A small business has suffered a cyber-attack. What could the resultant damage be?

In part one of our article on the risks businesses face today, we discussed how you can protect the reputation of your business against damaging social media interactions. In this article, we explore a risk that can damage your business to the core - cyber-crime.

Digital disruption has powered the rapid rise of innovative start-ups - making it easier for agile businesses like Uber or AirBnB to enter the market with relatively low capital and infrastructure needs. But, with the rise of digital technologies comes a real risk for businesses - cyber-crime, hacking, viruses and malicious code.

South Africans, for example, lose more than R2.2 billion to internet fraud and phishing attacks a year, and the country is ranked third on the Cyber Exposure Index.

What happens to a small business when they fall victim to a cyber-attack?

Discovery Insure CEO, Anton Ossip, says it is important that small businesses do everything in their power to protect themselves and their clients from potential cyber-attacks.

He says: "Small businesses will usually have a few computers they rely on for their daily operations. A cyber-attack to these computers will mean that the business cannot operate optimally until they can fix the affected computers. They could also lose essential data - including their clients' data - which could expose their clients to illegal activities."

"A cyber-attack on a small business will lead to interruptions in normal business operations," he continues. "This is likely to lead to loss of revenue or loss of profits, which may even cause the small business to fail."

The legal repercussions of a cyber-attack on your business

Human error by management or employees can lead to a cyber-attack like a hack, virus or malicious code affecting the computer system. However, cyber-attacks can happen even in the absence of human error.

Ossip explains that a cyber-attack can lead to system damage and to loss or theft of confidential and personal information stored on the computer system. This could be clients' information or information that belongs to the business.

If a cyber-attack happens, a third party whose data is compromised may sue your business, resulting in legal costs. The business may also be found liable to compensate the third party for any losses they incurred following the attack.

"For example," Ossip explains, "A computer system is hacked and as a result clients' credit card information is stolen. This leads to money being stolen from these clients. The business may be liable to compensate them for the financial loss they suffered."

How can SMEs safeguard themselves against cyber risks?

"SMEs are most vulnerable to cyber-attacks because they often do not or cannot invest in the appropriate security," Ossip says. "SMEs need to make sure they have sufficient cyber insurance cover according to their unique business needs."

Ossip says it is also important to have adequate cyber security to prevent a cyber-attack: "This is why we have partnered with an expert IT service provider, AVeS Cyber Security, to offer Discovery Business Insurance clients cyber protection packages at highly discounted rates to help our clients manage their cyber security and lower the associated risks."

Having cyber insurance gives SMEs the benefit of recovering quicker following an attack. "Small businesses need cyber insurance cover precisely because cyber-attacks can and do happen, even if the business has cyber security in place," concludes Ossip.

Don't let cybercrime end your business - make sure you and your clients are protected from these attacks.

2021 saw a marked upturn in the volume, creativity and audacity of hacks and mega breaches, with CNA Financial (1), Colonial Pipeline (2), Kaseya (3), Microsoft (4), JBS USA (5) and even the Houston Rockets (6) all hitting the headlines as victims of cybercrime. Although such attacks hurt big businesses and test customer trust, they’re not typically an extinction-level event. For small businesses, however, the likelihood of some type of cyber incident is just as high, if not higher, and their chances of making a full recovery considerably slimmer.

The top 5 business impacts of cyber security breaches

The impact of a breach is unique to each organization, depending on its timing and duration and the industry in which the organization operates. For example, a data breach may have more pronounced consequences in the financial sector than, say, in manufacturing. However, common impacts you should consider when evaluating your own security posture include:

Reputational damage

Loss of customer and stakeholder trust can be the most harmful impact of cybercrime, since the overwhelming majority of people would not do business with a company that had been breached, especially if it failed to protect its customers' data. This can translate directly into a loss of business, as well as devaluation of the brand you've worked so hard to build. Although on a case-by-case basis it’s difficult to quantify the erosion of reputation due to a data breach, according to one industry insider speaking with ITPro, “we see a 60% failure rate among SMBs after a company discloses a breach within 6-12 months, partly due to confidence issues and partly due to recovery challenges.” (7)

