The Truth About Small Business and Cybersecurity?

Recently, CNBC published an article with a headline claiming “Cyberattacks now cost small companies $200,000 on average, putting many out of business.”

It sounds shocking, but it’s not accurate.

First of all, cyber attacks do NOT cost small companies $200,000 on average. That’s a misinterpretation of the data referenced in the CNBC article—but we’ll get to that later.

The bigger problem is the article’s use of a dubious statistic to justify its claim that many small companies are being put out of business by cyber attacks. The statistic always goes something like: 60 percent of small businesses fail within six months of a cyber attack.

To illustrate:

Fake news (clockwise from top): Inc., Denver Post, CNBC

The figure has taken on a life of its own, bouncing from one website to another without anyone bothering to check where it came from. For example, this USA Today article refers to this UPS Capital cyber insurance advertisement, which sources it from this Champlain College infographic, which credits this 2013 PC World article, which links to the front page of the National Cyber Security Alliance, which has repudiated the statistic.

To make matters worse, the unsubstantiated statistic has also shown up in statements before Congress and was once used in a statement by the commissioner of the U.S. Securities and Exchange Commission (SEC).

So, what is a small business anyway?

Whenever we encounter this statistic, we never know the baseline for how a small business is being measured. Small businesses are often defined as those with up to 99 employees, but it’s not uncommon for definitions to reach up to 500.

The U.S. Small Business Administration (SBA) defines a small business as having fewer than 500 employees. Meanwhile, the U.S. Census Bureau defines a small enterprise as 20-99 employees. So not only do different government agencies define small business differently, they don’t even agree on the vocabulary used to describe them.

All of this to say, the 60% statistic is meaningless without knowing how a small business is defined.

Small businesses close for various reasons

Even if it were true that 60% of small businesses fold within six months of a cyber attack, there’s still no evidence to prove that these businesses failed because of the cyber attack. Small businesses face an array of challenges and a lot can happen in six months.

Furthermore, the statistic does not control for the overall failure rate of small businesses, which includes countless companies that close for reasons other than cyber attacks. In fact, according to the U.S. Small Business Administration, approximately 20% of all new businesses do not survive their first year, and about half don’t make it past their fifth.

How to turn $9,000 into $200,000

The CNBC article referenced above used a $200,000 statistic from a survey by insurance provider Hiscox to bolster and elevate the debunked 60% small business failure rate. The reader is supposed to come away thinking “well yeah, obviously a lot of small businesses are going to fail within 6 months of a $200,000 cyber attack—makes perfect sense.” Unfortunately, the statistic has been misinterpreted.

To clarify, $200,000 is the average cost of a cyber attack for all respondents in the Hiscox survey:

  • Only 39% of respondents are classified as small businesses (which Hiscox defines as 1-49 employees).
  • The sample includes numerous companies with thousands of employees.
  • The report specifies that the $200,000 average was “strongly influenced” by the biggest single incident reported.

In fact, the Hiscox report states explicitly that “the comparable figure for small firms is $9,000, up from $3,000 in 2018.”

Perhaps “Cyber attacks now cost small firms $9,000 on average—impact unknown” isn’t a sufficiently compelling headline. Although, “Costs of Small Business Cyber Attacks Triple in One Year” is intriguing.

Back up your data to protect against cyber attacks

If you are a small business owner worried about cyber attacks wrecking your company, the first thing you should do is ensure a proper data backup plan is in place. The biggest cyber threat to your business is losing all of your precious data due to a natural disaster, system failure, or cyber attack such as ransomware.

Remarkably, a recent GetApp survey found that only 69% of respondents report that their company uses a data backup system. That means nearly a third of businesses could be risking it all by failing to back up their most valuable resource.

Whatever you do, be sure to make decisions about cyber security based on reliable information. That means checking the source and methodology for any alarming cybersecurity statistics you see on the internet.

Zach Capers is a Senior Content Analyst at GetApp (a Gartner Company) where he covers IT management and security. Formerly an investigator at Sprint and a writer for the Association of Certified Fraud Examiners (ACFE), he’s spent his career thinking about data security issues. His work has also appeared in Ladders, Dataconomy, STORES Magazine, and the Journal of Accountancy.

Cyber security stock photo by Titima Ongkantong/Shutterstock