Selling Security to the C-Suite: 10 Statistics to Spur Organisational Action


As the number of cyber crime cases continue to rise, it’s putting organisations the world over on edge.

We’ve hit a critical point in time where attacks have become so common that businesses who aren’t hit are actually in the minority. It’s that bad.

You could even make the point that having a solid cyber security risk mitigation plan is essential for operating with any semblance of confidence in the 21st century. This factors into a company’s stability, sustainability and ultimately its longevity.

In most cases, following cyber security best practices starts at the top and trickles down. It’s usually up to C-level senior executives to lead the charge and keep an organisation safe.  

But what if your company’s C-Suite still hasn’t bought in?

Maybe it’s due to a false sense of security. Or maybe it’s simply a reluctance to commence cyber security initiatives that require time and money. Whatever the reason, failing to take cyber security seriously is just tempting fate.

The following 10 statistics may be just what you need to sell security to the C-Suite and spur organisational action.

1.  Just over half of US businesses experienced some sort of cyber attack in 2016.

This trend officially became the new norm in 2016 in the US, though similar activity is being seen around the world. While the severity of attacks can differ considerably, just north of 50 percent of all businesses fell victim within a single calendar year. reports that the following attacks were most common:

  • Malware – This affected 53 percent of businesses
  • Viruses – 51 percent
  • DDoS attack – 35 percent
  • Ransomware – 29 percent

To compound the problem, 70 percent of executives were concerned about the potential for data loss that could occur. In some cases such as ransomware attacks, data is permanently lost and can never be retrieved.

2. Small businesses account for 43 percent of cyber attacks.

Try to put yourself in the mind of a cyber criminal for a second. Which path would you be more inclined to take?

Attack a massive, global business leader with nearly infinite resources for preventing and defending attacks or a small to mid-sized business with minimal security?

As research has discovered, many prefer the latter simply because they’re easier targets. That’s why nearly half of all cyber attacks go after smaller businesses. Although the pay off may be less, the networks of SMBs tend to be much easier to penetrate.

What’s alarming is that the percentage of attacks on small businesses jumped from being only 34 percent in 2014 to 43 percent in 2015. With many SMBs lagging behind in security, this is likely to be a growing trend moving forward.

3. 60 percent of those companies go out of business within six months.

Besides the stress and headaches that arise from an attack, organisations face exorbitant costs when “cleaning things up.”

The Denver Post explains that cyber attacks cost small businesses an average of $690,000. That cost is even higher for mid market companies and often exceeds $1 million.

Some specific contributing factors include:

  • Fraud that stems from compromised data
  • Loss of trade secrets
  • Penalties from regulatory bodies
  • Costs associated with downtime
  • Diluted brand equity

It’s sad to say but six out of every ten businesses that get hit will never recover. Although cyber security initiatives require an investment, this often pales in comparison to the money that’s spent recovering from an attack.

4. Employee/contractor negligence is the primary reason behind 48 percent of data breaches.


What’s interesting is that nearly half of all data breaches aren’t the direct result of nefarious or unscrupulous activity. It’s simply due to an employee or contractor’s negligence.

This shows just how important it is for organisations to educate their employees and contractors on cyber security best practices. Some examples include:

  • Identifying questionable links and documents
  • Identifying phishing emails seeking sensitive information
  • Understanding password best practices
  • Protecting mobile devices
  • Being careful about the information that’s posted on social media

Offering comprehensive education and training is arguably the best way to protect your company pound-for-pound.

5. Roughly one billion accounts and records were compromised globally in 2016.

This statistic provides some perspective on the sheer size of the issue. We’re seeing an escalating problem where consumer data is being compromised on the macro level. Besides the obvious loss of trust and brand equity that can result, organisations can be hit with some hefty fines as well.

As TechRepublic points out, the common theme we see in industries across the board is a general disregard for security practices and failing to place an emphasis on customer security. It’s the classic “It won’t happen to me” mentality that’s so dangerous.

