Why should I care about cybersecurity?
Hackers ...
Hackers and criminals target small and medium businesses, especially businesses which have significant reliance on computers, as these businesses are the most likely to fall victim to ransomware or are more susceptible to blackmail over the exposure of their customers' personal information; thus they are most likely to pay a ransom.
Hackers don’t care who you are or if your business goes bankrupt because of their actions.
Hackers typically do one or both of the following:
Hackers steal the personal data of you and your customers. If the data is valuable for identity theft or for use in stealing from others, they sell it on the dark web. If the data contains your customers’ information, they will sometimes blackmail you by threatening to inform all of your customers (typically via email, since they obtained your customers’ email addresses when they stole your customer records) that they hold the customers’ personal information and will sell it on the dark web unless you, the business owner, pay. The hacker may also direct the customers to contact you, the business owner, to demand that you pay the blackmail fee to keep their information private. It goes without saying that your customers will know that your business’ poor cybersecurity is the reason they are in this situation.
Hackers encrypt your business data and render both the data and your computers useless. They then demand payment of a ransom (typically in a crypto-currency such as bitcoin) before attempting to decrypt the data and restore your computers. All of the business’ data is effectively lost, including your list of accounts payable to you, payroll information, tax liabilities, tax filings, customer contacts, everything, just gone. The computers are locked up and no longer useful for conducting business; effectively, the computers themselves are gone, too.
Even if the business had cybersecurity insurance, the loss may not be covered in situations where the business did not take reasonable precautions or follow industry-standard cybersecurity practices. However, most small and medium businesses do not have the expertise to identify industry-standard cybersecurity practices, much less implement them in the context of their businesses. Thus, in addition to the loss of revenue from being unable to transact business while the computers are down, the business incurs substantial costs in trying to recover the information and suffers damage to its reputation when customers find out what happened. An unexpected denial of a cybersecurity insurance claim could be devastating.
Equipment Failures ...
When a business fails in its prudent maintenance and systems support (a foundational component of cybersecurity), it increases the likelihood of a sudden catastrophic failure. For example, the hard drive which holds tax records or customer account information crashes and cannot be recovered. Murphy’s law guarantees that your computer’s failure will come at the absolute worst possible time.
What's a business to do?
This problem of small and medium businesses not understanding cybersecurity and not protecting themselves was recognized by the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), which, after years of effort, published what could be characterized as industry-standard cybersecurity recommendations and guidance for small and medium businesses: the NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide, with a supporting reference library.
The problem of ransomware is so pervasive that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) created a Stop Ransomware website containing educational information and resources.
Both of these efforts illustrate that, even for businesses which are not in the process of being prepared for sale or acquired, the risks and financial impacts arising from cybersecurity shortcomings are real and ever present.
The Business Acquisition Problem
For those who are acquiring a business, in addition to the physical assets of the business and its customers, you are purchasing the cybersecurity state of the business, including all of its weaknesses, shortcomings, and business resilience risks.
There are numerous public illustrations of a buyer failing to consider the acquired company’s cybersecurity posture, subsequently resulting in a costly hack of its computer systems. The publicly available examples of business purchase/acquisition cybersecurity failures involve larger businesses, which are subject to public breach notification requirements and shareholder disclosure requirements. In addition, these companies have capital reserves sufficient to overcome cybersecurity incidents and continue as viable businesses, avoiding bankruptcy.
Small and medium businesses typically have not reported their cybersecurity failures, including the cases in which the financial impact bankrupted the business.
A public example of a larger business acquisition in which proper due diligence was NOT done was Marriott’s acquisition of Starwood Hotels.
In 2016, Marriott purchased Starwood Hotels and, along with it, Starwood’s poor cybersecurity and hacked computer systems.
In 2018, the hackers’ activities were discovered; they originated from the Starwood computers, and Marriott guests’ personal information was stolen (names, phone numbers, physical and email addresses, birth dates, passport numbers, etc.).
Marriott was fined hundreds of millions of dollars by the governments of multiple countries and was subjected to multiple class-action lawsuits, including suits alleging that the buyer (Marriott) did not perform proper due diligence in assessing Starwood’s cybersecurity posture during the acquisition process.
For those interested, a couple of more extensive articles:
In contrast to the Marriott/Starwood acquisition due diligence failure, when Verizon acquired Yahoo in 2017 the acquisition due diligence process identified multiple cybersecurity shortcomings and data breaches. Verizon reduced its purchase price for Yahoo by $350 million, more than paying for the cost of the assessment.
For those interested, a more extensive article: After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B.
As recently summarized by Reuters:
“When acquiring a company through a stock purchase or merger, the buyer generally steps into the target's existing cybersecurity posture, including its vulnerabilities, past breaches, and latent threats... Undiscovered cyber risks can significantly diminish the value of the deal or, worse, lead to post-acquisition crises that more thorough due diligence might have prevented. Failing to adequately identify and address cybersecurity risks can result in substantial financial losses, legal repercussions, and irreparable reputational damage for both sides.” From Reuters: Invisible threats: Why cybersecurity due diligence is nonnegotiable in M&A – January 24, 2025 by Anjali Das and Gregory Parker.
Why should I care about cybersecurity during a business acquisition?
Failure to assess a business’ cybersecurity posture prior to acquiring the business exposes the buyer to
Significant financial liabilities arising from cybersecurity shortcomings within the purchased business’ computer systems.
Overpaying for the business.
Why should I care about cybersecurity of an existing business?
Failure to assess a business’ cybersecurity posture in the context of normal business operations exposes the owners of the business to
Significant financial liabilities arising from hackers, ransomware, and business interruptions.
In extreme cases, bankruptcy of the business.
In both cases, the cost of cybersecurity assessment is minimal, potentially on the order of a rounding error, when compared with the financial liabilities and/or the reduction in the business acquisition price.