Cost Benefit Analysis Proves the Necessity of Business Privacy Management

Budget Conscious Investments to Maximize Risk Mitigation for SMBs

In a series of recent white papers and resources, Privacy Bee clarifies the difference between traditional and emerging information security practices. Traditional efforts focus on internal data and network security.  Emerging threats are directed at the new “social engineering attack surface”.  And this attack surface expands vulnerability because it’s made possible by vast caches of unsecured, external data.  Privacy Bee defines “unsecured external data” as employees’ and vendor/partners’ personally identifiable information (PII), readily available for sale from Data Brokers, People Search Sites or easily scrubbed from social media, search engines, corporate websites and other public internet sources.  External data is routinely used by bad actors to develop and deploy social engineering attacks. Research confirms these attacks now comprise the majority of successful data breaches for organizations of all sizes and makeup and underscores the absolute imperative to improve business privacy management.

This recent Privacy Bee document provides a detailed explanation of the emerging threat and expanded attack surface posed by unsecured external data management.  In spite of this information, some organizations point to the already significant sum they spend on cybersecurity and question the value in adding additional budget to address business privacy management and shrink the social engineering attack surface.  This document illustrates the rising threat of data breaches – particularly those perpetrated using unsecured external data – and provides a cost benefit analysis proving the value and illustrating the imperative of business privacy management services and solutions.

The Latest Data on the Costs of Data Breaches and Poor Business Privacy Management

Business.com reports that about half of all cyberattacks target small businesses.  In 2017, the Hiscox Cyber Readiness Report revealed 68% of small businesses had experienced a cyberattack in the last 12 months.  Since that time, the number and frequency of these attacks has only increased. The average cost of a data breach in the US as of 2022 is greater than $9.4 million and has nearly doubled since 2013 when the average cost was $5.4 million. 

According to Verizon’s 2021 SMB Data Breach Statistics, 95% of cybersecurity incidents cost victimized organizations between $826 and $653,587.  More than half of SMBs victimized by ransomware attacks wind up paying the ransom out of operating capital.  Only a fraction of the SMBs carry cyber insurance and only 17% of small companies (according to a US-based small business survey from 2021) have cyber policies in place.   For those SMBs surviving a data breach, the reputational damage inflicted can be enough to depress revenues beyond sustainable operation.  A full 87% of small businesses are custodians of sensitive customer data like credit card information, social security numbers, phone, address, bank account information, etc.  Consumer trust is very difficult to regain once their confidence has been betrayed.  Those SMBs with some form of cyber insurance in place soon realize that the coverage does little to preserve their reputation as a trusted entity. Only robust business privacy management can protect the reputation of an organization.

Cost of a Data Breach in the US from 2006 to 2022

Source: Statista

For some industries, the average costs of a data breach are significantly higher.  $10.10 million is the average cost of a data breach in the US healthcare industry for example. Compounding the problem is the fact that data breaches in the US cost TWICE as much as the global average according to this recent IBM report.

For a mid-sized, $50 million organization, losing $9 million to $10 million because of a data breach due to insufficient business privacy management represents a gravely serious threat to their solvency.  For SMBs at the lowest end of the revenue spectrum, those earning between $1million and $10 million in annual revenue, the numbers are no less frightening.  Recent studies have shown that the average cost of a data breach to small business can range from $120,000 to $1.24 million.  For both the mid-sized and the small business, the damage inflicted by a single data breach is often fatal.

So, it is no surprise that 60 percent of SMBs victimized go out of business within six months of a data breach as reported by Cybercrime Magazine.  Considering the extremely high cost of data breaches, it would be safe to assume SMBs are spending appropriate levels of capital to protect themselves from attack.  Yet, frequently the opposite is true.

The Latest Data on Cybersecurity Spend for US Organizations

Let’s first establish how much the typical small to mid-sized business (SMB) spends (on average) on cyber security to protect itself from attacks and data breaches.  Gartner defines the SMB as an organization with less than $50 million in annual revenue. 

CIO magazine estimates small businesses spend roughly 7 percent of their annual revenue on IT.  For a $50 million company, that equals $3.5 million a year on all IT spend.  By some estimates, cybersecurity only makes up as little as 5% of the average SMB’s overall IT spend.  So, on average, the $50 million company spends approximately $175,000 on cyber security. (In many cases business privacy management isn’t even included at all in security spending.)