6. There will be 8.4 billion connected things by the end of 2017.

A big contributor to the rise in attacks is the growing attack surface. While the Internet of Things (IoT) and the cloud have revolutionised the way we do business, they create some major security concerns. With more and more devices being connected, it’s putting organisations at serious risk.

This can be especially anxiety-inducing if you currently implement bring your own device (BYOD) policies because this makes it hard to monitor your employees’ behaviour.

8.4 billion connected things is a lot, but experts predict that this number will more than double to 20.4 billion by 2020. For this reason, addressing the usage of mobile devices in your company security policies will be a must.

7. Cyber crime will cost businesses over $2 trillion by 2019.

Countless companies have already been crippled by cyber attacks. With the level of digitisation that’s taking place on the global level and business infrastructure becoming more and more interconnected, this number will continue to increase.

According to Juniper Research, the total cost of data breaches is predicted to reach $2.1 trillion by 2019 – nearly four times what it was in 2015. That’s why it’s crucial that organisations do everything they can to not become part of this statistic.

8. Only 29 percent of businesses have a response time between two and seven days.

Another startling fact is that most businesses are terribly inefficient about responding to incidents. Less than a third can effectively respond within a week.

That’s a big problem, and failing to act swiftly can maximise the overall damage. The longer it takes to respond, the worse things tend to get. What might have been a fairly small issue can quickly escalate into something much larger.

Besides taking preventative measures, it’s equally important to have a rapid response plan in the event that something does happen. Team members need to know how to react and what each person’s specific role is. You may even want to have an occasional cyber security “fire drill” to test your staff’s preparedness.

9. 93 percent of security operations managers are overwhelmed by alerts.

To make matters worse, the vast majority of security teams find themselves completely overwhelmed when dealing with potential threats. Most aren’t sure how to prioritise threats, which diminishes their effectiveness when responding.

Even for those who have made efforts to establish a proactive security plan, 26 percent are still operating in a reactive model. These statistics tell us that even the organisations that have invested a lot in security are still ill-prepared to deal with threats in a real-life environment.

10. Only 38 percent of organisations feel they are prepared to deal with a sophisticated attack.

With the recent wave of attacks occurring all over the world, you might think that cyber security would be a main objective for most companies. However, this simply isn’t the case. While many have made at least some effort to ramp up security, 38 percent simply aren’t equipped to handle a sophisticated attack.

This is problematic because your average cyber criminal is more advanced than ever. They have access to better tools, often operate with a business mentality and have a framework for committing their acts with relative anonymity. For example, they can use cryptocurrency platforms like Bitcoin to accept money anonymously for ransomware payments.

Time for Action


Technology is a double-edged sword. On one hand it’s empowered businesses in the 21st century and allows them be more productive and profitable. The cloud and the IoT in particular have been real game changers.

On the other hand, it’s created a breeding ground for cyber crime. As technology continues to advance, the frequency and intensity of cyber attacks is only going to increase.

Without a viable cyber security plan in place, your organisation is essentially playing with fire and is almost guaranteed to face an attack at some point. Preparedness really starts at the top with the C-Suite.

These individuals are usually the key decision-makers and the ones responsible for establishing a cyber security framework. Getting them on board is the critical first step for getting your organisation to take action and protect its IT assets.

What are the biggest obstacles that are preventing your business from investing in cyber security? Please share your thoughts:


Image Credits

Featured image: iAmMrRob / Pixabay

In-post image 1: janeb13 / Pixabay

In-post image 2: StartupStockPhotos / Pixabay

Ajay Unni

Ajay Unni is the Founder and Chief Executive Officer of Stickman. Ajay specialises in helping customers manage the growing threat of data breaches and compliance with globally accepted industry standards for data security and compliance. More articles by Ajay Unni

Take charge of your cybersecurity today, with Stickman.

Get in Touch