Our third annual data breach preparedness study highlights a real lack of understanding among SMEs when it comes to quantifying the true cost of a data breach.
Estimates fall critically short and would put the survival of many SMEs in the balance if they were to fall foul of a typical six-figure breach.
Government figures put the cost of a data breach to SMEs at around £310,000 per incident – yet many small businesses surveyed estimated the cost to be less than £180,000 – equating to a £130,000 shortfall.
Despite SMEs underestimating these direct costs, there’s a slew of acutely bleak indirect costs that also aren’t considered, including reputational damage, loss of trust and long-term loss of customers.
Nearly two out of three (64%) consumers say they would be discouraged from using an SME again if it were hit by a data breach. But at the same time, nearly one in four (23%) SMEs surveyed acknowledged data breaches posed a risk.
While it’s understandable that smaller businesses may feel they lack the resource or expertise to prepare for a data breach, they’re also among the most vulnerable. Whether due to sophisticated cybercrime or basic human error, the true cost of a breach is far worse than companies are imagining, and businesses need to ask whether they could survive if two thirds of their customer base were to disappear overnight.
The research makes sobering reading and highlights how complacency is the key reason for inaction.
• Around half (45%) of small companies said they had a data breach response plan in place – in spite of three quarters of UK SMEs (74%) having experienced a data breach last year.
• Similarly, just over half (51%) of SMEs without a plan insisted they did not see it as a priority.
• Nearly half (40%) said they did not think they were at risk.
• One in five (20%) cited a lack of available budget as the main barrier.
• More than three out of four (77%) SMEs were confident they would know what to do in the event of a data breach.
• But further investigation found that 60% of plans contained no provisions for customer remediation, with around half (48%) failing to allow any provision for insurance, reputational fall-out, or communications around the data breach.
There’s clearly a void between how ready SMEs think they are for a data breach and the stark reality. High-profile data breaches have now become a common occurrence.
At the same time, European legislation that’s set to fundamentally change requirements of companies around customer notification is now in the pipeline.
But we’re here to help and are urging companies of all sizes to expect the unexpected and safeguard their business and customers by getting robust plans in place.
Given the so-called ‘halo effect’ of financial implications resulting from impacted customer loyalty and longer-term reputational damage, it’s vital businesses remember that the real people affected here are their customers and they’re the ones who will ultimately vote with their feet.
To help companies of all sizes be prepared to respond effectively should the worst happen, we’ve also developed a step-by-step guide to preparing a Data Breach Response Plan.