Cost/Breach vs Cost/Audit

Which costs more?

As a small to midsize business (SMB) owner in today's economy, having a website and being connected to the Internet is essential. But a quick look through recent headlines is enough to scare most sane people out of taking the risk. There are ways to mitigate these risks, but most SMBs decide that a security audit is an added expense that is not worth paying for. While this is a very common belief, it is, unfortunately, a decision usually made without evaluating some critical information.

The Truth

Website and network security is not a perfect world. This is an unfortunate truth that few security professionals will admit. Every day, another ne'er-do-well finds a new vulnerability to exploit, or a new angle to trick people into giving up their precious passwords. It is a constant, never-ending game of whack-a-mole. Security will never be "set it and forget it"; it must be constantly monitored, updated, and verified. That last step, verification, is the most important and the one most often skipped: ensuring that all the correct security controls are in place and configured correctly. This is the goal of a security audit.

How does it affect you?

Most small to medium businesses are on a tight budget and either assume that what they have is good enough and doesn't need to be tested, or they know better but don't want to spend money on an audit when they could be putting that money into their business. Another common thought is "There's no reason hackers would target me." However, data from Symantec's Internet Security Threat Report 2017 shows that attackers are just as likely to target SMBs, and the cost of recovering after a breach can be far more damaging than many owners realize.

Lloyd's of London recently released a report stating that large-scale cyber attacks like WannaCry and Petya could cause as much financial damage as major natural disasters such as hurricanes.

But how does this affect the small business owner? In a 2016 study on The State of Cybersecurity in SMBs by the Ponemon Institute, companies spent an average of $879,582 because of damage to or loss of IT assets. This doesn't include lost work time or lost customers. The actual costs to your business will vary, but consider the following scenarios:

- If you found all the computers you need to run your business encrypted by ransomware, could you restore them from backups, or would you have to pay the ransom? Have you ever actually tested a restore? How long would it take? In that time, how much business would you lose? How much of your normal work would not get done while you worked on restoring your systems? What if you paid the ransom and the key doesn't work?

- If hackers breached the business network holding your clients' information and then started selling their personal information (email addresses, phone numbers, postal addresses, etc.) on the Internet's black markets, how would your clients, patients, or customers react? Would they continue to do business with you?

- If your website were silently breached (not defaced or changed in any visible way) and started installing banking malware on the computers of people who visit it, what would your clients' reaction be?

- If you are a healthcare provider or handle healthcare information, would you be able to pay the fines levied by the US Department of Health and Human Services (HHS) if they audited you and found problems? (Read more about HIPAA here.)

Consider:

There is a 2011 statistic that has been thrown around recently claiming that "60% of SMBs go out of business within 6 months of a cyber attack." Its supposed source, the National Cyber Security Alliance (NCSA), has recently stated that it is not the origin of that figure. Even so, consider the average cost per breach and the scenarios above. Would your SMB survive? Most SMBs could have a quality audit performed for $5,000 to $10,000. That does sound like a great deal of money, but weighed against the possible cost of a breach, can you afford to take the risk?