The Catastrophic Effect of Cyber Incidents and ‘Black Swan’ Theory
Cybersecurity is one of the most glaring challenges faced by companies and governments today, and yet visibility and public awareness remain limited. It is evident that the Black Swan Theory prevails: businesses globally simply see the chances of an attack as highly improbable and treat their cybersecurity as an afterthought. To put this in plain figures, findings from an article in Hashed Out illustrate that two in five companies in the UK and America with 50 or fewer staff do not have any form of cybersecurity defences in place.
And so, it comes as no surprise that many small and medium-sized businesses (SMEs) do not have the funds put aside to deal with such attacks should they occur, nor the funds to pay the regulatory fines incurred when their customers’ data is leaked. Paul Lipman, CEO of BullGuard, explains:
“Small businesses are not immune to cyber-attacks and data breaches and are targeted specifically because they often fail to prioritize security. Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”
Data collected by Keeper Security and the Ponemon Institute illustrates that the number of SMEs that experienced data breaches increased to a staggering 63% in the last 12 months and, according to CNBC, the average cost of a cyberattack was more than $200k, putting as many as 60% out of business.
To evaluate the situation with clarity, we must also consider the changes brought on by coronavirus. The shift to remote working had to be undertaken quickly, forcing many companies into unknown territory, often without initiating appropriate cybersecurity measures. Cybercriminals are taking advantage of this and other insecurities to line their pockets. An article by Interpol describes the latest threats faced by businesses due to Covid-19 and how hackers are using public fear around the pandemic to maximise phishing and phone scamming opportunities. Cybercriminals are using creative, coronavirus-themed attacks, causing a major rise in disruptive malware and data breach incidents.
Behind the scenes, and further perpetuating the issue, the large number of unreported incidents reveals that many organisations go to some lengths to conceal attacks on their business for fear of reputational damage. In fact, figures in a report by IT governance watchdog ISAC for HCL Technologies suggest around half of organisations say their own cyberattacks are under-reported, even when reporting is required, and seventy-five percent say these incidents are intentionally suppressed. And is it any wonder when, according to the Small Business Reputation and The Cyber Risk report, a surprising 58% of consumers say they would be less likely to use a company’s services if an incident happened? Furthermore, 89% of the small businesses surveyed who had experienced a breach said it had impacted their reputation, with 31% having reported brand damage, 30% indicating a loss of clients and 29% struggling with the ability to win new clientele. And so it seems that, while behind closed doors businesses that experience a breach are concealing the truth of the matter, to the outsider it is simply a Black Swan event, a rare occurrence.
How to take charge of your business’ cybersecurity
A solution to the hidden truths of cybercrime and its proliferation within the SME business sector is transparency in the event of an attack. However, with the reputational damage illustrated in so many reports, it is clear to see why so many businesses are averse to publicly reporting cyber incidents.
It is vital that business leaders appreciate that reported cyber incidents are just the tip of the iceberg, that cybercrime incidents are much more likely to affect their operations than they may think, and that being ready to respond to what is now an inevitable incident must be a regular board meeting agenda item.
STORM Guidance has pioneered incident response for corporates and insured businesses with the ReSecure service and has recently launched its CyberCare service, offering an immediate, quality technical response to small businesses in the event of a breach; subscribing members have access to a range of services to help them recover fast, for a low monthly or annual subscription.