I recently had the privilege of meeting a business analyst from BDC. She shared some not-yet-published information from a study BDC conducted.

Most statistics available online are from the U.S. Obtaining Canadian statistics can be difficult, so I appreciate her willingness to share these sobering numbers:

  • 227 - Average number of days to identify and contain a data breach.
  • 21% - Percentage of SMEs that will not survive a security incident.
  • $2M - Average cost to remediate an incident, excluding ransom (<1000 employees).

We’ve heard similar stats for how long hackers sniff around in a company before conducting the actual attack. But 227 days is even higher than the other stats we’ve seen.

Think about it: A bad guy gets access to your systems today. They watch and learn for weeks or months. They figure out how big the business is, the annual revenue, profitability, cash on hand, etc. Based on what they learn, they decide how to attack and how much money they should ask for.

For example, if you have $30M annual revenue with 10% profitability and maintain an operating balance of $1.5M in the bank, they aren’t going to ask for $5M because they know it would bankrupt you. Instead, they might demand $500K – enough for it to hurt but not enough that you wouldn’t be able to pay.

Then, if you do pay but don’t fix the problem that allowed them access in the first place, they will simply do it again in another 6 months or a year.

