Régis Desmeules

Costs of a Cybersecurity Incident in SME

Sponsored article
This article is sponsored by Cyberswat group: https://www.cyberswat.ca/.

Introduction to Cybersecurity Incidents

Small and medium-sized enterprises (SMEs) should no longer question whether or not they will one day be victims of a cybersecurity incident. Instead, they need to consider when such a high-impact incident will occur within the company.

The media regularly report that the average cost of a cybersecurity incident causing security breaches and data breaches is in the millions of dollars. The latest IBM study from 2023 mentions an average cost of approximately 7 million Canadian dollars.

These figures are global and relate to large enterprises, which means they do not convey much to SME leaders in terms of raising awareness about potential costs and financial impacts. In fact, the costs of certain incidents are so significant that some SMEs that fall victim to a major incident struggle to recover.

The intent of this article is to present the types of expenses associated with a cybersecurity incident, as well as a high-level estimate of the costs incurred by a major cybersecurity incident occurring in an SME. The estimates provided are based on averages observed in Quebec/Canada from real cybersecurity incident cases.

Cyber Threats in SMEs

There are several threats that can cause a cybersecurity incident in an SME. The most common ones mentioned in the news are:

  • software vulnerabilities associated with outdated or unpatched software; 
  • phishing attacks; 
  • ransomware attacks; 
  • poor password and access management strategies; 
  • intrusions into the IT systems; 
  • human errors due to lack of training and awareness; 
  • misconfigured systems; and
  • several others.

Types of Expenses Related to a Cybersecurity Incident

From the moment a cybersecurity incident is detected, crisis management is triggered, and the situation will incur several types of expenses, costs, and financial impacts.

Direct Costs

  • new urgent expenses incurred when the incident occurs;
  • costs related to internal and external IT specialists working overtime during evenings and weekends;
  • external cybersecurity specialists;
  • forensic investigators;
  • procurement of equipment, software, and licenses to replace or add missing controls during the emergency; and
  • administrative overtime costs associated with crisis management, which should not be overlooked.

Indirect Costs

  • productivity losses resulting from partial or total IT outages;
  • several dozen employees unable to work on their computers for days;
  • overwhelmed customer and internal support;
  • legal and communication costs to manage the crisis; and
  • employees often having to fall back to manual processing when feasible, leading to a collapse in productivity.

Hidden Costs

Other costs that are very difficult to assess can cause serious long-term damage. These are the consequences of disruptions and cessation of business activities:

  • interruptions in receiving and processing customer orders; 
  • manufacturing and/or delivery delays resulting in financial penalties if production lines are affected; 
  • brand devaluation of the SME; 
  • non-renewal of contracts; 
  • loss of customer trust; and
  • several others.

Case Study: Ransomware Attack

In order to illustrate the magnitude of the costs a cybersecurity incident can represent for an SME, let’s take the example of a ransomware attack. This type of attack accounts for up to 20% of the incidents reported in businesses.

What is Ransomware?

Ransomware is malicious software used for extortion by cybercriminals:

  • it encrypts the local files on the computer as well as all other files accessible via the network and in file repositories (SharePoint, OneDrive, file servers, backups, etc.);
  • once files are encrypted on one or several computer systems, the normal operation of various software, files, and processes is disrupted, causing partial to total paralysis of the IT environment;
  • in the end, this malware demands a ransom of tens to hundreds of thousands of dollars, payable in cryptocurrency within a relatively short timeframe, in order to obtain the key to recover all the files.

The ransomware can penetrate the IT environment of an SME in various ways. There are several “doors” that allow it to install itself and cause damage. Here are some examples, though not limited to these cases:

No 1 – An employee receives an apparently harmless email. They click on the link or download the attachment. The ransomware is too new for the antivirus software to detect, so it installs itself.
No 2 – An employee browses the Internet and inadvertently lands on a malicious website that detects an exploitable vulnerability in the employee’s web browser. The malicious site forces the installation of the ransomware without the employee’s knowledge. 
No 3 – The IT environment of the SME is connected to the Internet, but some exposed systems have technical vulnerabilities or misconfigurations. A botnet discovers these vulnerabilities, infiltrates the network of the SME, and installs the malicious software on several computer systems.
No 4 – An employee uses Facebook on their work computer and downloads a seemingly harmless file from a post received from a friend via Messenger. Unfortunately, the malicious software is hidden in the harmless-looking file and installs itself on the computer.

Impacts and Costs of a Ransomware Attack

On average, a crisis following a ransomware attack lasts between 5 and 30 days until full recovery. During this period, the IT environment of the SME may remain paralyzed until all potentially infected computer systems are reinstalled from the latest clean backups, free of the malicious software.

The following table illustrates ranges and orders of magnitude of costs generally applicable to the case of a small SME victim of a ransomware attack, and whose IT systems are crucial to its business activities and operations. Costs vary according to the severity and aggressiveness of the malware.