Theft

While a cyber-raid on a big-name bank may net the attacker a sizeable haul, smaller businesses' defenses are typically less sophisticated and easier to penetrate, making them a softer target. Cyber-enabled fraud leads to monetary losses, but stolen data can be worth far more to hackers, especially when sold on the Dark Web. A report by the Digital Shadows Photon Research team found that the average price for commercially traded logins on the Dark Web was a ‘modest’ $15.43; when it came to domain administrator accounts that give access to internal business networks (typically sold by auction because of their value to hackers), the price spiked to an average of $3,139 and, in select cases, reached an eye-popping price of $120,000. (8) Intellectual property theft may be equally damaging, with companies losing years of effort and R&D investment in trade secrets or copyrighted material – and their competitive advantage.

Financial losses

Cybercrime costs small businesses disproportionately more than big businesses when adjusted for organizational size. For a large corporation, the financial impact of a breach may run into the millions, but at their scale, the monetary implications are barely a blip on the radar. According to the latest data breach report by IBM and the Ponemon Institute, the average cost of a data breach in 2021 is $4.24M, a 10% rise from its average cost of $3.86M in 2019. Even more troubling is the report’s finding that the longer a breach remains undetected, the higher its financial impact. For example, data breaches that were identified and contained within 200 days had an average cost of $3.61 million. But breaches that took more than 200 days to identify and contain had an average cost of $4.87 million ― a difference of $1.26 million. (9)

Fines

As if direct financial losses weren't punishment enough, there is the prospect of monetary penalties for businesses that fail to comply with data protection legislation. In May 2018, the General Data Protection Regulation or GDPR went into effect in the EU. The enforcement powers associated with the law are significant. Fines for violations can reach up to 20 million Euros or 4% of a firm’s global annual revenue, per violation, whichever is larger. In 2020, European data agencies issued $193 million (€159 million) in fines for violations of the General Data Protection Regulation; the single highest penalty imposed was a $57 million fine French authorities issued to Google. (10)

While in the US there is no true counterpart to GDPR, three states — California, Colorado and Virginia ― have enacted comprehensive consumer data privacy laws. The three laws have several provisions in common, such as the right to access and delete personal information and to opt-out of the sale of personal information, among others. (11)

Below-the-surface costs

In addition to the economic costs of incident response, there are several intangible costs that can continue to blight a business long after the event itself. The impact of operational disruption tends to be woefully underestimated – especially among firms that have little in the way of formal business resilience and continuity strategies – and small organizations that already struggle to manage cash flow may face crippling rises in insurance premiums or see an increased cost to raise debt.

Cyber security and cyber incident recovery isn't an IT problem. Instead, it's a business imperative. Adopting a comprehensive security strategy today can help you avoid having to shut up shop if hackers strike tomorrow.

What are the effects of cyber attacks on businesses?

Reputational damage. Trust is an essential element of a customer relationship. Cyber attacks can damage your business' reputation and erode the trust your customers have for you. This, in turn, could potentially lead to: loss of customers.

What type of damage can be done through a cyber attack?

If successful, cyberattacks can damage enterprises. They can cause costly downtime, data loss or manipulation, and money loss through ransoms. Further, downtime can lead to major service interruptions and financial losses.

What are the consequences of a cyber attack?

Unlike the viruses of a few years ago that would shut down a system for a few hours, today's consequences of cyber attacks can include stolen data, destroyed networks, and thousands or even millions of dollars in recovery efforts.

How has small business response time to cyber attacks changed?

The time to respond to a cyberattack has increased or not improved. According to Figure 4, only 26 percent of respondents (16 percent + 10 percent) said their organizations have been able to decrease the time it takes to respond to a cyberattack.