60% of SMBs Go Out of Business Within 6 Months of a Cyber Attack?
I frequently encounter this statistic in the media surrounding the topic of cyber security and small/medium businesses. Although a part of me was a bit skeptical, I have always taken this as fact. This is a pretty unnerving statistic. If this is true, wouldn't we see small business owners taking cybersecurity a little more seriously? So I decided to look into it and I was surprised by what I found.
I recently read a white paper from an industry leader in cyber security which stated “research indicates that 60% of SMBs in the U.S. that experience cyberattacks go out of business within six months.” There it is again. Where did they say that stat came from? Let’s check it out and follow the trail of information. Their reference was from a CPO Magazine article:
SMB Study Reveals Majority of Small Businesses Aren't Taking Cyber Attacks Seriously - CPO Magazine
This article states the same statistic comes from “research from 2018” which leads us here:
60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect…
This article finally says “according to the National Cyber Security Alliance 60 percent of small and midsized businesses that are hacked go out of business within six months”. According to the NCSA, it turns out “this statistic was not generated from NCSA research, and we cannot verify its original source.” But a quick Google search shows that CNBC, Vox and Cybercrime Magazine all continue to state that same stat within the past year. So where did this come from and how did it become so pervasive?
60% of Hacked Small Businesses Fail. How Reliable Is That Stat?
The statistic seems to have gone mainstream when it was repeated several times by committee members and policy makers during congressional hearings in 2015. The topic of cybersecurity tends to be a magnet for sensational stories in the media and this can be misleading to organizations who reside outside this space. This is the kind of fear-mongering rhetoric I find a lot of players in the industry use to sell their products or expertise. I understand the spread of misinformation may not always be intentional but nonetheless I am very disappointed to see organizations marketing this information to small and medium businesses in order to sell their product.
With that said, I am by no means trying to downplay the very real cybersecurity risks SMBs face and the harmful financial effects they can experience as a consequence of those risks. On the contrary, I believe small and midsize businesses face some, if not all, of the same risks larger organizations encounter and they need all the help they can get. What we don’t need in the industry is the prevalence of FUD marketing and the use of specious statistics, whether it's intentional or the product of misinformation. It is very easy to take advantage of businesses outside the field of cybersecurity who are not familiar with the nature of the work and the technologies involved.
That is why at 2n2, instead of using fear to sell silver-bullet solutions, I hope to help businesses by showing them techniques that are low cost and high-impact. These include fundamental controls like security awareness training, two-factor authentication and others that are rooted in people, processes and technologies. So next time you find yourself questioning something that appears a little outlandish, do a little digging and chances are you’ll be just as surprised as I was.
Maybe 10% seems more like it?