Experian’s third annual data breach preparedness study reveals a worrying lack of understanding among small and medium-sized enterprises (SMEs) regarding the true cost of a data breach, with estimates falling short by an average of 40 per cent.
Such a miscalculation could leave the survival of many at stake if a breach were to hit.
Government figures indicate that a data breach costs SMEs an average of £310,000, yet the SMEs surveyed estimated the cost to be £179,990, a shortfall of more than £130,000.
While it’s clear SMEs are underestimating these direct costs, the additional indirect costs associated with reputational damage and impacted trust make the picture for unprepared organisations even more bleak.
Two thirds (64 per cent) of consumers say they would be discouraged from using an SME’s services following a data breach, yet just a quarter (23 per cent) of SMEs surveyed acknowledge this as a risk.
Jim Steven of Experian says, ‘Our study has uncovered an “it’ll never happen to us” attitude among Britain’s most vulnerable businesses. While it’s understandable that smaller businesses may feel they lack the resource or expertise to prepare for a data breach, they are also the most vulnerable.’
Whether due to sophisticated cybercrime or basic human error, the true cost of a breach is far worse than companies are imagining, adds Steven.
He adds, ‘For small companies especially, businesses need to ask themselves whether their business could survive if two thirds of their customer base were to disappear overnight.’
Just 45 per cent of small companies say they have a data breach response plan in place, despite three quarters of UK SMEs (74 per cent) having experienced a data breach last year.
The research reveals complacency as the main reason for inaction, with more than half (51 per cent) of SMEs without a plan saying they do not see it as a priority.
Two fifths (40 per cent) say they do not think they were at risk, and 20 per cent cite a lack of available budget as the main barrier.
Three quarters (77 per cent) of SMEs are confident they would know what to do in the event of a data breach, yet further investigation finds that 60 per cent of plans contain no provisions for customer remediation and around half contain no provision for insurance or communications around the data breach (48 per cent and 49 per cent respectively).
Steven says, ‘Our research has uncovered a vast gulf between how ready SMEs think they are for a data breach and the stark reality.
‘With high profile data breaches becoming an almost-monthly occurrence, and European legislation that’s likely to fundamentally change requirements of companies around customer notification, we urge companies of all sizes to expect the unexpected and put solid plans in place.’