Tangible Value Challenging to Demonstrate Ahead of a Breach
It is often hard to demonstrate to an owner or management team of an SMB (small-medium business) the tangible value of cybersecurity preventative measures ahead of a cybersecurity incident.
Inspiration for this article came from numerous actual SMB cyberattacks where Powersolution (an IT Managed Services Provider) was not involved with the companies … but learned of their cyber incidents and related costs after they occurred. These situations involved SMBs incurring hundreds of thousands of dollars in costs, including one medical practice that was forced to go out of business. (Over a period of years, Powersolution has gradually evolved from using traditional IT security methods to implementing advanced multi-layered IT protection techniques for its clients, as described later in this article.)
An Incident Can Be Expensive
Once an incident is suspected or detected, the steps in a company’s Incident Response Plan should be followed immediately, including:
- Call your appropriate manager and IT team (in-house and/or outsourced).
- Call your insurance and/or cyber-insurance broker to inform them that you need help from their Incident Response team.
Unfortunately, once IT resources, attorneys, and other high-priority personnel are actively engaged to address an incident — it is likely the bills will begin racking up. Expensive activities associated with a cyber breach typically include things such as:
- Communications (to authorities, customers, employees, and other 3rd-parties)
- Locking down the IT infrastructure
- Preventing further attack(s)
- Recovering critical systems and data
A 2023 IBM Cost of a Data Breach Report states that the average impact of a data breach for organizations of under 500 employees was $3.3 million, with an average cost of $164 per breached record.
A data record is an instance of a data type stored for an application. For example, a customer record would include data specific to each customer – such as name, address, and phone number. Categories of data records include employee, customer, financial, product/service, communication, and other records.
The total number of records held by a small business with 10-75 employees could range from a few thousand to several thousand records. Assuming 2,000 breached records, a small business might incur costs in the range of 2,000 records x $164 = $328,000.
Ways to Demonstrate Value and ROI
It is important, ahead of an SMB cyber incident, to demonstrate to owners and managers the value and return-on-investment (ROI) associated with shoring up the company’s digital defenses.
Cyberattacks are often thought to be associated with very large organizations, such as big corporations and government. In reality, hackers frequently target small businesses – SMBs also maintain valuable data and are often thought to have fewer cybersecurity protections than larger organizations.
According to a 2023 Netwrix Research report, 43% of data breaches involve small businesses. A recent Dell report shows that up to 80% of data breaches originate from common vulnerabilities, which are unrelated to business size.
Cybersecurity incidents can paralyze a small business, while compromising customer trust and incurring significant expenses to recover from a cyberattack.
Calculating the tangible value of cybersecurity protections for a small business involves assessing the potential cost savings and benefits that result from implementing and maintaining robust cybersecurity measures.
Cost Considerations
- Consider factors such as the cost of data recovery, business downtime, legal consequences, and reputational damage.
- Research industry benchmarks and case studies to get an idea of the potential financial losses associated with cyber threats in your sector.
- Evaluate the costs associated with regulatory compliance in your industry. Non-compliance can result in fines and legal consequences. Implementing cybersecurity measures can help in meeting compliance requirements and avoiding such costs.
Our calculations shown below are just examples, to provide a basis for representative cost estimates. They are not designed to be comprehensive of the many possible cost categories, frequency, number of impacted users, and cost rates that might be applicable to a particular SMB.
Many cybersecurity experts state, “It’s not a matter of IF, it is a matter of WHEN.” Over the mid- to long-term, it is likely that many, if not most, SMBs will experience a series of cyberattacks that will incur costs and negatively impact productivity. Some will be the victims of significant attacks that can result in major financial and other losses – potentially, to the level of putting an SMB out of business.
Example Cost Categories
- Downtime: Calculate the potential financial losses due to downtime and disrupted operations.
  - An administrative team of 10 people earning $25/hour with 3 days of disrupted operations represents 240 hours of downtime, or $6,000 of lost productivity on an annual basis.
- Revenue Loss: This can be the result of system downtime, missed business opportunities, delayed projects, and other cyber-related factors. Consider the long-term impact on your business’s reputation. Downtime can lead to negative reviews, social media backlash, and a loss of customer trust. While challenging to quantify, reputation damage can have lasting financial implications.
  - One day of lost revenue for a $1.5 million company represents approximately $6,000 per workday.
  - A 1% loss in business associated with reputational damage over a 3-year period for a $1.5 million company would be 3 x $15,000 = $45,000 in lost revenue.
- Recovery Costs: Consider the costs associated with recovering and restoring systems after downtime. This may include IT personnel overtime, third-party support costs, and expenses related to restoring backups or reinstalling software.
  - 40 hours of emergency/overtime IT costs at $250/hour = $10,000.
- Legal Fees: Legal fees associated with a significant cyberattack can be substantial. It is important for SMBs to work closely with legal counsel who specializes in cybersecurity to navigate the complex legal landscape associated with cyber incidents.
  - 80 hours of legal fees at $350/hour = $28,000.
When an SMB experiences a major cyberattack, the role of the SMB’s attorney is crucial in managing legal aspects and mitigating potential liabilities. Here are some tasks that may be performed by the SMB’s attorney:
➡️ Incident Response Coordination: Work closely with the internal incident response team to coordinate legal aspects of the response plan. Assist in managing communication with law enforcement agencies, if necessary.
➡️ Legal Compliance: Ensure that the company complies with legal obligations related to data breaches and cyberattacks, such as notifying affected parties, regulatory bodies, and other stakeholders as required by law.
➡️ Contractual and Insurance Review: Review relevant contracts, including cybersecurity insurance policies, to assess coverage and liabilities. Work on claims and liaise with the insurance company to facilitate the claims process.
➡️ Regulatory Compliance: Ensure compliance with industry-specific regulations (e.g., GDPR, HIPAA) and other relevant laws governing data protection and privacy.
➡️ Communication Strategy: Develop a communication strategy to manage external communications, including press releases and responses to media inquiries. Advise on the content of public statements to avoid legal implications.
➡️ Evidence Preservation: Assist in preserving digital evidence to support potential legal actions and investigations.
➡️ Legal Privilege and Confidentiality: Establish and maintain legal privilege over certain communications and documents to protect sensitive information from being disclosed in litigation.
➡️ Liaison with Law Enforcement: Serve as a liaison between the company and law enforcement agencies if a criminal investigation is underway.
➡️ Litigation Preparation: Assess the potential for legal action against the attackers or third parties, and prepare the necessary documentation for potential litigation.
➡️ Employee Training and Compliance: Work with the company to develop and implement training programs to enhance employee awareness of cybersecurity issues and compliance with legal obligations.
➡️ Government Relations: Engage with relevant government agencies and authorities to stay informed about the evolving legal landscape related to cybersecurity.
➡️ Post-Incident Review: Conduct a legal review of the incident response process to identify areas for improvement and to strengthen the organization’s resilience to future attacks.
What is the average IT budget for a small business?
- Industry research indicates small businesses spend about 2-7% of revenue on IT-related costs. For example, a business earning $1,000,000 in annual revenue can be expected to invest in the range of about $12,000 – $42,000 per year (or $1,000 – $3,500 per month) on information technology. Others, such as Statista (a leading global statistics provider), estimate that 12% of IT budgets, on average, are associated with cybersecurity. Generally, the range is considered to be 7% to 20%, depending on relative risk exposure, potential costs of a data breach, and budget.
The ChannelPro Network reports that SMBs are projected to increase their IT spending by 6% to 7% in 2024, based on industry consultant studies. By 2027, they anticipate that IT spending will increase at an 8% year-over-year rate. Cybersecurity is one of the main drivers of this expected growth in spending, along with artificial intelligence investments and other factors.
Advanced Protection Techniques – Supplement Traditional Methods
- With the proliferation of increasingly sophisticated hackers over the last few years, and their use of more advanced cyberattack techniques, it has become necessary for IT providers to implement more advanced protection techniques than traditional methods provide.
- These techniques include things like advanced email protection, next generation anti-virus, endpoint detection and response (EDR), managed extended detection and response (MXDR), and security information and event management (SIEM). Without going into the details of each of these solutions, key characteristics of these methods include traffic and network analytics, artificial intelligence (AI), and human-staffed network operations center (NOC) personnel. It should be expected that these methods will add another 10-25% to the IT budget – often easily justified when determining the tangible value of cybersecurity.
RETURN-ON-INVESTMENT:
Return-on-Investment (ROI) Percentage = Net Gain from Investment / Cost of Cybersecurity Protections x 100
For SMBs, what constitutes a good ROI depends on factors such as the industry norm, economic conditions, and the goals of the business. A positive ROI is generally considered a good thing, meaning that the return is greater than the initial investment. A further generalization would be that ROIs in the 10% to 50% range are commonly considered “good” to “excellent.” The example below, which is designed to be conservative, shows an ROI far better than this “good” to “excellent” range. Consequently, calculating an ROI using your own SMB metrics, even with further conservatism, is likely to result in a favorable ROI for your particular company.
Example, assuming a 10-year outlook:
- Annual Revenue: $1,500,000
- IT Annual Budget: $35,000
- Cybersecurity Annual Investment: $7,500
- Breach Cost: $150,000 (annualized average = $15,000)
Over the 10-year period:
- Annualized Cost Avoidance = $15,000
- Annualized Cybersecurity Investment = $7,500
- ROI = $15,000 / $7,500 x 100 = 200% (a NET return of 100% annually)
For every $1 invested, the company gains $200 in savings ($100 in NET savings).
The assumptions shown above, as an example, are designed to be conservative relative to the cybersecurity-related industry metrics that we have cited. Despite our goal to be conservative, the resulting ROI of 200% (100% NET) is impressive and compelling. SMB owners and managers should plug-in their own assumptions to calculate numbers that are most appropriate for their specific business.
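To make the cost categories and the ROI formula above easy to rerun with a company's own figures, here is a small spreadsheet-style model. It is an added example written for this page, not code from the article or from Powersolution. The default inputs are the article's own example figures (10 staff at $25/hour for 3 days, a $1.5 million company, 40 IT hours at $250, 80 legal hours at $350, a $150,000 breach over 10 years); the 8-hour workday and 250-workday year are assumptions, as is the optional per-record term that uses the $164 per breached record figure cited earlier. The ROI function returns both the gross figure the article reports (200%) and the net figure its formula literally yields (100%), so the two readings are side by side.

```python
"""Added example (not from the article): the article's cost categories and
ROI formula as functions an SMB can rerun with its own numbers."""
from dataclasses import dataclass

HOURS_PER_WORKDAY = 8      # assumption: a standard working day
WORKDAYS_PER_YEAR = 250    # assumption: gives $1.5M / 250 = $6,000 per workday, as in the article


@dataclass
class IncidentCostInputs:
    """Inputs for a single incident. Defaults are the article's example figures.
    breached_records / cost_per_record default to 0 so the per-record term is opt-in."""
    staff_count: int = 10
    staff_hourly_rate: float = 25.0
    downtime_days: float = 3.0
    annual_revenue: float = 1_500_000.0
    revenue_loss_days: float = 1.0
    reputation_loss_pct: float = 1.0      # percent of annual revenue lost per year
    reputation_loss_years: int = 3
    it_recovery_hours: float = 40.0
    it_hourly_rate: float = 250.0
    legal_hours: float = 80.0
    legal_hourly_rate: float = 350.0
    breached_records: int = 0             # constructed: set to 2000 for the article's record example
    cost_per_record: float = 0.0          # constructed: $164 per record in the cited IBM figure


def lost_productivity(c: IncidentCostInputs) -> float:
    """Downtime: staff idle for the disrupted days."""
    return c.staff_count * c.staff_hourly_rate * c.downtime_days * HOURS_PER_WORKDAY


def lost_revenue(c: IncidentCostInputs) -> float:
    """Revenue loss: daily revenue multiplied by days of lost sales."""
    return c.annual_revenue / WORKDAYS_PER_YEAR * c.revenue_loss_days


def reputation_loss(c: IncidentCostInputs) -> float:
    """Reputational damage: a percentage of revenue lost each year over several years."""
    return c.annual_revenue * c.reputation_loss_pct / 100 * c.reputation_loss_years


def recovery_cost(c: IncidentCostInputs) -> float:
    """Recovery: emergency / overtime IT hours."""
    return c.it_recovery_hours * c.it_hourly_rate


def legal_cost(c: IncidentCostInputs) -> float:
    """Legal fees: counsel hours at the quoted rate."""
    return c.legal_hours * c.legal_hourly_rate


def per_record_cost(c: IncidentCostInputs) -> float:
    """Optional per-record breach cost (notification, response, etc.)."""
    return c.breached_records * c.cost_per_record


def incident_cost_breakdown(c: IncidentCostInputs) -> dict[str, float]:
    """Every category for one incident, so the largest driver is visible."""
    return {
        "downtime": lost_productivity(c),
        "revenue_loss": lost_revenue(c),
        "reputation": reputation_loss(c),
        "recovery": recovery_cost(c),
        "legal": legal_cost(c),
        "records": per_record_cost(c),
    }


def total_incident_cost(c: IncidentCostInputs) -> float:
    return sum(incident_cost_breakdown(c).values())


def annualized_cost(total_cost: float, incidents_over_horizon: int, horizon_years: int) -> float:
    """Spread the expected incidents over the planning horizon (article: one $150k breach in 10 years)."""
    if horizon_years <= 0:
        raise ValueError("horizon must be at least one year")
    return total_cost * incidents_over_horizon / horizon_years


def roi_percent(annual_cost_avoidance: float, annual_investment: float) -> tuple[float, float]:
    """Returns (gross, net) ROI percentages.
    gross = avoided cost / investment x 100  (the article's 200% figure)
    net   = (avoided cost - investment) / investment x 100  (the article's formula, literally: 100%)"""
    if annual_investment <= 0:
        raise ValueError("investment must be positive")
    gross = annual_cost_avoidance / annual_investment * 100
    net = (annual_cost_avoidance - annual_investment) / annual_investment * 100
    return gross, net


if __name__ == "__main__":
    inputs = IncidentCostInputs()
    for name, value in incident_cost_breakdown(inputs).items():
        print(f"{name:>12}: ${value:,.0f}")
    print(f"{'total':>12}: ${total_incident_cost(inputs):,.0f}")
    avoided = annualized_cost(150_000.0, incidents_over_horizon=1, horizon_years=10)
    gross, net = roi_percent(avoided, 7_500.0)
    print(f"annualized cost avoidance ${avoided:,.0f}; ROI gross {gross:.0f}%, net {net:.0f}%")
```

With the defaults, the five categories from the Example Cost Categories section sum to $95,000 per incident, below the $150,000 breach cost used in the ROI example, so the ROI inputs are indeed on the conservative side of the page's own line items. Changing `incidents_over_horizon` is the quickest way to see how sensitive the result is to how often an incident is expected.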
A Cybersecurity Budget Has Become Necessary
If you’re not convinced, consider that your business won’t be the only victim of a cyberattack. Your employees, customers and strategic partners can be negatively impacted as well. It is important to strengthen your understanding of your cybersecurity posture, risk exposure, and the costs and benefits of appropriate cybersecurity protections.