Yet as former FBI special agent, Scott E. Augenbaum notes, despite rising awareness of the threat, many SMBs aren’t equipped to do enough to protect themselves.  Working in Cyber Crime Fraud Unit for the cyber division of the FBI, Augenbaum identified the primary obstacle facing SMBs when it comes to protecting themselves from cyber attacks.

Augenbaum says, “Small and medium sized businesses lack the financial resources and skill set to combat the emerging cyber threat”.  Even for the SMBs that are able to allocate the tiny fraction of “financial resources” to cyber security practices, an even smaller percentage possess the ability to properly deploy the budget in ways that produce maximum cybersecurity results for the very minimal available budget.

Though the data in the chart below only reflects the growth of privacy and security investments through 2019, the trend is clear.   Business privacy management is a growing need for organizations of all size and composition.  The growth of investment into the privacy management industry reflects the increased demand for products and services designed to help protect privacy and information security. 

Dollar Volume of Investments in Privacy and Security Companies Worldwide from 2010 to 2019

Source: Statista

For some more contemporary evidence of the expansion of awareness and resulting growth of privacy and security investments, consider the following data about the US government’s growing focus on the new attack surface. The US Office of Management and Budget released its proposed spending across all US government agencies for 2022 and 2023.  With very few modest exceptions, nearly all agencies are expanding their spend on privacy and security activities. 

Proposed spending by the U.S. federal government on cybersecurity for selected government agencies from FY 2022 to 2023

Source: US Office of Management and Budget

The evidence is clear, external data privacy management is a critical success factor to avoid data breaches in 2023 and beyond.  Despite increased awareness surrounding the threat of data breaches and the rise of social engineering attacks as the predominant attack vector, SMBs continue to struggle with preparedness. 

Research from cyber insurance carrier Corvus Insurance suggests nearly half of businesses with fewer than 50 employees have no cybersecurity budget!  Digital.com’s March 2022 survey of 1250 businesses of fewer than 500 employees also revealed 51% fielding no cybersecurity measures at all. On a more positive note, the COVID pandemic seems to have prompted an uptick in cybersecurity spend among SMBs.  A 2022 poll of 600 small US businesses revealed the number of organizations spending more than $500 per month rose from 24% to 26% and those spending $1500 to $2000 per month rose from 19% to 24%.  However, the amount of spend alone is not the most relevant metric.  If cybersecurity spend does not include focus on improving external data privacy and hygiene, then it is largely wasted money.  As is the money spent on cyber insurance which closes the proverbial barn door after the horse has already escaped.

The Cost Benefit Equation for Privacy Bee Business Privacy Management Solutions

For SMBs, cost is always a predominant concern when it comes to allocating a limited budget in any area.  With the threat of cyberattacks and data breaches reaching acute levels, SMBs are being pressed to re-calibrate their IT spend – in particular, the allocation of spend for the update of information security policies and practices addressing the social engineering attack surface.  Resistance among IT budget leadership is often the result of a misconception.  The fact is, addressing data privacy management doesn’t have to blow up IT budgets.  In fact, the value these solutions deliver far outweighs the surprisingly modest investment.

Most IT leaders in small and mid-sized organizations naturally assume the cost of privacy solutions must be prohibitive.  The volume and availability of external data and the PII of an entire workforce (and that of vendors/partners as well) poses a seemingly overwhelming business challenge.  They assume solutions to the challenge must involve extensive, labor-intensive and costly resources. 

On the contrary, Privacy Bee delivers external data privacy management products and services to effectively neutralize a broad spectrum of threats to the social engineering attack surface.  These solutions have low impact to internal IT resources.  Plus, they don’t involve labor-intensive implementation or maintenance for the IT departments within SMBs.  Moreover, they are proven-effective at addressing the root cause of nearly all social engineering attacks and resulting data breaches: unsecured external data about the organizations’ workforce.

