SMEs underestimate the cost of a data breach by 40%

London, UK, 24 March 2016 - Half of small businesses[1] in the UK have no plan in place to deal with a data breach and are drastically underestimating the cost of managing one.

Experian’s third annual data breach preparedness study reveals a worrying lack of understanding among SMEs regarding the true cost of a data breach, with estimates falling short by an average of 40%, which could leave the survival of many at stake if a breach were to hit. Government figures indicate that a data breach costs SMEs an average of £310,000; yet the SMEs surveyed estimated the cost to be £179,990 - a shortfall of over £130,000.

While it’s clear SMEs are underestimating these direct costs, the additional indirect costs associated with reputational damage and impacted trust makes the picture for unprepared organisations even more bleak. Two thirds (64%) of consumers say they would be discouraged from using an SME’s services following a data breach, yet just a quarter (23%) of SMEs surveyed acknowledged this as a risk.

Jim Steven at Experian said: “Our study has uncovered an ‘it’ll never happen to us’attitude among Britain’s most vulnerable businesses. While it’s understandable that smaller businesses may feel they lack the resource or expertise to prepare for a data breach, they are also the most vulnerable. Whether due to sophisticated cybercrime or basic human error, the true cost of a breach is far worse than companies are imagining, and for small companies especially, businesses need to ask themselves whether their business could survive if two thirds of their customer base were to disappear overnight.”

Just 45% of small companies said they had a data breach response plan in place, in spite of three quarters of UK SMEs (74%) having experienced a data breach last year[2].The research revealed complacency as the main reason for inaction:

• Half (51%) of SMEs without a plan said they did not see it as a priority;
• 40% said they did not think they were at risk;
• A fifth (20%) cited a lack of available budget as the main barrier.

Three quarters (77%) of SMEs are confident they would know what to do in the event of a data breach; yet further investigation found that 60% of plans contained no provisions for customer remediation and around half contained no provision for insurance or communications around the data breach (48% and 49% respectively).

A typical SME response plan:

• 42% No customer notification
• 45% No legal plans
• 48% No insurance plans
• 49% No communication plans
• 60% No remediation for customers
• 75% No forensics

“Our research has uncovered a vast gulf between how ready SMEs think they are for a data breach and the stark reality. With high profile data breaches becoming an almost-monthly occurrence, and European legislation that’s likely to fundamentally change requirements of companies around customer notification, we urge companies of all sizes to expect the unexpected and put solid plans in place. Given the halo effect of financial implications resulting from impacted customer loyalty and longer-term reputational damage, it’s vital that businesses remember that the real people affected here are customers and they’re the ones who will ultimately vote with their feet.” Jim Steven continued.

Experian has launched a new Data Breach Response Guide to help SMEs demystify the area of data breaches and how they should be preparing to mitigate damage to their customers – and, ultimately, their reputation. Experian’s Data Breach Response Guide is available to download for free at www.experian.co.uk/databreach.

Creating a data breach response plan: the essentials

1. Legal and privacy: Businesses should be aware of their legal obligations regarding notification of customers, media, lawyers and regulatory bodies. It is a good idea to establish relationships with any external legal representatives and be familiar with the latest regulatory updates before the worst happens.
2. Public relations: 72% of consumers believe that the company is to blame if a data breach occurs, so a crisis communications plan is vital to mitigate reputational damage. This should include managing and logging internal and external enquiries, plus tracking, analysing and responding to all relevant media coverage.
3. Customer care and human resources: Customer Service teams are a company’s first line of defence against the backlash caused by a data breach. Simulation training can help prepare staff for an emergency situation, including setting up a data breach hotline for customers affected.
4. The Police and regulatory bodies: Businesses should assess immediately which authorities need to be notified by law, such as the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA) or the Cyber Crime Unit of the Police.
5. Data breach resolution partner: Assign a dedicated breach response manager to handle all aspects of notification (such as drafting, printing and mailing letters, address verification); offer identity theft monitoring to reassure those affected and provide early-warning tools to allow them to resolve potential fraud or identity theft.

ENDS

Notes to Editors

Research methodology: Survey conducted by ComRes, surveying 302 IT business decision-makers within small, medium-small and medium-large enterprises in January 2016, online and by telephone. All businesses held PII data for more than 100 customers or employees. ComRes also interviewed 2,008 British adults.

Jim Steven, head of data breach services at Experian available for media interviews upon request

Media contacts

Jill O’Connor, Senior PR Manager

T: +44 (0) 20304 24870
M: +44 (0) 7964 903729
E: Jill.OConnor@experian.com

Priya Sahib, PR Manager
T: +44 (0) 20304 24573
M: +44(0)78 1649 1152
E: priya.sahib@experian.com

About Experian

We are the leading global information services company, providing data and analytical tools to our clients around the world. We help businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. We also help people to check their credit report and credit score, and protect against identity theft. In 2015 we were named by Forbes magazine as one of the ‘World’s Most Innovative Companies’.

We employ approximately 17,000 people in 37 countries and our corporate headquarters are in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and São Paulo, Brazil.

Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended March 31, 2015, was US$4.8 billion.

To find out more about our company, please visit http://www.experianplc.com or watch our documentary, ‘Inside Experian’.

[1] Companies with 1 – 49 employees

[2]HM GOVERNMENT 2015 Information Security Breaches Survey