Data Breach: 10% of affected businesses closed down in 2019…or did they…?
I know there is a rush to get things out the door and I am very grateful for those who report on data breach stats but this article from Dark Reading piqued my interest: 10% of Small Businesses Breached Shut Down in 2019. Whenever I see a statistic like this I am always a little nervous. That said a couple of things perked me up…
Link to the commissioning source
The first thing that cheered me up is the Dark Reading author had placed a link to the original source of the data breach stats. Great, I can at least check if this is some kind of circular reporting article where one source quotes someone else who in turn quotes someone else. On clicking the link this was not a circular article, the link went straight to the commissioning source. The National Cyber Security Alliance. All good so far…
Link to the data breaches survey datasets
The thing I was now looking for was whether there was any raw data supporting the data breach claim made on the Dark Reading article that 10% of small businesses did indeed go out of business in 2019. There it was, an executive summary and a pdf containing the data crosstabs. The 10% assertion is based on an online survey of 1,006 small business decision-makers on the topic of cybersecurity. The survey was conducted by Zogby Analytics who was commissioned to conduct the survey by NCSA. That’s when it started getting a bit disappointing…
What did the data breach stats actually say…
Firstly, there was no methodology attached to the data sets so it’s hard to validate the findings in any meaningful way. It appears to be a US-only survey and a small business appears to be a company with between 1-500 employees. The survey does do some further sub-categorisation by industry. All in 1,006 answered the survey.
One thing I found quite surprising was that anyone in a small business who had gone out of business would be taking the time to fill in an online survey at all but perhaps they are civic-minded and wanted to warn others of their plight…however…When you read the dataset what you actually see is the question asked is:
To the best of your knowledge, has your business experienced an official data breach in the last 12 months?
The question appears to be pretty subjective and I’d be interested to know how many really understood the question. That said, of 1,006 small businesses surveyed 27.9% reported an “official breach”.
Now, I am not exactly sure what is classed an “official data breach” because the majority of US states have their own law governing security breach notification but I would hypothesise it likely means that the organisations surveyed have some requirement to notify their customers that personal data has, in some way, been compromised. At the time of writing this article, it is still not clear…feel free to add in the comments if you know more! If it does mean a compromise of personal data, then it could mean data breaches where non-personal data was compromised or where an IT service outage caused availability issues have not been included. The data is not clear.
So back to the data. The figures do show 27 (9.6%) small businesses closed their doors, citing the impact of an official data breach. Therefore, as far as the survey recipients can be trusted, the statement is accurate. Of those who were aware they experienced an official data breach, approx 10% reported it caused their organisation to go out-of-business. So, if the data supports the conclusion we can now all add it to our marketing material…well, maybe…
Is that the end of the data breach story?
Whilst it’s a good start we now have some data on the impacts pertaining to cyber breaches, the data is based on an online survey and there is insufficient supporting information on the methodology. Without sufficient peer review of the methodology, I would caution too much reliance on the data. Another issue is there doesn’t appear to have been any follow-up to check other sources of information (i.e. interviewing those people from companies who went out of business). The other issue is that businesses operate differently across the world so statistics derived in the US may not necessarily apply to those operating say in Asia-Pacific or Europe.
A different US survey reports that 31.3% of respondents selected ‘other reasons‘ so it is entirely plausible that a data breach could fall within the category.
Is the 10% data breach statistic the most important statistic?
Whilst 10% of businesses experiencing a data breach closing down is something we all should take seriously. The more interesting figure is that:
“1 in 3 small businesses in the US have experienced an official data breach in 2019”
That means for every three US small businesses a person shares their personal data, one is quite likely to compromise customer data. Whilst this research focuses on US Small businesses, businesses across the world clearly need more help in locking down their infrastructure, raising awareness with their staff and Fox Red Risk are there to help!
About the Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301:2019 accountability article 25 article 28 article 35 awareness bcms breach ciso contracts controller cybersecurity data breach data privacy Data Protection data protection officer data protection service Data Subject Access Request DPIA DPO DSAR encryption GDPR incident management information security leadership management Pentest Privacy processor resilience risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools transparency vciso virtual ciso