Published in The Startup
Could your business withstand a $200,000 loss from cybercrime?

I’ve been in the small business world for much of my professional career. As the President & CEO of The Penn Group, I’ve had my fair share of crises. Having owned several businesses, I’ve become numb to the constant threats small businesses have faced over the years. Call me old fashioned, but one of my favorite morning routines is to read the news of the day. As a leader, it is important to immerse yourself in current events to keep one step ahead of the world. Anyway, I read a headline that startled me: a small business had just paid a $150,000 ransom. As a cybersecurity expert, my heart immediately dropped. The enterprise is no longer the only playing field. Small and midsized businesses are now on the firing line.

According to insurance carrier Hiscox, the consequences of cyberattacks continue to grow, with digital incidents now costing businesses of all sizes $200,000 on average. SMB (Small to Midsized Business) security has never been more important, but it remains extremely expensive to implement. A recent article published by Infosecurity Magazine concluded that effective cybersecurity measures cost small businesses considerably more as a percentage of operational budget than they cost larger organizations: up to around 4%, compared with 1–2% for enterprises.

Historically, cybercriminals focused on targeting the enterprise, but as enterprise information security has improved, criminals have turned their attention to smaller businesses.

Cyber-attacks on the SMB have jumped 15% over the past year. — Hiscox

SMB Security Impacts

The average cost of a security breach affecting small to medium businesses increased by 61%, from $229k in 2018 to $369k in 2019. A recent “Cost of a Data Breach” survey conducted by the Ponemon Institute found that the healthcare industry faced the highest cost per compromised record, at $408; that’s nearly three times the overall average of $148. On top of the cost of remediation efforts, which can include providing identity theft protection, security upgrades, and third-party expenses, small to medium sized organizations are likely to face many other indirect costs, including but not limited to:

· Shutdown costs during remediation
· Lawsuits and fines from regulators
· Class action lawsuits
· Loss of brand value
· Increases in insurance costs

Improve Your SMB Security

Improving information security is an often-complicated process, requiring significant expertise in information security, information technology, and regulations. In order to further. Most of the time, SMB owners are just trying to get through the mountain of tasks for the day. With a lack of resources, it can be next to impossible to even consider improving security. But improving security has to be done.

While it is impossible to stop every breach, small businesses should be prepared in the event of the unthinkable.

Cover Your Butt

Every SMB is different in operational capacity and security requirements. To meet the needs of your business from a security perspective, start by evaluating your current security needs. Some businesses may need to comply with standards such as PCI-DSS, New York Cybersecurity Law, and CCPA. I would recommend that you reach out to a local security company to perform an assessment of your specific needs. Restaurants often process a large volume of card transactions and must be PCI-DSS compliant. Medical practices must be compliant with HIPAA, and specific state regulations may also apply. For each business type, hefty fines await any business found non-compliant in an audit.

Secure Your Tech

Beyond compliance, your business’s technology is specialized for your needs. This technology must have proper security measures in place to ensure the protection of your customers. Securing your network, endpoints, operations, mobile devices, and your building is a tremendous challenge to take on without expert guidance. Insecure technology can be an entry point for criminals to get into your network. At a basic level, your network should be locked down so that only absolutely necessary traffic is allowed through. Your endpoints, meaning the computer systems that aren’t servers, should have anti-virus technology, access control, and data protection practices in place to protect your business. In any case, you should consult a professional security company that can provide specific guidance on your unique situation.

Train Your Liabilities

All businesses rely on great people to achieve the impossible. Fortunately, your people are your best defense against cybercrime. Unfortunately, they are also your greatest liability. One wrong click is all it takes for your systems to be compromised and your accounts drained. Adequate training must be in place to ensure the security of your systems. Even in a small business, 90% of security incidents are related to employees or vendors doing the wrong things at the wrong times. Awareness and training is an often-overlooked security activity that must be taken seriously.


The risk of a loss of $200,000 or greater continues to grow for small and midsized businesses. While every security situation is unique, hackers have turned their attention to the SMB, and they aren’t going away. Everyone is at risk, and strong security practices are the only way to mitigate that risk. I recommend hiring a professional security company that is capable of meeting your needs and evaluating your risk. The Penn Group offers services in each of these categories.

Austin Harman is the President & CEO of The Penn Group. He currently holds the coveted CISSP certification, in conjunction with the CCSP, CAP, and Security+ certifications from ISC2 and CompTIA respectively. He resides in Columbus, Ohio.
