Understand Your Risk, Then Invest in Your Small Business Cybersecurity Plan

Understand Your Risk to Know How Much to Spend on Cybersecurity

Do you know the cost/benefit breakdown of the cybersecurity you have in place for your small business?

To be more precise, how much should you invest in cybersecurity protection in relation to your actual monetary risk? The findings of the new report from the Better Business Bureau, titled “The State of Small Business Cybersecurity in North America,” offer some hints.

The report was released as part of National Cybersecurity Awareness Month. One of its more distressing data points indicates that half of small businesses could only stay profitable for about a month after losing critical data.

The BBB surveyed around 1,100 businesses in the U.S., Canada, and Mexico with 71.4, 28.5, and 0.1 percent of the respondents coming respectively from those countries.

How Much Are Small Businesses Losing?

According to the report, the annual average loss from cyber attacks is estimated at $79,841. The median loss came in at $2,000, with the maximum total loss at $1 million. This, of course, will vary greatly with the size of your company and the type of cyberattack you have sustained.

Still, Bill Fanelli, CISSP, chief security officer for the Council of Better Business Bureaus and co-author of the report, emphasized the vulnerability of many small businesses. “Profitability is the ultimate test of risk. It’s alarming to think that half of small businesses could be at that much risk just a short time after a cybersecurity incident,” Fanelli said.

Do You Know How Much to Spend On Cybersecurity?

Fanelli still stresses that small businesses must avoid going overboard. He explains, “It doesn’t do any good for a small business to adopt a $10,000 solution if the potential risk reduction is only worth $5,000.”

With that in mind, the report used a formula created by two professors at the University of Maryland, Martin P. Loeb and Lawrence A. Gordon. Using this formula, a small business owner can calculate the best possible investment in prevention to safeguard their company from cybersecurity attacks.

The five-step process consists of estimating the loss, estimating risks, identifying investments, estimating savings, and making the calculation. You can get details of the formula in the free download of the report here.

The report adds, “As long as the potential savings exceeds the cost of investment, then it is a cost-effective measure that should be implemented.”
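The five-step process above, worked through as an added Python example (not code from the BBB report or from Gordon and Loeb). It goes slightly beyond the text by re-estimating savings after each adopted safeguard, so overlapping protections are not counted twice. All risks, probabilities, costs and reduction fractions are constructed sample figures, and treating reductions as independent multipliers is an assumption.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    loss: float         # step 1: estimated dollar loss if the incident occurs
    probability: float  # step 2: estimated chance of it occurring in a year

@dataclass
class Investment:
    name: str
    annual_cost: float  # step 3: yearly cost of the safeguard
    reduction: dict     # risk name -> fraction of that risk's probability removed

def expected_loss(risks, adopted):
    """Annual expected loss with the adopted safeguards in place."""
    total = 0.0
    for risk in risks:
        p = risk.probability
        for inv in adopted:
            # Assumption: safeguards reduce probability independently.
            p *= 1 - inv.reduction.get(risk.name, 0.0)
        total += risk.loss * p
    return total

def plan(risks, candidates):
    """Steps 4-5: keep adopting the best safeguard while savings exceed cost."""
    adopted, remaining = [], list(candidates)
    while remaining:
        current = expected_loss(risks, adopted)
        def net(inv):  # savings from adding inv now, minus its cost
            return current - expected_loss(risks, adopted + [inv]) - inv.annual_cost
        best = max(remaining, key=net)
        if net(best) <= 0:
            break
        adopted.append(best)
        remaining.remove(best)
    return adopted, remaining

# Constructed sample figures, not data from the report.
RISKS = [Risk("ransomware", 80_000, 0.25), Risk("phishing fraud", 20_000, 0.5)]
CANDIDATES = [
    Investment("offline backups", 3_000, {"ransomware": 0.5}),
    Investment("staff training", 2_000, {"ransomware": 0.25, "phishing fraud": 0.5}),
    Investment("managed detection suite", 10_000, {"ransomware": 0.5, "phishing fraud": 0.25}),
]

if __name__ == "__main__":
    adopted, rejected = plan(RISKS, CANDIDATES)
    print("adopt:", [i.name for i in adopted], "skip:", [i.name for i in rejected])
    print("expected annual loss:", expected_loss(RISKS, []), "->", expected_loss(RISKS, adopted))
```

With these sample figures the suite saves $12,500 on its own, but only $5,000 once the two cheaper safeguards are in place, which is the $10,000-for-$5,000 situation Fanelli describes.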

Michael Guta is the Assistant Editor at Small Business Trends and currently manages its East African editorial team. Michael brings with him many years of content experience in the digital ecosystem covering a wide range of industries. He holds a B.S. in Information Communication Technology, with an emphasis in Technology Management.

4 Reactions
  1. Security is really important. There is a risk of having everything that you worked hard on get taken away from you in an instant.

  2. I spoke with Bill about this report earlier in the year and was grateful to find someone else that understood cybersecurity was a business issue, and not just an IT issue. It resonated with me because I wrote a book on the subject that goes even deeper than the BBB report into how a business owner/executive decides what they should be doing/spending to protect themselves. The book, Cybersecurity: A Business Solution, is available from Amazon and Google.




  3. Hi Michael,

    Thanks for mentioning the Gordon-Loeb Model (see: https://en.wikipedia.org/wiki/Gordon%E2%80%93Loeb_model) in your article! If you are in the Baltimore-Washington area and have an interest in cybersecurity related issues, let me know. I would welcome the opportunity to have you as my luncheon guest at the University of Maryland’s Smith School of Business to discuss cybersecurity related issues.



    Lawrence A. Gordon, Ph.D. (http://scholar.rhsmith.umd.edu/lgordon)
    EY Alumni Professor of Managerial Accounting and Information Assurance
    Robert H. Smith School of Business, 4332F Van Munching Hall; (301) 405-2255
    Affiliate Professor, University of Maryland Institute for Advanced Computer Studies
    University of Maryland, College Park, MD 20742-1815
