be diligent to
protect against electronic theft. SMBs must assess their potential exposure
to cybercrime and take actions to prevent and blunt attacks.

Although the precise costs of an attack differ based on an SMB's size and
circumstances surrounding that attack, the following sections describe the
types of costs that could be incurred by an SMB in the wake of such an
unhappy event.

1. Business lost during attack

A security breach often means shutting down the SMB's electronic operations
for some period of time. An online retailer subjected to a DoS attack could
be shut down for several days or weeks while determining the attack's
origin and taking corrective action.

A customer data breach in which credit card information was stolen would
likely cause a similar lock-down. Corrective action often depends on a
service provider's responsiveness, a frustrating, time-consuming and costly
affair. Costs are likely to result in total revenue losses for at least
several days.

2. Loss of company assets

Bank account numbers and passwords stolen during a breach can cause theft
of account funds. SMB owners may wrongly assume that banks will cover the
loss, as do consumer credit card companies. In fact, an SMB will lose any
stolen funds, which could cause a business to lose its working capital.

Proprietary information, such as product designs, customer records, company
strategies or employee information, is often compromised or stolen
outright. All of these assets have incalculable value to a business, and
thus can inflict crippling losses.

3. Damage to reputation

Another cost that's difficult to quantify is reputation damage after an
attack. The much-publicized Target breach that compromised 100 million
customer records cost that firm roughly $148 million in direct cash costs,
after insurance payments. Yet the damage to Target's reputation will linger
for a long time, making people hesitant to share personal information, use
their credit cards or shop at the store. Forrester Research estimated that
Target's total costs would exceed $1 billion.

This scenario could be worse for an SMB. For example, consider a resort
operator that relies heavily on its website to attract new customers, book
reservations and maintain its brand. If that site is hacked and infected
with malicious links, it will be quarantined (placed in a "sin bin") for a
fairly long period by search engines, making it harder for customers to
find the website.

Even after the operator resolves the hack, it could take months for the
resort's virtual reputation to be restored. And that's on top of losses in
revenue and good will from customers affected during the attack.

4. Litigation

SMBs aren't likely to be sued if their customers' information is stolen
unless they failed to implement reasonable protection measures. In the
Target case, for example, consumers, and the banks that held their credit
cards, filed class action lawsuits.

In the latter case, a US judge ruled that Target played a "key role" in
allowing hackers to gain access to its data center, which enabled the banks
to continue their lawsuits. Certainly, Target is not an SMB, but a small
business needs to recognize the need to protect its customers' information.
Taking reasonable measures ("exercising due diligence" in legal terms)
should offer protection against future litigation in the unfortunate event
of a data breach.

5. Protection costs: staff, firewalls, encryption and software

The most important cost of cybercrime should also be the first outlay:
prevention. Businesses of any size need to implement a strategy to protect
against the reality of cybercrime. For the smallest of SMBs—a one-person
proprietorship—that could be as simple as using robust password protection
on all systems and utilizing low-cost protection software, perhaps as
little as $50/year.

For larger businesses, costs scale with size. Use of security information
and event management solutions (SIEMs), intrusion prevention systems
(IPSs), network intelligence systems and data analytics can greatly reduce
cyberattack costs, some report by as much as a factor of six.

Expert advice: Do something

The biggest risk facing an SMB manager is inaction. Ignoring cybercrime
does not make it go away and places the business in jeopardy. Protective
actions against cybercrime are now more important than the locks on a
store's front door.

Failure to put an electronic protection plan in place appropriate to the
SMB's size and business model is equivalent to leaving the front door wide
open with a pile of cash in plain sight. Don’t let that cash get away: put
it under lock and key.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 