A common misperception about Security is that, if my company has employed a certain collection of security “things” (anti-virus, data encryption, a few cameras, locks on the doors…), then we should be OK. This new series – Security by Design – will guide the small/medium business to a more complete understanding of the need for a security strategy and how to go about developing an appropriate program that matches company culture and the related risk environment.

As is all too frequently reported in news headlines, security events continue to impact businesses. In 2017, 76% of data breaches were financially motivated and 75% were perpetrated by outsiders [2]. Ransomware, though shifting in nature, has held many organizations hostage at one point or another over the past number of years.

While cybersecurity events continue to grab headlines, more traditional forms of security events are still very real and very impactful to business. In fact, US businesses that were affected by employee theft lost an average of $1.13M in 2016 [4] and the Association of Certified Fraud Examiners reported on nearly 2,700 cases of occupational fraud in 2017, which resulted in $7B in losses, globally [3].

Unfortunately, over 70% of cyber attacks target small businesses [1] and 58% of confirmed data breaches were at companies with fewer than 1,000 employees [2] last year. Statistics from reported events show that 50% of small businesses have experienced a cyber attack [1].

Even without accounting for recovery or other associated costs, the financial impact of security events is very real. Small and medium businesses represent 68% of theft cases, with a median loss of $290k [4]. Companies with fewer than 100 employees lost a median $200k per instance of fraud [3]. Again, this does not include recovery costs, the cost of litigation or the potential loss of reputation with customers, partners and others.

A security strategy can help manage security risk to reduce the likelihood of events, reduce losses when events occur and help the recovery process by defining response mechanisms. Look for Security by Design – Program Design in my next article.


1) https://www.inc.com/thomas-koulopoulos/the-biggest-risk-to-your-business-cant-be-eliminated-heres-how-you-can-survive-i.html

2) https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf

3) https://s3-us-west-2.amazonaws.com/acfepublic/2018-report-to-the-nations.pdf

4) https://www.cnbc.com/2017/09/12/workplace-crime-costs-us-businesses-50-billion-a-year.html