Government figures suggest that a data breach costs SMEs an average of £310,000. Yet there’s a worrying lack of understanding among these businesses of the true cost of this, according to Jim Steven, head of data breach services at Experian

Cybercrime and fraud are significant and growing risks faced by all of us; both businesses and consumers alike. Experian’s third annual data breach preparedness study ‘SMEs Under Threat’ reveals a worrying lack of understanding among Britain’s SMEs regarding the true cost of a data breach.

Unprecedented levels of personally-identifiable information are being traded online. With more and more data made available online every day and cyber-criminals continuing to set the pace, it is reasonable to assume we will see the threat of data breach continue to rise in the future. 

Underestimating impact

There is a severe sense of unpreparedness among small businesses when it comes to dealing with a potential cyber crisis. Half of small businesses in the UK have no plan in place to deal with a data breach.

Critically, there is also worrying lack of understanding among SMEs regarding the true cost of a data breach, with estimates falling short by an average of 40 per cent, which could leave the survival of many at stake if a breach were to hit.

Government figures indicate that a data breach costs SMEs an average of £310,000; yet the SMEs surveyed estimated the cost to be £179,990 – a shortfall of over £130,000.

While it’s clear SMEs are underestimating these direct costs, the additional indirect costs associated with reputational damage and impacted trust makes the picture for unprepared organisations even bleaker.

Two thirds (64 per cent) of consumers say they would be discouraged from using an SME’s services following a data breach, yet just a quarter (23 per cent) of SMEs surveyed acknowledged this as a risk.

Our study has uncovered a highly evident ‘it’ll never happen to us’ attitude among Britain’s most vulnerable businesses. While it’s understandable that smaller businesses may feel they lack the resource or expertise to prepare for a data breach, they are also the most vulnerable.

Whether due to sophisticated cybercrime or basic human error, the true cost of a breach is far worse than companies assume, and for small companies, CEOs need to ask themselves whether their business could survive if two thirds of their customer base were to disappear overnight.

The importance of planning

Just 45 per cent of small companies said they had a data breach response plan in place, in spite of three quarters of UK SMEs (74 per cent) having experienced a data breach last year[2].Our research revealed complacency as the main reason for inaction with half (51 per cent) of SMEs without a plan said they did not see it as a priority and 39 per cent said they did not think they were at risk.

Three quarters (77 per cent) of SMEs are confident they would know what to do in the event of a data breach; yet further investigation found that 60 per cent of plans contained no provisions for customer remediation and around half contained no provision for insurance or communications around the data breach (48 per cent and 49 per cent respectively).

Our research has also uncovered a vast gulf between how ready SMEs think they are for a data breach and the stark reality. With high profile data breaches becoming an almost-monthly occurrence, and looming European cyber legislation that could enforce huge penalty’s, it is important that companies of all sizes to expect the unexpected and ensure they have plans in place that mitigate damage to their customers – and, ultimately, their reputation.

Given the halo effect of financial implications resulting from impacted customer loyalty and longer-term reputational damage, it’s vital that businesses remember that the real people affected here are customers and they’re the ones who will ultimately vote with their feet.

Jim Steven is the head of data breach at Experian UK.