A recent study by Experian UK, SMEs Under Threat, revealed that British SMEs are unclear about the risks and subsequent costs of a possible breach, indicating small businesses are unprepared for growing cybercrime threats. A surprising statistic highlights that almost 30 per cent of businesses have no plans in place to deal with security threats.
The same study highlighted the fact that many UK SMEs would not survive a data breach due to underestimating the true financial impact. According to government statistics, a data breach costs a small business around £310,000, but SMEs surveyed believed the cost to be £130,000 less, at only £179,990.
So why are businesses not planning for such events in a world that is so dominated by cybercrime, which is rarely out of the headlines?
To cyber criminals, any accessible company is a resource that could be exploited and discarded, simply because it is there. And once they are in, they will take whatever they can or hold the organisation to ransom in order to make a return on their time investment.
The true cost of a breach, whether due to sophisticated cybercrime or basic human error, is far higher than the cost to design and implement a plan and generally far worse than companies tend to imagine.
Although companies may understand why they are attractive to cyber criminals, it’s clear that a data breach plan can seem overwhelming to some. But businesses plan for all sorts of eventualities, like fire, theft or employee grievances. No business would decide against a fire drill plan, and in an increasingly data-driven world, a cyberattack is just as real a possibility as a fire.
The key elements of a data breach plan should cover:
Crucially, in the event of a breach or a cyberattack, it is important to get your message out quickly, and that means doing as much of the work as possible in advance. This can be done by identifying potential scenarios, developing the appropriate messaging templates and selecting appropriate communications channels for each situation.
The resulting incident response plan should be adequately staffed and resourced, and needs to be kept updated to take account of new risks. It should also be regularly tested, ideally several times a year.
Moving forward, it will become ever more essential for companies to have a robust data breach plan in place. With the advent of GDPR and the financial implications of a data breach, not having one could spell disaster; in the words of Benjamin Franklin, ‘by failing to prepare, you are preparing to fail’.