The cost of data loss to your small business

Katie Chadd 20 Jun 2018

On average, a data breach can cost a small business £53,000

Data breaches are more common than you might think, especially for small businesses.

To illustrate that point, here are a few key statistics:

  • There was a 424% increase in data breaches at small businesses between 2017 and 2018
  • 43% of all businesses admitting they have suffered a data breach or cyber attack in 2017
  • 75% of data breach victims are small businesses
  • Data breaches in small businesses occur most often in these industries: retail, professional services, accommodation, healthcare and finance.

    (Sources: 4IQ, Verizon)

Small business data breach statistics

  • Security breaches due to cybercrime increased by 27.4% in 2017

  • Small and medium-sized businesses have higher average costs related to malware, online attacks and phishing than large businesses

  • On average, security intelligence systems, such as antivirus, save businesses (large and small) in the US $2.8 million (2017)

  • Only 21% of US small to medium-sized businesses say they are able to protect against threats.

    (Sources: Ponemon Institute, Business Insider, CNBC)

These and other figures paint a concerning picture. Small business owners (SMBs) are underprepared for constant attacks that can cost them thousands.

How much is your data worth?

Part of the problem is that many SMBs don’t know what’s valuable – or, at least, everything that is of value. We lock our doors, keep cash in safes and have intruder alerts. But what about your digital data?

While it may not be that valuable to someone else, it’s invaluable to you, which is why ransomware attacks work to get YOU to buy it back. How much a company’s data is worth is often only quantified when a cybercriminal steals it and offers it back at a cost. How much would you pay for all of your data?

The aim is never to get to this stage. All small businesses should aim to collect their valuable data and protect it.

What types of data are at risk?

Contemporary businesses rely on a wide variety of data types. How these businesses manage the collection and protection of that data is crucial to ensuring customer satisfaction.

Your business gathers and uses data that relates to its core activities:

  • Production
  • Marketing
  • Sales
  • Fulfillment
  • Invoicing
  • Human resources

The average cost of data loss for small businesses

The cost of cybercrime to you and your business will depend on what your business does, how it makes money and what form the attack is.

Having said this, financial loss is always harmful whether as a result of having to pay out to repair a compromised system, compensate customers, or to pay fines to the relevant authorities if you’re found to be in breach of legislation. It will have a detrimental and unforeseen effect on your revenue and cash flow.  

We’ve worked out that the total cost of a data breach for a small business could reach £53,000 continue reading to find out how we got there.

Ransomware attacks

Your digital data – reports, surveys, emails, corporate information – is an essential part of the service you offer. How much would you pay to get it back if you suffered a ransomware attack? On average, small companies are asked to pay £3,000 per user ($4,200.00).

Time costs money

How much time - and therefore money - would it take to rebuild your data if it was permanently deleted? Even if you pay the ransom requested by the malicious hackers, there is no guarantee you will get your data back. Plus, ransomware is just one type of cyber attack. There are plenty of viruses that can compromise your data and not provide you the opportunity to get it back.

Many companies shut down during cyber attacks and this has a cost. For example: an attack means you and 20 employees can’t work for two days. If the average employee gets paid £200 ($275) per day, the attack has already cost you £8,000 ($10,980.) Then figure in the time to rebuild your digital assets (assuming you can.) If it takes each person a week’s work to rebuild databases, repopulate address books and scour emails for invoices, purchase orders and other data, that’s an extra £20,000 ($27,450.) Now factor in any new business you have been unable to do, what is the loss of earnings? If you turn £5,000 ($6,860) per day, that’s £25,000 ($34,310) over a working week.

Now the figure is starting to look like £53,000 ($72,740).

Retrospective tech and protection

Of course, that £53,000 ($72,740) - or whatever your initial costs total - is before you look at other damage costs. This may include outside technical support to clean and rebuild servers, new machines and the cyber security that people invest in all too late. This could easily add a few more pounds or dollars to your bill.

Fines and litigation

There are other important reasons to protect your data. In the US businesses must comply with a variety of State and Federal laws and regulations; in the UK, companies have to comply with the Data Protection Act.

Economic regions also have their own requirements that member and non-member states need to be aware of, such as the European Union General Data Protection Regulation (GDPR) which came into effect on 25 May 2018.

Failure to manage your customers’ data in accordance with the relevant laws can result in fines, litigation, and even criminal convictions. Penalties for not complying with GDPR, for example, are up to 4% of your annual international turnover or, for the most serious breaches, €20million ($24million/£17.5million.) Failure to comply might also affect the ability to deliver a service or product to your customer.

Another important aspect to consider is that companies and individuals have the right to sue you, if you are the source of a breach of their data that you hold. Thousands of employees sued Morrisons supermarket over data breaches. The same fate befell Seagate, who were sued through the Northern California District Court for their data breaches.

Although small businesses are not affected by lawsuits to the same extent as bigger companies, one statistic states that the average small business earning $1million (£730,325) annually will spend about $20,000 (£14,600) on legal costs every year. So it’s worth considering the impact data breaches can make on any budget you set aside for litigation costs.

Protecting your team

Businesses have a responsibility to protect the personal data of their employees, and breaches can endanger your colleagues: people with families and livelihoods of their own.

Some businesses even end up having to close after an attack, which means everyone is out of business and looking for a job. By failing to protect your digital assets you are placing everyone at risk.


And what about your reputation? You might say it’s hard to quantify value like that, but if negative press and subsequent distrust means your revenue drops by 20%, it’s easier to quantify.

Equifax is not only being sued, but its plummeting share price shows the impact of distrust.

Any loss in customer trust could also hamper your future success and the reputation of your brand or business. Your customers may reasonably think that, if you were hacked once, why couldn’t it happen again? Confidence in your brand or business can drain faster than the battery of your smartphone.

How to protect your small business from a data breach

  • 9% of small businesses get burgled
  • 0.1% of UK businesses were affected by fire*
  • 90% of all data breaches affect small businesses

*This figure is the number of fires (7209) as a proportion of the total number of businesses in the UK according to UK Gov: 5.7m.

You lock up at night. You have security cameras and burglar alarms. Your phone has a screen lock. You have smoke detectors and sprinklers. And then you insure your premises and other liabilities, to make sure that if these measures don’t work, you can recoup damage costs and rebuild your business.

So, why don’t small business protect their digital assets in the same way? It costs a fraction of an attack and gives you peace of mind, just as your locks, insurance and smoke detectors do. Follow these basic actions to protect your small business:

  • Train your staff. If you don’t have the money to spend on formal training courses, you’ll find plenty of information online that will benefit you and your staff. Make sure that your employees know:

    • How to spot suspicious emails, websites or links
    • Basic data principles such as using strong passwords, restricting access to files with sensitive data 
    • The law around data protection such as GDPR or industry specific legislation
    • What to do in the event of a data breach (inform manager, do not use computer)
  • Create a cybersecurity policy to formalize the above. You should also include and/or reference a Bring-Your-Own-Device (BYOD) policy (for example, do not connect to the network with an unprotected device).

  • Invest in business antivirus. Not all attacks will start with a suspicious email, so you can’t solely rely on employee-vigilance to protect your business. Antivirus offers a range of features that will help to prevent data breaches. Learn more about Avast Business Antivirus.
--> -->