A black and white image showing white hands holding a phone

How much does a data breach cost a small business?

October 27th, 2021 By Kaytieduffield

You may be aware of specific difficulties that a business could suffer after a data breach, but how much would an attack really cost? According to the latest report from IBM, while bigger companies face larger costs from data breaches, there is also an increase in costs associated with small businesses – “small businesses saw an increase from $2.35 million in 2020 to $2.98 million in 2021, a 26.8% increase.”

However, there are additional costs to consider, such as lost revenue or reputation. According to IBM, there are four process related activities that drive a range of expenditures associated with an organisation’s data breach:

  • Detection and escalation: costs associated with reasonably detecting a breach
    • Forensic and investigative activities
    • Assessment and auditing services
  • Notification: costs associated with notifying data subjects, regulators, and other third parties
    • Emails, letters, outbound calls, or general notice to data subjects
    • Determination of regulatory requirements and communication with regulators
  • Lost business: costs associated with loss of customers, business disruptions, and revenue lost
    • Business disruption and revenue losses from system downtime
    • Cost of lost customers and acquiring new customers
    • Loss of reputation
  • Post breach response: costs associated with helping victims of a breach
    • Legal expenditures
    • Regulatory fines

Out of these four categories, “lost business continued to represent the largest share of data breach costs for the seventh year in a row”, comprising 38% of the average total cost ($1.59 million). “The second most costly detection and escalation costs, which had an average total cost of $1.24 million, or 29% of the total cost.” To review all costs outlined by IBM, you can download the full report here.

Get your free quote for ISO 27001

Which industries are most vulnerable to a costly data breach?

While any business that holds data could be at risk of a data breach, certain industries are most vulnerable to attacks. According to IBM, “healthcare was the top industry in average total cost for the eleventh year in a row.” They outlined the top five industries with the highest average total costs:

  • Healthcare
  • Financial
  • Pharmaceuticals
  • Technology
  • Energy

It’s worth noting that while the industries above saw the highest average cost, several other sectors experienced large increases to their average total cost involved with a data breach. IBM identify these as:

  • Services (7.8% increase)
  • Communications (20.3% increase)
  • Consumer (42.9% increase)
  • Retail (62.7% increase)
  • Media (92.1% increase)
  • Hospitality (76.2% increase)
  • Public sector (78.7% increase)

What are the most significant threats facing businesses?

With hackers advancing their techniques, there are many more threats facing businesses today. Depending on the type of attack vector, or specific path/method exploited, you may encounter different costs to resolve the breach.

According to IBM, the most common initial attack vectors in 2021 are:

  • Compromised credentials (accounted for 20% of breaches)
  • Phishing (accounted for 17% of breaches)
  • Cloud misconfiguration (accounted for 15% of breaches)
  • Business email compromise (accounted for 5% of breaches)

Interestingly, while business email compromise was responsible for only 5% of breaches, this attack had the highest average total cost associated with it, at $5.01 million.

According to the report, the highest average total cost of data breaches by initial attack vectors in 2021 were:

  • Business email compromise ($5.01 million)
  • Phishing ($4.61 million)
  • Malicious insiders ($4.61 million)
  • Social engineering ($4.47 million)
  • Compromised credentials ($4.37 million)

“The top four initial attack vectors were the same in 2021 as compared to the 2020 study, but slightly re-ordered. Phishing moved up from fourth to second most common, and cloud misconfiguration fell from second to third most common.”

How can small businesses prevent cyber-attacks?

It is your responsibility as a business to protect your data and train your staff to understand their role in securing data and information. The best way to protect your business is to improve your current security systems and review what processes you have in place. One of the most straightforward ways of doing this would be through performing a gap analysis.

Businesses serious about committing to a cyber secure environment should incorporate an information security management system (ISMS). This decision helps your company manage security threats by giving you the necessary processes and controls to protect your data and information. Management systems are not new and have been used to solve a multitude of business problems. ISO/IEC 27001 is considered the gold standard for security frameworks and serves as the ultimate benchmark for businesses to establish, implement, operate, monitor, review, maintain, and continually improve their information management system.

If you’d like to discuss your business needs and find out if ISO/IEC 27001 would suit your company, our experts are here to answer all of your questions.

Get your free quote for ISO 27001

Contact Us

For a free Quotation or Remote presentation by an ISO Specialist, contact us today!

IMSM Ltd Head Office
The Gig House
Oxford Street
SN16 9AX

Tel: +44 1793 296704
ISO Consultants