Cyber risk is one of the, if not the, most critical risk factors confronting companies in today’s world of interconnected digital communication systems. Unfortunately, the frequency and magnitude of cyber breaches are increasing at an alarming rate. As a result, large companies (e.g., publicly traded corporations) are spending millions of dollars annually on cybersecurity-related activities designed to prevent potential cyber breaches and to identify any actual breaches.
These activities include data encryption, purchasing sophisticated cybersecurity software and hardware, and hiring cybersecurity experts. In addition, a major cyber breach in a large company usually results in costly recovery activities that include hiring cybersecurity consultants and lawyers, as well as a significant investment in an upgrade to the firm’s activities intended to prevent future breaches. Large companies are also spending large sums of money on cyber insurance.
"It’s important to dispel the myth that small enterprises do not attract cyber-criminals with the pay-offs their large counterparts might offer." (Lawrence A. Gordon)
Publicly traded corporations usually experience negative short-run stock market declines after a major cyber breach becomes public knowledge. Accordingly, once an actual breach becomes public knowledge, it is common for publicly traded firms to engage in an expensive marketing campaign that is geared toward offsetting the negative reputation effects of the breach and to the recovery of the firm’s stock price.
As indicated above, the total cost of a major cyber breach can be quite substantial to a large company. Nevertheless, large companies can, and almost always do, survive a major cyber breach. In fact, large firms not only survive a major cyber breach, but they also become savvier about preventing future cyber breaches.
However, large firms make up only a tiny percentage of the world’s total businesses. For example, according to the U.S. Chamber of Commerce, there are over 33 million small businesses in the U.S., and they account for over 99% of U.S. businesses. Furthermore, these businesses account for over 40% of the U.S. GDP (gross domestic product).
Why Small Is Big When It Comes to Cyber-Risks?
Although the percentages vary, small businesses account for a large percentage of the economy for nearly every country. This point is especially true in countries considered to have a developing economy, where small businesses play a critical role in the country’s economic development. As noted by the SME Chamber of India, “Micro, Small and Medium Enterprises (MSME) are the backbone of the socio-economic development of our country.”
Most small businesses have fewer than 50 employees. In many countries (e.g., India) small businesses are dominated by micro-businesses that usually have fewer than 10 employees. Unlike large companies that spend millions of dollars a year on cybersecurity, it is well known that small businesses have very limited financial resources to spend on cybersecurity. This resource constraint also means that most small companies could not financially survive the costs of a major cyber breach. In fact, a major cyber breach in a small company could easily result in a financial disaster (i.e., financial bankruptcy).
Being Small Does Not Mean You Are Hacker-Proof
The concern that a small company might experience a financial disaster due to a major cyber breach tends to be minimized, or even ignored, by many small companies. This situation seems to stem from the myth that cybercriminals spend all their time attacking large organizations, where the payoff derived from a successful cyber-attack is substantially more than from a successful cyber-attack on a small business. Thus, many small companies assume they are not on the radar screen of cybercriminals.
This assumption is flat-out wrong! More to the point, cybercriminals consider the expected payoff relative to the effort expended from their nefarious cyber hacking activities. In other words, cybercriminals consider the cost-benefit aspects of cyber-attacks. As a result, cybercriminals often prefer to direct their cyber-attacks on small, rather than large, companies.
The cost-benefit perspective (i.e., an economic perspective) considered by cybercriminals in choosing where to direct their cyber-attacks can be explained by the following hypothetical scenario. Assume a cybercriminal plans on spending 100 hours of her/his time attacking a large company and that our cybercriminal estimates the probability of a successful cyber-attack on the large company to be 2%.
Let’s also assume that our cybercriminal estimates that the amount obtained from a successful attack on the large firm would be $1,000,000. Since the expected payoff (i.e., benefit) from a cyber-attack is derived by multiplying the probability of a successful attack by the amount (i.e., value) the attack could yield, in this scenario the expected payoff would be $20,000 (i.e., 2% × $1,000,000) or $200 per hour of work (i.e., $20,000 / 100 hours).
Now let us assume that our cybercriminal also has the option of devoting the same 100 hours of work to attacking five small businesses (i.e., spending roughly 20 hours per small business). Since our cybercriminal realizes that small businesses don’t have the same level of resources to devote to cybersecurity-related activities as do large firms, our cybercriminal estimates the probability of a successful cyber-attack on each of the small businesses to be 10%.
In other words, our cybercriminal estimates the probability of a successful cyber-attack on an individual small business to be much higher than it would be for a successful attack on a large firm, and the time involved in conducting such an attack is estimated to be much less.
Let us also assume that our cybercriminal estimates that the amount obtained from a successful attack would be $100,000 from each of the five small businesses. Given the above assumptions, the expected payoff from the cyber hacking effort directed at the five small businesses would be $50,000 (i.e., 10% × $100,000 × 5) or $500 per hour of work (i.e., $50,000 / 100 hours). The $50,000 is essentially the opportunity cost incurred by our cybercriminal by spending 100 hours attacking the large firm in the above scenario.
In the above scenario, our cybercriminal would be better off spending her/his 100 hours attacking the five small companies! Of course, there will be other situations where the expected payoff is greater for our cybercriminal by attacking a large firm. The latter point notwithstanding, it is imperative for small businesses to recognize that they too can be, and often will be, an attractive target for a future cyber-attack.
Everyone’s On This Radar
Although the above discussion focuses on private sector companies, it would also apply to small government municipalities and enterprises. For example, in many countries (e.g., India, U.K., U.S.), there are thousands of incorporated small municipalities (e.g., cities, towns, villages). Unlike large national government agencies or departments that spend millions of dollars annually on cybersecurity, most small municipalities have limited resources to spend on cybersecurity.
However, like small businesses, there is a tendency for small municipalities to assume they will not be a primary target for cybercriminals. This too is a myth! For the same reason that small private sector companies are often attractive targets for cybercriminals (i.e., the cost-benefit aspects of cyber-attacks), small government municipalities can be, and often will be, an attractive target for cybercriminals.
Once it is recognized that it is a myth to assume that cybercriminals only attack large organizations, the next step is for small organizations (i.e., small companies, municipalities and government-owned enterprises) to figure out a way to secure their computer-based information systems at a cost that is within their financial constraints. In some countries, government programs exist that provide free services that will assist these organizations in this endeavor.
Where they exist, these organizations should take advantage of the programs. Where such programs do not exist, it is incumbent upon these smaller organizations to find alternative means for securing their cyberspace.
By Prof. Lawrence A. Gordon. The author is the EY Alumni Professor of Managerial Accounting and Information Assurance at the University of Maryland’s Robert H. Smith School of Business, USA; Affiliate Professor in the UMD Institute for Advanced Computer Studies; and co-author of the Gordon-Loeb Model for cybersecurity investments.