MANAGING OPERATIONS

The cost of a data protection plan for your growing business

When was the last time you thought about the effectiveness of your company's data protection program and its ability to fend off a cyber attack? Like most business owners, especially those experiencing rapid or sustained growth, worrying about the impact of a cyber attack that may never happen is usually not at the top of your priority list; fires need to be put out left and right. Success can often depend on the executive team's ability to ignore outside distractions and focus on the day-to-day challenges of running a competitive business.

Nonetheless, attacks against small and midsized businesses (SMBs) happen far more frequently than most people realize. And when they do happen, they often come with six- and sometimes seven-figure price tags. To underscore that point, according to the 2018 Cost of a Data Breach Study sponsored by IBM Security and conducted by Ponemon Institute, the average total cost of a data breach is $3.86 million. The impact of a cyber attack can be terminal. Despite their best efforts, many small companies struggle in the aftermath, with some forced to close their doors permanently. Consequently, while cyber attacks against big companies receive more coverage, the net effect of an attack against a small business is often far more damaging.

The benefits of a proactive approach

Some SMBs possess the financial wherewithal to recover from an attack. Instead of scrambling to repair the damage, however, small-business owners should set aside a portion of their budget to improve their ability to prevent and withstand a cybersecurity breach.

Adopting a proactive stance to data protection helps your company avoid the expense and inevitable disruption accompanying an attack. Furthermore, in an era when consumer expectations regarding data protection and privacy continue to grow in importance, the investment in a security program may also create a competitive advantage. Yet countless reports and articles highlight how little small businesses know about the threats they face. In fact, a recent global survey by Vodafone reported that 60 percent of small companies feel poorly informed about security.

To see where your organization stands, start with recording all of the security measures that your company has in place, such as a system for detecting unauthorized access to customer data. If you lack the time and expertise to lead the effort, bring in a suitably qualified third party to conduct an assessment of your current defenses. Shining a light on the inner workings of your security program may feel uncomfortable at first, but it's a critical move toward a more secure future. Furthermore, by taking the steps that other small businesses are unable or unwilling to take, which include embedding security into every product and service offered, your company will set itself apart from its competitors.

Justifying the investment

Acknowledging the threat of an attack and the benefits that come with a robust defense is the first step in the process of improving defenses from a cyber attack, and taking a deep inventory of current security protocols is a second one. The third — and most important one — is the hardest. Taking action.

Despite ample evidence of the hazards facing SMBs, and the importance customers place on securing their data, committing precious investment capital requires a compelling business case. That's where many businesses struggle. In practice, SMBs face a Catch-22 situation. It's hard to envision the cost associated with a potential attack. Yet without a detailed understanding of the expenses a business avoids by preparing for one, it's difficult to justify the investment.

To break the cycle, assign values to the outcomes associated with a cyber attack. For example, calculate how much revenue your company might lose if it had to cease operations for a week, which is not as unusual as you might imagine — especially if criminals perpetrate a ransomware attack that kidnaps data by encrypting it, forcing companies to pay to secure the decryption key to unlock it.

Along with lost revenue, identify the additional costs your business might assume due to an attack. If you're unsure how to calculate these, the IBM and Ponemon study lists the cost per record compromised at $148. As we've learned, for companies with extensive customer data stored on their servers, the price of a breach often runs to several million dollars.

When it comes to paying for a cybersecurity program, your company may decide to borrow the capital it needs to fund the investment. Search for a partner that understands the true threats that a cyber attack can wage on your business. When applying for the loan, remember the ever-growing expectations from customers regarding how companies gather, store and disseminate their data. Also keep in mind that regulators continue to adopt increasingly strict laws and regulations to protect consumer data, such as the European Union's General Data Protection Regulation, adopted in May 2018. Therefore, investing in data protection is becoming less of an option and more of a necessity. Explaining the investment in those terms might just be enough to convince a lender of the wisdom underlying your loan request.

The views expressed in the article are those of the author and/or person interviewed and do not necessarily reflect the views of SVB Private or other members of Silicon Valley Bank Financial Group. The materials on this website are for informational purposes only, are subject to change and do not take into account your particular investment objective, financial situation or need. Since each client’s situation is unique, you should consult your financial advisor and/or tax planning professional before acting on any information provided herein