The financial impact of data breaches on small businesses (SMB) increased by 4% from $101,000 in 2020 to $105,000 in 2021, according to the Kaspersky report titled “IT Security Economics 2021: Managing the trend of growing IT complexity.”
The global cybersecurity company found that in Southeast Asia, the average cost of a data breach against an enterprise increased slightly to $716,000 this year from $710,000 in 2020. There is, however, a huge drop when it comes to the financial impact against SMBs. From $92,000 two years ago, it is only at $74,000 in 2021.
Kaspersky also found a notable 15% decrease for enterprises, which fell to $927,000 from $1.09 million in 2020, below the previous lowest figure of $992,000 from 2017.
“The significant drop in the cost of data breaches against SMBs here is due to the fact that some of these businesses had to close shops during the height of this health emergency,” said Yeo Siang Tiong, GM for Southeast Asia at Kaspersky. “It took a while before they were able to re-open and start their recovery. The financial impact of data breaches against enterprises has not skyrocketed as we continuously see improvements on businesses’ detection capabilities.”
Protecting corporate and personal data has become a necessity for modern businesses in Southeast Asia (SEA), especially over the past two years. Unfortunately, with new threats emerging during the pandemic and the extended period of remote work it introduced, businesses have to tackle both internal financial risks and external cyber threats.
State of IT security
A total of 4,303 interviews with businesses with more than 50 employees were conducted across 31 countries in May-June 2021. Respondents were asked about the state of IT security within their organizations, the types of threats they face, and the costs they have to deal with when recovering from attacks. Throughout the report, businesses are referred to as either SMBs (small and medium-sized businesses with 50-999 employees) or enterprises (businesses with over 1,000 employees).
“During our customer interactions and also due to the increased media coverage about cyberattacks, more companies are now aware of the price they may pay if they let their guard down. However, once an attack is exposed to the press, the aftermath significantly increases,” Yeo said. “Reputational impact comes into play and this proves to be more damaging than the upfront monetary aftermath.”
The average breakdown of the additional cost of a data breach against an enterprise in the region showed that the bulk of the money goes to improving software and infrastructure ($98,000), extra PR to repair brand damage ($93,000), training existing staff ($90,000), employing external professionals ($88,000) and damage to credit rating or insurance premiums ($84,000).
Digital payments and e-commerce
Kaspersky’s other research, “Mapping a secure path for the future of digital payments in APAC,” found that almost half (42%) of users in SEA will not purchase from an e-commerce provider or any seller that was subjected to a data breach or any form of cyberattack.
A company’s history with data leaks also plays a role when users are choosing their mobile wallets. Almost 2 in 5 noted that they will opt for a digital payment provider that was not involved in any kind of data breach or attack before.
With the financial and reputational aftermath of a data breach, both enterprises and SMBs are urged to follow the advice below to help them mitigate cyberattacks and potentially reduce costs if they suffer a data breach:
- Ensure the organization is using the latest version of its chosen operating systems, with auto-update features enabled so that the software is always up to date.
- Adopt endpoint solutions, like Kaspersky Integrated Endpoint Security. It enables vulnerability assessment and patch management, to reduce the risk of vulnerabilities being exploited by cybercriminals. This can automatically eliminate vulnerabilities in infrastructure software, proactively patch them and download essential software updates. It also provides behavior detection and exploit prevention mechanisms that discover and stop suspicious endpoint activity.
- Educate employees on the importance of regularly updating technology and software. For example, IT training courses from the Kaspersky Automated Security Awareness Platform and Kaspersky Adaptive Online Training cover this topic.
- Develop a special crisis management plan for cybersecurity incidents and ensure that it integrates participants from key departments, including IT Security, IT, legal, government relations, investor relations, customer support and corporate communications.
- Consider specific training, such as Kaspersky Incident Communications, for all of the parties involved, including communication specialists and the head of IT security.