Just how frequently are cyberattacks happening? According to a new Osterman Research study, U.S.-based organizations experienced an average of 1.8 very serious security events in 2017, more than twice the global average (0.8 percent). These are events that disrupted normal operations or completely shut down an organization’s IT infrastructure for at least one day.
Just 27 percent of companies reported no data breaches in the past 12 months – that they were aware of. Although phishing emails (44 percent) were the most common form of attack, organizations were also victimized by adware/spyware (41 percent), ransomware (26 percent), and spear phishing (20 percent). Insider breaches, both accidental (17 percent) and intentional (9 percent), continue to be a serious problem.
Midsize companies face the greatest security challenges in terms of both attack frequency and security costs. For example, midsize companies were targeted with slightly more phishing attacks than larger companies and significantly more than small businesses in 2017. Overall, midsize and large companies dealt with about the same number of attacks on average – 0.9 and 1.0, respectively. However, midsize companies can’t take advantage of the economies of scale that large enterprises can to distribute security costs across a much higher number of employees.
Not only is the cost of security more prohibitive, but the cost of a breach is going through the roof. A study from Kaspersky Lab found that the average cost of a data breach for small to midsize businesses (SMBs) spiked 36 percent over the past two years, compared to a 24 percent increase for enterprises. One data breach incident costs SMBs $120,000 on average with another $149,000 for recovery.
Recovery costs include technology improvements, employee training, additional labor and external consulting, penalties for compliance violations, higher insurance premiums, a lower credit rating and, of course, lost business. Damage to an organization’s reputation, while difficult to precisely quantify, makes it more difficult to find new customers and secure funding from investors.
The takeaway here is clear. Although preventing a data breach is not cheap, it’s certainly less expensive than recovering from one. This explains in large part why SMB cybersecurity budgets have increased 6 percent, according to Kaspersky Lab data. However, throwing money at the problem isn’t enough. Cybersecurity must be a board-level issue. IT leaders who understand the threat landscape, available security solutions, and how to effectively modernize IT infrastructure with security in mind need to be part of the decision-making process.
SSD recommends answering a number of questions related to governing policies, compliance, network security and security testing to determine how prepared your organization is to prevent an attack.For example:
- Do you have policies for network security, employee separation and device security?
- Are they supported by executive management?
- Can you verify that compliance requirements are being met?
- Are you using firewalls, content filtering and monitoring solutions to secure the network?
- Are your passwords strong?
- Do you have an incident response plan that has been tested within the past 12 months?
Cybersecurity can be a lot less painful for midsize organizations if the focus is more on planning and breach prevention than responding to breach and hoping for the best. Let us help you assess the state of your security strategy and infrastructure and develop a plan to strengthen your defenses.