Cybersecurity ROI For Small and Mid-Sized Businesses

How do you quantify something that never happened?

Many businesses and partners that we work with have grappled with the issue of how to quantify the price of not experiencing a data breach. CSO Online argues that ROI is the wrong metric; instead, businesses should be focusing on what security goals they want to achieve, and how that fits into the organization’s overall budget. While we tend to agree that ROI might not be the best way to analyze your security budget, the C-suite is unlikely to ignore ROI anytime soon. Additionally, we believe there is still value in being aware of the financial risks involved in not taking security seriously.

Though businesses will never directly profit from implementing effective cybersecurity, if they aren’t taking cybersecurity seriously, then they are very likely to suffer a data breach, and the often catastrophic material losses that can accompany it. Unfortunately, small and mid-sized businesses are both easier to hack (because they tend not to invest in cybersecurity) and far more likely to experience a financially catastrophic cyber attack. While the overall costs of a breach may be greater for larger businesses, they also have greater resiliency, and are more likely to return to business as usual following an incident. Unfortunately, for small and mid-sized businesses, a breach is often devastating. It is estimated that 60% of hacked small and mid-sized businesses go out of business within 6 months of experiencing a data breach.

Despite increases in cyber-attacks, and the bleak outlook for affected businesses, many mid-sized businesses underspend on cybersecurity. Those with purchasing power tend to be motivated by good ROI, and it can be difficult for IT teams to convince executives of the importance of advanced cybersecurity. To measure ROI for cybersecurity, companies need to look not at money earned, but rather at money saved. Downtime, negative PR, loss of intellectual property, fines, and declines in stock prices and valuations should all be considered as companies assess their risks.

Downtime

For most businesses, if they cannot access their data, they cannot operate. Ransomware attacks can take down entire networks, encrypt hard drives, and bring business to a screeching halt. Even in a best-case scenario (the hacked company has effective backups, or their cybersecurity team has a ransomware decryptor), companies often experience several days of downtime before they can properly secure the network and get everything up and running again.

This leaves businesses with tough choices about whether or not to pay up. The FBI recommends that companies do not pay the ransoms. However, a recent IBM study found that 70% of businesses that experience a ransomware attack do pay the hackers. More than half of businesses affected by ransomware paid over $10,000 to get their data back, and 20% of businesses paid more than $40,000 to retrieve their data. On top of the ransom payments, these companies are likely also paying for Incident Response services. Though these services are critical following a security incident, it is much more cost-effective to use effective cybersecurity from the beginning, reducing the likelihood of an attack.

Public Image

Most CEOs would agree that a favorable company reputation is a valuable asset, yet placing a dollar value on this can be difficult. A good reputation can help companies differentiate their products in competitive markets, and overcome minor PR setbacks, while a bad reputation can cause clients, vendors, and partners to go elsewhere. Though a data breach will most likely cause at least a temporary setback in a business’ reputation, a proactive response and proof that preventative measures were taken beforehand can help a business bounce back.

Unfortunately, most companies will be affected by a security incident. However, the way in which an organization handles a data breach tells the world a lot about its core values. Consumers are increasingly concerned with corporate social responsibility, and will support companies that they can trust, and that are transparent and responsive during a crisis. Developing a comprehensive Incident Response strategy ahead of a data breach helps companies stick to their values in times of pressure, and minimize reputational damage following a breach.

Loss of Intellectual Property and Competitive Edge

Loss of intellectual property can devastate a company. This is especially true for startups and companies in high-tech industries, such as biotech. Often, these companies spend years and millions of dollars to develop a single product. State-sponsored corporate espionage is becoming more prevalent, and companies must be diligent in defending their most important assets. The value of every company’s IP will be different, but the Congressional Joint Economic Committee found that, in 2017, the average large U.S. company lost $101.9 million in revenue and incurred costs of $1.4 million in identification and enforcement of intellectual property rights.

Fines

Cybersecurity regulations are becoming more common, which is great from a security standpoint, but can be challenging for businesses. Fines for non-compliance vary greatly. Minor HIPAA violations may only levy a one-time $100 fine, while major NYDFS violations can cost companies up to $75,000 per day. Companies need to make sure they are familiar and compliant with their industry’s cybersecurity standards.

Decline in Stock Prices and Valuation

What is every executive and board member’s worst nightmare? A decline in shareholder value. Unfortunately, a breach will negatively impact a company’s stock, but how much of an effect it has depends greatly on the company’s pre-breach security posture. According to a Ponemon study, the average company experiences a 5% drop in share value the day they disclose a breach. However, companies with a poor security posture prior to a breach experience, on average, a 7% drop in share price, which they do not fully recover. Companies with a good cybersecurity posture typically experience a decline in share value of less than 3% and actually gain long-term stock value after the incident.

For startups, a valuation decline can completely derail the company. Investors do not like to back insecure entities, and most startups find it difficult to raise capital after a security incident. More and more investors are considering a startup’s security posture, and businesses looking to stand out to VC funders should make sure they are properly protecting their data.

Calculating ROI

Every business’ ROI for cybersecurity will look a little bit different, as every business has different data to protect, different costs associated with protecting it, and different potential losses. When assessing cybersecurity risks, companies need to look at both material and intangible risks, and how data breaches have impacted other businesses in their industry. A comprehensive risk assessment is a great place for businesses to start. After a business has a clear idea of its potential risks, it can then develop a risk mitigation strategy. For some businesses, a simple cybersecurity solution and some employee training will suffice. However, businesses that deal with sensitive information or valuable intellectual property will have more to lose, and need to take a stronger stance if they wish to prevent threat actors from accessing their data.


Do you think ROI is the right metric to use to justify cybersecurity spending? Join the discussion below!