
Small businesses face constant cost pressures. While it’s easy to see cybersecurity as an unnecessary burden, it’s more important than ever for safeguarding business viability and profitability.
The situation regarding small business cybersecurity is much more serious than many people realize. Just one successful attack can be enough to cause lasting or even fatal damage to a small business - as many as 60% of small businesses close their doors within six months of suffering a cyberattack.
Despite the urgency of the issue, small businesses tend to allocate minimal budgets to cybersecurity. In many cases, this won’t be nearly enough to protect against new and existing threats — but accessing the best security skills and technologies is often beyond the financial reach of most smaller businesses.
The way forward is to make smarter investments, put the best possible security in place for limited cost, and make cybersecurity a net contributor that adds value and drives a business forward. To make that happen, an organization must understand how to maximize cybersecurity return on investment (ROI). In cybersecurity, this is often measured as a return on security investment (ROSI), which focuses on risk reduction and cost avoidance.
In this guide, we’ll explore how to do that, including how cybersecurity ROI can benefit an organization, the best (and worst) areas to invest in, and how to calculate potential cybersecurity ROI for your organization.
How do cyber attacks affect small business finances?
Many organizations think of cyberattacks in terms of a virus that infects a computer or other device, rendering it (or the data within it) unusable or stolen. This is a common and highly disruptive form of cybercrime, but the consequences of any kind of attack can hit a small or medium-sized business (SMB) in the pocket in several different ways:
Ransoms
Ransomware, where hackers seize control of data access and demand money in exchange for restoring it, is on the rise. This often puts small businesses in an impossible position: pay an unaffordable ransom or go a protracted period without access to essential data and applications needed day-to-day.
Lost sales and revenue
The impact of a cyberattack on business profitability can be lasting. In the short term, lengthy disruption and recovery time can hinder a business’s ability to receive and process orders and meet customer expectations. In the long term, this can cause real damage to an organization’s reputation, especially if customer data is lost or stolen.
Operational disruption and recovery costs
Connected to the previous point, recovering from an incident and restoring data, systems, and applications to their original settings can be an expensive and time-consuming endeavor. This is especially the case if there aren’t recovery plans and solutions in place beforehand, and everything must be worked out from scratch.
Legal sanctions
Businesses are legally required to keep information safe, especially sensitive customer data, and this is enforced by the likes of the General Data Protection Regulation (GDPR). Penalties and fines for non-compliance resulting from a data breach can be extremely severe, and cause further financial distress.
Common cybersecurity investment mistakes
With money often tight, SMBs can’t afford to get their decisions around cyber investments wrong. Too often, businesses make bad choices around security, and there are four main mistakes that regularly crop up. As you’ll realize, the common theme that unites them is a lack of balance through focusing on specific areas too much - or not enough:
Emphasizing prevention and neglecting response
Many business owners believe the best way to secure their organizations is to keep malicious actors out. This leads them to over-invest in defenses like antivirus and firewalls; while these solutions are important, they need to be followed up with a robust response plan that can swing into action as and when a breach does occur.
Choosing the wrong technology
Some organizations don’t look at the finer details of what a cybersecurity solution does for them: they may get taken in by brand recognition, attractive pricing, or bold promises of guaranteed protection. This means they might miss functions they really need, especially around support when things go wrong.
Overlooking workforce education and training
Human error remains a leading cause of cybersecurity breaches. Many employees still fall for phishing emails, which are becoming increasingly sophisticated with AI, making them harder to detect. Without proper awareness and training, employees are more likely to be deceived, often without realizing they’ve made a mistake until it’s too late.
Relying on insurance
There remains a perception that business insurance will help organizations recover from a cyber attack; however, this often isn’t the case, and business owners don’t realize until it’s too late. And while specialist cyber insurance can help with recovery funds, it will still take time to get operations back on track.
Calculating cybersecurity ROI
Cybersecurity ROI can be difficult to calculate in exact terms. The generally accepted formula is to divide the amount invested in cybersecurity by the number of breaches and attacks prevented and to compare this to the likely costs to the business of those breaches if they had been successful. However, if those breaches never occurred in the first place, then it’s hard to pinpoint how much financial damage they would have caused.
Nevertheless, it is possible to come up with an approximation. Kaspersky’s research provides this example of a business with two offices and 100 endpoints. Their security is cloud-based, meaning their annual costs are as follows:
- Admin resources: $24,000 ($2,000 per month)
- License fees: $2,500 ($208 per month)
- In-house skills required: $7,000
This works out at an annual cost of $33,500, which can then be compared against the average cost of a breach for an SMB, which varies depending on how long it takes to be identified. The average is $27,542 for a breach detected almost instantly, but if it takes over a week to be identified (which can easily be the case without security provisions in place), this rises to $104,730.
Therefore, if the cloud-based security option shuts down just one threat per year, its total return on investment can be calculated at $104,730 minus $33,500, which gives a cybersecurity ROI figure of $71,830. That kind of money can make a real difference to any small business - and that’s before considering the knock-on benefits of business continuity, compliance, and brand reputation.
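The calculation above, generalized as an added example (not code from Kaspersky or the original article): it applies the commonly used ROSI ratio, net avoided loss divided by security spend, to the cost items and breach averages quoted in this section, for both detection scenarios. The function names and the `prevented_per_year` and `mitigation_ratio` parameters are assumptions introduced here; the article's case corresponds to one prevented breach and a ratio of 1.0.

```python
from math import ceil

# Annual cost items from the 100-endpoint example in the text (USD).
ANNUAL_COSTS = {
    "admin_resources": 24_000,
    "license_fees": 2_500,
    "in_house_skills": 7_000,
}

# Average SMB breach cost by time to detection, as quoted in the text (USD).
BREACH_COST = {
    "detected_almost_instantly": 27_542,
    "detected_after_a_week": 104_730,
}


def annual_cost(costs=ANNUAL_COSTS):
    """Total yearly security spend."""
    return sum(costs.values())


def avoided_loss(breach_cost, prevented_per_year=1, mitigation_ratio=1.0):
    """Loss avoided per year. mitigation_ratio (assumed parameter) is the
    share of each breach's cost the control actually prevents; the text's
    example implicitly uses 1.0 and one prevented breach."""
    return breach_cost * prevented_per_year * mitigation_ratio


def net_benefit(breach_cost, **kw):
    """Avoided loss minus security spend: the figure the text calls ROI."""
    return avoided_loss(breach_cost, **kw) - annual_cost()


def rosi(breach_cost, **kw):
    """ROSI as a ratio: net benefit per dollar spent."""
    return net_benefit(breach_cost, **kw) / annual_cost()


def break_even_breaches(breach_cost, mitigation_ratio=1.0):
    """Fewest prevented breaches per year that cover the annual spend."""
    return ceil(annual_cost() / (breach_cost * mitigation_ratio))


def report():
    """One row per detection scenario: (name, net, ROSI, break-even)."""
    return [(name, net_benefit(loss), round(rosi(loss), 2), break_even_breaches(loss))
            for name, loss in BREACH_COST.items()]


if __name__ == "__main__":
    for row in report():
        print(row)
```

For a breach caught almost instantly, one prevented incident does not cover the annual spend, so the return depends heavily on which detection scenario the control is displacing.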
How cybersecurity investments pay off
If you can avoid those pitfalls and get your cybersecurity investments right, then the benefits for your organization can be transformative:
Reduced risk of cyberattack
The first benefit is the most obvious: with a more balanced and rounded approach to cybersecurity investments, the chances of a cyberattack being successful are substantially reduced. While it’s impossible to reduce this risk to zero, at least the risk can be brought down to as low as is practical.
More resilient business and income streams
With a lower risk of cyberattack and with proactive recovery plans in place in case one does get through, the potential scale and timespan of operational disruption are greatly reduced. This ensures that revenue and sales can continue to flow as smoothly as possible and lessen the impact on the bottom line.
Employee security and confidence
Employees will feel safer knowing that there is a better security provision in place; furthermore, their own digital lives will also be better protected if they use personal devices as part of their work. In turn, this can make it easier to retain and attract talented staff who can add extra value to the business in the long term.
Company reputation maintained
Brand perception has never been more important to SMBs, given the ease with which people can shop around and switch to a competitor in the online marketplace. Avoiding data breaches that become public knowledge can ensure that customers only think of an organization positively rather than negatively.
Stronger compliance
Robust security measures, backed up with technology and reporting capabilities, can make it easier not only to comply with data protection and other regulations but also to demonstrate that compliance.
In summary: where to invest for the best return on security
So, you’ve read about the importance of cybersecurity investments, how to estimate cybersecurity ROI, and how many organizations get it wrong, but what do you need to do to get it right?
Four key areas should each receive investment so that robust security is maintained business-wide in the long term:
Regular security awareness training ROI
Every member of the workforce should receive security training when they join. They should receive regular refreshers that cover new threats and tactics, and that remind them of the importance of remaining as vigilant and careful as possible in all their online activities.
Backup, recovery and response
A good backup solution will routinely create backup copies of all essential business data and store them securely in the cloud, in case an attack renders the main data unavailable. This should form part of a wider response and recovery plan, reviewed regularly, that can help minimize disruption in the event of a breach.
Kaspersky Small Office Security (KSOS): Comprehensive protection for SMBs
For small businesses, an integrated approach to cybersecurity is essential. Designed specifically for SMBs, Kaspersky Small Office Security provides enterprise-grade security that maximizes cost-effectiveness and, by extension, cybersecurity ROI. It brings together password management, a premium VPN, malware and ransomware protection, and much more, with prices applied on a per-user basis to eliminate unnecessary spending.