In April, the commonly used cloud storage service Dropbox revealed that it had been hacked. The attackers gained access to users’ sensitive information via the Dropbox Sign tool. While many average users may respond to this kind of security violation with an “oh well, another hack” shrug, in reality these breaches pose serious threats to SMB owners because of their varied potential consequences.

Access to Data / Downtime – Wasted time is wasted money 

First and most basically, these kinds of security threats can result in wasted time. In many attacks similar to the Dropbox hack, businesses can be left twiddling their thumbs while the clock runs; this may happen in a couple of different ways. In the Dropbox security breach, Dropbox shut down access for many users while investigating and fixing the problem. Even if an SMB was not affected directly by the breach, these blanket service shutdowns obviously can cause serious problems for businesses relying on those services. Also, depending on the third-party software that has been hacked, SMB owners could find themselves wasting time chasing the problem with the provider. That is, calls and emails may not be returned in a timely fashion or at all, or the provider may simply not be forthcoming about the situation (leaving an SMB and its customers frustrated and confused). The aftermath of a breach can be chaotic: the provider may not initially know what is going on themselves, may try to minimize the issue so as not to lose face, or may simply be overwhelmed by an all-hands-on-deck effort to address the issue. In any case, what that means for the SMB owner is lost time for you and your employees.

Lost Money 

SMBs can also experience financial costs related to third-party software breaches. For example, if the breach were of a cloud application your team uses, SMBs could lose money due to an inability to access customer billing information. A security issue with an email application might disrupt well-laid marketing campaigns or basic email contact with customers. Or, as mentioned above in the case of the Dropbox customers whose access was blocked in the wake of the breach, an SMB might lose money simply by paying employees to do nothing since their data is inaccessible.

Compliance Problems 

For some SMBs, security breaches present compliance problems as well. Imagine a healthcare provider who used Dropbox Sign with patients. The provider may use Dropbox for onboarding patients, signing consent forms and insurance forms, and general patient info. Now, with this breach, that provider has opened themselves up to a HIPAA compliance violation, a potentially massive financial hit and time-suck. The same could apply to other industries, as client information, financial details, or other security concerns could put an SMB at risk of various compliance violations.

Damage to Customer Trust

Moreover, a security incident like this is not a one-time, fix-it-and-forget-it issue. While SMB owners may think “well, that hack is Dropbox’s problem,” findings show that issues like these impact a business’s bottom line well beyond the immediate financial impact. The 2024 Verizon Data Breach Investigations Report shows that one quarter of businesses experienced revenue losses in the year following a breach. Again, the breach could be one that a third party experiences but that impacts you or your own organization (like the Dropbox hack); however, your clients may not distinguish between a third-party software breach and your business’s performance. In a situation where a customer’s service or product is impacted, or where their data is accessed, or even simply where a customer experiences the chaos and confusion in the hours and days after a breach, they might hold you responsible for that breach, whether or not it is your fault.

In a real-world case BIT Services has dealt with, a hacker obtained access to a service provider’s customer data, then proceeded to send out false invoices which the hacker then collected (without the knowledge of the provider). As much as the money involved, the reputation of a business suffers significant damage from security breaches that impact customer services, information, or billing, for example. Again, customers may not be able to distinguish between what is YOUR fault and what is a third-party software’s fault; they only know they did not receive the service or product they paid for in the time they expected it.

Ultimately, how these third-party security incidents end up impacting business depends on a wide variety of circumstances, including the type of software and how extensively a business relies upon it.  Some impacts may be beyond the control of the SMB, but it is increasingly important for SMBs to practice basic cyber hygiene tactics to mitigate issues that are within their control.