How Small Businesses can Leverage Risk to Identify Priorities
"The greatest victory is that which requires no battle." — Sun Tzu
A general understanding of risk gives small business owners a starting place for thinking about cyber attack from a business and strategic perspective.
Risk is the likelihood (probability) that an event will happen multiplied by the impact of the event: LIKELIHOOD x IMPACT = RISK. Let's explore an example to see how this works.
HYPOTHETICAL RANSOMWARE ATTACK on an Office Furniture dealer with 10 employees and $3 million in annual revenue. Let's say the company is better prepared than most, with ransomware-resistant backups, a business continuity plan, and data breach insurance, but no cyber attack insurance.
IMPACT
From Figure 1, the estimated direct costs associated with a hypothetical ransomware attack include restoration costs of $23,000 and revenue impact of $250,000, so the total impact is $273,000. Without cyber attack and associated business interruption insurance, this is a reasonable estimate of impact for this hypothetical case. Note that the business will still have ongoing fixed expenses, including salary expense, during recovery.
LIKELIHOOD
We'll use some recent statistics to estimate the likelihood of an attack resulting in revenue loss.
■ 13% of Small Businesses with fewer than 100 staffers were Hit by Ransomware in 2022 [1]
■ 42% of cyberattacks resulted in revenue loss for small business [2]
Using these statistics, the likelihood of a revenue-impacting ransomware attack occurring each year would be 42% of 13%, which is 5.5% per year.
IMPACT x ANNUAL LIKELIHOOD = ANNUAL RISK
(Impact of $273,000) x (Annual Likelihood of 5.5%) = $15,015
Again, we're talking about an average business and average risk. The result of $15K gives the owner a reasonable starting point for annual spend to reduce exposure to cyber attack. Adjustments upward are appropriate if the business processes or stores significant amounts of very sensitive PII or Protected Health Information (PHI).
Of course, these are not precise calculations, but they are a helpful starting place for planning purposes for a general business of that size.
Principle: You can avoid the battle Sun Tzu mentioned by lowering the likelihood of an event occurring using business resources (time, money, expertise). You can change the example to fit your business circumstances and get a starting point on what you should budget.
If, like most small business owners, you lack the resources and skill to reduce your risk, please message me. Our tactics reduce attack exposure using resources already owned by most small businesses and require no intrusive software or special training.
Please comment – will knowing more about business risk help you make better resource allocation decisions for defensive measures?
Book a discovery meeting and we can work with you to rapidly achieve a stronger defense.