The Cost of a Breach

Cybercrime is big business, and it’s paying well. Even when they aren’t demanding ransom to restore stolen data, criminals can sell it on the dark web or use social engineering tactics like BEC scams to trick companies into sending them money. Recent research by Acronis suggests that in 2023, the average cost of a data breach will reach $5 million. The study found that more than 22% of companies that experienced malware attacks in 2022 were in the U.S., making U.S. companies the leading targets of malware worldwide. 


Are SMBs at risk? 

Although some leaders in small to medium-sized businesses (SMBs) may think their companies aren’t big enough for cybercriminals to worry about, nothing could be further from the truth. Smaller businesses are highly attractive targets because they don’t have the vast resources that large enterprises do for internal IT departments and sophisticated security solutions. Research by Coro found that attacks against SMBs increased 150% between 2020 and 2022, so they now face attacks about as often as large enterprises.


What do data breaches cost small businesses? 

While small businesses aren’t likely to suffer the multimillion-dollar losses that large enterprises often do, a data breach can do more harm to a small business than to a larger one. Because they tend to be less prepared, it often takes small businesses longer to recover after a breach, which means they lose more as a result of downtime. Many don’t recover at all; frequently cited research shows that 60% of small companies go out of business within six months of an attack.

The costs to small businesses can add up in unexpected ways. Even if you never pay a ransom for your data, recovery involves multiple steps. The U.S. Federal Trade Commission (FTC) recommends the following measures after a data breach:


Securing Operations 

After a breach, businesses must move quickly to secure systems and remedy vulnerabilities that may have enabled a successful attack. This includes locking physical areas that may have been involved, mobilizing teams to prevent further data loss, and promptly removing any data that was improperly posted on your company’s website or elsewhere. You should immediately take all affected equipment offline, but leave devices turned on until forensic experts have an opportunity to examine them. 

Depending on your operation and the nature of the breach, you may need an incident response team that includes a variety of experts.

  • All U.S. states have notification laws that businesses must follow after a leak of personally identifiable information, especially if the leak involves health records. Consult with an attorney who is familiar with these requirements to ensure you’re following them. Failure to do so may result in substantial fines and leave your company vulnerable to lawsuits. 
  • Forensics experts may be needed to determine how the breach originated and identify all the systems and data that were affected. 
  • IT experts may be needed to locate and remove improperly posted data. 
  • If employee data was leaked, you may need to consult human resources experts. 
  • It’s critical to have a communication plan to clearly share information with all stakeholders. This should include any information that could help victims of the leak protect themselves. You may need to work with a communications expert to ensure your communications are clear, complete, and reaching the correct audiences.

Remedying Vulnerabilities 

Once your systems are secure and you’ve taken steps to gather and preserve evidence, it’s time to fix the problems that may have allowed the breach in the first place. For example, if you know an employee fell victim to a phishing attack, you’ll want to make your staff aware of how to recognize these scams and avoid falling for them in the future. Create a strong security culture by adopting and training your employees in best practices like using strong passwords, properly using two-factor or multifactor authentication, and using only secure internet connections to access company systems. 

The FTC recommends the following steps when assessing vulnerabilities: 

  • Review who has access to which of your systems and why. Eliminate any access that isn’t needed. 
  • If service providers were involved in the breach, ensure they are also addressing vulnerabilities in their systems. 
  • Review the effectiveness of network segmentation in limiting the extent of the breach. 
  • Review the use of and need for encryption of sensitive data. 
  • When you receive forensics reports, take the recommended remedial actions as soon as possible. 


Be prepared with an incident response plan

Even the best prevention plans can fail. An incident response plan is critical to limiting your losses in the event of a breach. It ensures your team is ready to leap into action, taking immediate steps to secure operations and minimize damage to your organization. Pendello specializes in providing managed IT services to SMBs, including cyber threat management. For more tips on protecting your business, browse our blog.