In 2020, business investment in cybersecurity hit record levels, increasing by 10% to $53 billion. Unfortunately, the same year saw more records compromised than in the previous 15 years combined. Side by side, those two figures paint a rather sobering picture.
And they also underscore the importance of effective security, especially if you ever plan to sell your business. The unpleasant truth is that whether you run an ecommerce store, a content site, or a SaaS application, the array of threats and risks you now face is more significant than ever. Distributed work, SaaS subscriptions, and online shopping weren’t the only booms created by COVID-19.
Cybercrime saw similarly explosive growth; as reported by Security Boulevard, 90% of companies experienced an increase in cyberattacks during the pandemic. As for what this has to do with business value, that’s easy. It’s all about risk.
A business with lackluster cybersecurity is, especially in the current climate, an extremely risky investment. Any prospective buyer will have to take on the chance that their new acquisition might suffer a cyberattack shortly after the sale is finalized. Or worse, maybe your business has already been compromised, and they’ll only find out months or years later.
Either way, that kind of thing can put a significant damper on the sale value of a business for a few reasons.
Think about the major businesses that have suffered data breaches in the past several years. Their reputations are tarnished, perhaps permanently. Larger companies like Facebook, Target, and Equifax can survive such damage simply by virtue of being ‘too big to fail.’
Small and medium online businesses, especially those in competitive sectors, likely cannot. An intelligent buyer understands this. They also know how difficult it tends to be to rebuild a shattered brand, especially if it’s a business they recently purchased.
Litigation and Regulatory Penalties
Reputational damage is far from the only risk associated with poor security practices. Should your business suffer an avoidable data breach that causes measurable harm to customers, clients, or employees, there’s a chance it might result in litigation. Granted, that chance is relatively small — between 3.3% and 5.7%.
But it’s still higher than zero. Given the amount of damage that a class action lawsuit can potentially cause to a business, some buyers might be reluctant to accept even that small a risk. And that’s not even getting into the stress involved in dealing with litigation.
I’ve seen it firsthand, and trust me, it’s not something anyone wants to deal with.
Far more significant than litigation is the risk of running afoul of regulators. Depending on where you live and where your audience is situated, this has the potential to be even more devastating than a lawsuit. For instance, in Europe, the GDPR empowers authorities to issue fines of up to $24.1 million or 4% of a company’s annual global turnover (whichever is higher).
And it doesn’t matter who owned the business at the time the breach occurred, either — the business itself is liable, which consequently means whoever happens to hold it at the time the breach is discovered.
Consumers today have little patience for brands that lack transparency. They have little interest in working with businesses that do not make their safety a priority. And they are generally unwilling to give their information to an organization they feel will not treat that data with the care it deserves.
That translates to lost sales and higher churn.
Concern about payment security accounted for 13% of all shopping cart abandonments in 2020. In the business-to-business (B2B) space, a vendor that does not have a strong security posture is functionally useless. Consequently, if your business has a strong security posture and makes it clear that you prioritize your customers’ safety and security, it can serve as a competitive advantage and selling point.
Security Measures Your Online Business Should Incorporate
Having driven home the importance of cybersecurity when making plans to sell your business, I’d like to conclude by explaining what that means. What’s involved in maintaining a strong security posture?
- Strong passwords. Use a password management application to generate strong passwords for any backend logins. Do not reuse passwords from other accounts, and do not rely on weak or easily guessed passwords. Brute force attacks are still very
- Account controls. No user should have access to any data, files, or permissions they do not specifically need to do their job.
- Multi-factor authentication, ideally through a mobile app, is a must. Passwords on their own, even strong ones, are likely no longer enough.
- Incident response. If your business does suffer any cyber incident, you need to ensure you have a plan to alert stakeholders and maintain business continuity.
- Redundant backups remain the best defense against all manner of digital threats, including ransomware and catastrophic hardware failure.
- If you operate a website, make sure you’re using SSL/TLS encryption (HTTPS). If you store or transmit data, make sure it’s encrypted both when it’s in motion and at rest.
- Security software. Make sure to install antispam, antimalware, and (if relevant) network monitoring software to protect your online business’s core assets.
- Security training. If relevant, make sure to regularly coach employees on common phishing scams and general mindfulness when working online.
- User privacy. Even if you aren’t based in Europe, I’d strongly advise you to have systems in place that allow users to retain control of their personal information and policies that enable them to delete or deny your business that information if they so choose.
In discussions about business value, it’s easy to get caught up examining profits & losses, market conditions, and asset lists. But especially in today’s climate, a strong security posture is every bit as important as decent financials. After all, there’s one question any intelligent buyer will ask themselves if they notice you’ve slacked off on security:
Where else might you be cutting corners?
About the Author
“Christopher Moore is the Chief Marketing Officer at Quiet Light, which specializes in helping clients sell their internet-based businesses. Additionally, he founded Gadabout Media LLC to inspire, educate, and unite others by creating visually stunning content for clients.”