Analysts Challenge US House Data On SME Cybersecurity

A U.S. House Committee passed proposed legislation last week that would require the National Institute of Standards and Technology (NIST) to create cybersecurity guidelines developed specifically for SMEs. As the NIST Small Business Cybersecurity Act of 2017 was debated by the U.S. House Committee on Science, Space and Technology — which ultimately passed the legislation — several lawmakers cited an interesting statistic that correlates cyberattacks to small business failures.

The thing is, though, that reports have dug deeper into the statistic and were unable to find out where it’s from or whether it’s accurate. Still, there are plenty of data points that show how damaging a cyberattack can be on a small business. PYMNTS offers a few of them below — plus the statistic in question discussed in the House.

$1,165,000 can be how much it costs a U.S.-based FI hit by a cyberattack, according to Kaspersky Lab. The firm released its 2016 Financial Institutions Security Risks report last week, which found that even for non-U.S. financial institutions, the cost of a single security incident could top nearly $1 million. Point-of-sale system attacks can top $2 million, attacks on mobile devices leave a $1.6 million hit and targeted attacks yield $1.3 million in damages, analysts calculated. Further, Kaspersky Lab found that 63 percent of FIs believe regulatory compliance doesn’t necessarily guarantee security.

80 percent of U.K. SMEs hit by cyberattacks don’t survive two years later, according to analysis from the Federation of Small Business (FSB) Home Office and MoJ Policy Unit. Its chairman, Richard Parlour, recently spoke at the Counter Terrorism Expo held in London last week and concluded that cybercrime is SMEs’ biggest threat “by far.” The risks include hacks, criminal fraud and corporate espionage, and the list of potential crimes is growing, the FSB said. Parlour highlighted research conducted by the FSB last year, which he found “disturbing” — 71 percent of SMEs at the time said they had been the target of some kind of security breach. Even more troublesome, he said, was that two-thirds of small businesses didn’t believe they were at risk of a cyberattack, and just one in seven told the FSB they were prioritizing cybersecurity.

80 percent of embezzlements happen at SMEs, finds insurance company HISCOX, a statistic that certainly supports the FSB’s latest warnings. According to HISCOX’s 2016 embezzlement survey, companies with fewer than 150 employees were at the highest risk of being hit by embezzlement activity. Nearly a third of embezzlements led to more than $500,000 in losses. According to the report, one of the main reasons smaller companies are targeted so frequently is that they lack the checks and balances needed to catch and prevent such activity.

72 percent of employees willingly share sensitive corporate data, found the latest research from Dell. While this is rarely done with malicious intent — analysts found just 3 percent admitting malicious motivations behind their data-sharing behavior — many employees are still putting their companies at risk because, according to Dell, companies aren’t implementing standards for when and how their workers should share data. Instead, employees and their employers take on data-sharing scenarios on a case-by-case basis, and that could be dangerous. According to the survey, 43 percent of data-sharing employees said they would share data if their managers requested it, while 37 percent said they would share data with someone they know is authorized to receive it. About a fifth said they would share data if they concluded that the benefits of doing so outweighed any risks to the company.

60 percent of U.S. SMEs hit by a cyberattack shutter within six months — or do they? That statistic was cited by lawmakers in the House of Representatives last week as it approved legislation to help small businesses target cyberattacks. The NIST Small Business Cybersecurity Act passed a voice vote last week as policymakers look to have the NIST create cybersecurity guidelines specific to SMEs.

Interestingly, reports last week noted that the statistic, which was used multiple times as lawmakers debated the legislation, could not be confirmed, nor could its attribution, with analysts warning that it is difficult to correlate cyberattacks to a business closure.

“The 2011 statistic that ‘60 percent of businesses close within six months of a cyberattack’ is not from NCSA, and its original source cannot be confirmed,” said the National Cyber Security Alliance (NCSA). Lamar Smith (R-TX), chairman of the House Science, Space and Technology committee, had attributed the data point during House discussions last week.

“We recommend that media, policymakers, small business and others not use that statistic and rely upon information that is current and relevant,” NCSA Executive Director Michael Kaiser stated. “Our team is working to proactively limit this stat’s further sharing and usage.”