A recent study by Experian UK, SMEs Under Threat, revealed that British SMEs are unclear about the risks and subsequent costs of a possible breach, indicating that small businesses are unprepared for growing cybercrime threats. One surprising statistic from the study is that almost 30 per cent of businesses have no plans in place to deal with security threats.
The same study highlighted the fact that many UK SMEs would not survive a data breach due to underestimating the true financial impact. According to government statistics, a data breach costs a small business around £310,000, but SMEs surveyed believed the cost to be £130,000 less, at only £179,990.
So why are businesses not planning for such events, in a world so dominated by cyber-crime that it is rarely out of the headlines?
To cyber criminals any accessible company is a resource that could be exploited and discarded, simply because it is there. And once they are in, they will take whatever they can or hold the organisation to ransom in order to make a return on their time investment.
The true cost of a breach, whether due to sophisticated cybercrime or basic human error, is far higher than the cost to design and implement a plan – and generally far worse than companies tend to imagine.
Although companies may understand why they are attractive to cyber criminals, it’s clear that a data breach plan can seem overwhelming to some. But businesses plan for all sorts of eventualities, like fire, theft or employee grievances. Indeed, no business would go without a fire drill plan, and in an increasingly data-driven world a cyberattack is just as real a possibility as a fire.
The key elements of a data breach plan should cover:
Crucially, in the event of a breach or a cyberattack, it is important to get your message out quickly, and that means doing as much of the work as possible in advance. This can be done by identifying potential scenarios, developing the appropriate messaging templates and selecting appropriate communications channels for each situation.
The resulting incident response plan should be adequately staffed and resourced, and needs to be kept updated to take account of new risks. It should also be regularly tested, ideally several times a year.