Costs/Expenses                                          Estimates
External IT experts                                     $5,000 to $30,000
Internal IT experts – overtime                          $5,000 to $20,000
Cybersecurity experts                                   $5,000 to $20,000
Forensic investigator                                   $5,000 to $15,000
Purchase of software/hardware/licenses in emergency     $10,000 to $100,000+
Crisis management – communications firm                 $5,000 to $10,000
Crisis management – legal firm                          $15,000 to $40,000
Crisis management – overtime                            $10,000 to $50,000
Forced employee leave (5+ days)                         Hidden costs
Customer support overwhelmed with calls                 Hidden costs
Disruption of order reception from customers            Hidden costs
Contract penalties – manufacturing/delivery delays      Hidden costs
Reputational damage                                     Hidden costs
Incident costs range                                    $60,000 to $285,000
Table 1 – Cost estimation of a cybersecurity incident

A wise reader will note that the ransom demanded by the cybercriminals is not included in the table. This is based on the assumption that the files will be recovered from clean backup copies unaltered by the malware, so no ransom is paid.

Despite not paying a ransom and excluding hidden costs, the total cost in this example can easily range from $60,000 to $285,000 for the SME. This is a significant amount of money for a small business.

Benefits of Cybersecurity for Countering Incidents

Incident costs can be devastating for a small SME that is highly dependent on IT for its business operations. To mitigate the risks of an incident occurring and, most importantly, to limit its costs, it is crucial to rely on cybersecurity.

Cybersecurity is the most powerful means to provide an SME with cyber resilience to remain operational despite the risks of outages due to cyberattacks. Cybersecurity also provides a shield to mitigate or even completely block cyberattacks and incidents that could lead to outages, disruptions, and service breakdowns. Finally, cybersecurity, through its solutions, services, policies, processes, and controls, helps to reduce financial losses and damage resulting from incidents.

Cybersecurity: Where to Start?

When it comes to cybersecurity, there are countless possibilities for improving your posture, but generally speaking, the cybersecurity budget in SMEs is very meagre, if not non-existent. At Groupe Cyberswat, we generally recommend five (5) strategies that SME customers who are less mature in cybersecurity should prioritize in order to put a minimum of cybersecurity in place:

  • If you are an SME with fewer than 50 employees, start by allocating a budget for cybersecurity. Request assistance to help evaluate an initial budget. Often, the initial budget is high due to the need to ramp up the posture from a very low maturity.
  • Engage a third-party cybersecurity firm to conduct a cybersecurity assessment or general diagnostic to identify high-level weaknesses and establish an initial cybersecurity plan or program for the SME. This is a practical, low-cost action to help you budget for cybersecurity for the first time.
  • Launch a cybersecurity awareness program for all your employees. This is often the most cost-effective investment in cybersecurity, as a large proportion of incidents in SMEs are caused by human error.
  • Implement a security policy, security guidelines, and an incident response plan.
  • Engage a third-party cybersecurity firm to conduct penetration tests on your most critical business assets, applications, and systems before vulnerabilities are discovered and exploited by malicious actors.

PlanetHoster’s Cyberdefense: a Solution Within Reach!

If your company has not yet subscribed to PlanetHoster’s Cyberdefense service, it would be beneficial to do so. This specialized cybersecurity service automatically detects and blocks malicious Distributed Denial of Service (DDoS) traffic targeting your business network. Such attacks create cybersecurity incidents for your company by saturating your Internet connection and causing downtime. This protection, offered exclusively to PlanetHoster customers, ensures the business continuity of your operations and Internet connectivity, helping to avoid interruptions that could lead to revenue loss. Contact your PlanetHoster representative to learn more about this solution.

Conclusion

The costs of a cybersecurity incident can be catastrophic for SMEs, ranging from $60,000 to $285,000, with lasting impacts on their operations. Investing in proactive cybersecurity is crucial to minimize the financial and operational risks associated with such incidents.

About the Author

Régis Desmeules is a serial entrepreneur in cybersecurity, a cybersecurity consultant since 1998, and partner at Groupe Cyberswat, a cybersecurity firm in Quebec/Canada.

For any questions or clarifications related to this article, please do not hesitate to contact him for more information or to receive a proposal for cybersecurity services.

Thank you for your feedback.

Contact point: Régis Desmeules
Email: rdesmeules@cyberswat.ca
Groupe Cyberswat: https://www.cyberswat.ca
LinkedIn: https://www.linkedin.com/in/regisdesmeules/

About Cyberswat

Cyberswat is a cybersecurity service provider able to help you protect your company’s and your customers’ data. When you do business with Cyberswat, you get a partner relationship. Cyberswat is there to support you in implementing security measures so you can concentrate on your business.