The Privacy Bee for Business solution is remarkably flexible and offers service levels and pricing to accommodate nearly any budget.  An SMB may use Privacy Bee for Business to simply perform External Data Privacy Audits and Privacy Risk Assessments.  These functions are available to use at no cost whatsoever!  After identifying vulnerabilities, IT departments can assume control over the process and leverage internal resources to scrub the unsecured data they find from the more than 350 People Search Sites and Data Brokers monitored by the solution. For the smallest operations, this is manageable and costs nothing.  For those organizations more toward the middle and upper end of the SMB spectrum, outsourcing the deletion of unsecured data discovered by the audits/assessments may make more sense.  For these organizations Privacy Bee for Business offers pricing for handling this process as well.

The pricing available for the Privacy Bee for Business suite offers an affordable option for every organization.  The range of costs is influenced by which elements of the solution the customer engages.  Beyond the no-cost External Data Privacy Audit and Privacy Risk Assessment tools mentioned earlier, Privacy Bee for Business also provides Vendor Risk Management tools to help extend external data privacy management to cover external vendors and other business partners.  There are Employee Risk Management tools to help keep the workforce compliant with any corporate privacy governance rules your organization may institute.  There are Trust Badging offerings to help convey to customers the organization’s emphasis on privacy management.  Privacy Bee University provides workforce training and best practice management to help keep the workforce engaged and focused on proper data hygiene. 

Many of the offerings are free to use.  Some are provided at no cost as upgrades for users that engage sufficient levels of exposure removal and scrubbing services.  Removal service costs range in price depending on how aggressive the customer wishes to be about removing unsecured data.  There are more than 350 sources of data for sale and counting.  Privacy Bee helps companies decide, based on the results of free assessments and scans, how aggressive each unique organization should be with respect to removal of found PII.  Other solution facets include Dark Web monitoring, exposure notifications, HR Poach Defense and other elements of the comprehensive Privacy Bee for Business solution are all available.  Each SMB is able to configure a solution and service level that best addresses their privacy management needs and budgetary requirements. 

To illustrate the cost benefit of the solution, consider the following hypothetical organization and solution cost.  Then weigh the cost against the average loss incurred due to lack of an effective privacy management solution.

Hypothetical Organization #1:  ChickenTronics, Inc.
Number of Employees: 225
Number of Vendors/Partner employees with information systems access: 50
Annual Revenue: $50million
Total number of annual Privacy Bee licenses: 275

Solution Deployed:

• Data Broker and People Search Site Scans
• Exposure Removal and Scrubbing (unlimited)
• Dark Web Monitoring
• Company Trust Management
• Exposure Notifications
• Mass Marketing Opt Outs
• Google Search Monitoring
• HR Poach Defense

Estimated Annual Solution Cost: $28,875

Based on these estimates and using the average values illustrated in the earlier section on costs of data breaches, a data breach for ChickenTronics could cost $9.4 million. 

Investing $28,875 in data privacy management from Privacy Bee represents only .31% of the potential loss.  The cost also works out a mere .06% of overall top line revenue. 

The value is indisputable. 

Hypothetical Organization #2:  Consolidated Widgets LTD
Number of Employees: 25
Number of Vendors/Partner employees with information systems access: 10
Annual Revenue: $2.5 million
Total number of annual licenses: 35

Solution Deployed:

• Data Broker and People Search Site Scans
• Exposure Removal & Scrubbing (limited)
• HR Poach Defense
• Dark Web Monitoring
• Company Trust Management
• Exposure Notifications
• Mass Marketing Opt Outs

Estimated Annual Solution Cost: $1225

Even for the smallest of SMBs where the average Cost of Breach to a $2million SMB in 2023 is at a minimum, $124,000 according to the data cited earlier, the benefit is there. 

In this calculation, the cost of the Privacy Bee solution as configured in the hypothetical example represents one percent of the cost of a single data breach.  The cost of the service is .05% of top line revenue for Consolidated Widgets. 

Again, the value in undeniable.

Consider connecting with a Privacy Bee representative to consult on the needs of your small to mid-sized organization and its data privacy management requirements.  More effective and less costly than cyber insurance.  More effective at shrinking the social engineering attack surface than traditional information security methods.  Privacy Bee is the right solution to mitigate the risks associated with the rising threat of social engineering cyber attacks.