DataThe threat of a data breach is growing and irrelevant of size, all businesses need a plan to firstly respond, and then recover and reassure, says Jim Steven, data breach expert at Experian.

SMEs and the personal identifiable information challenge

Data breach. Two words that smaller business owners can no longer ignore as an issue that only affects other, much larger, organisations. The threat of a breach is growing and irrelevant of size, all businesses need a plan to firstly respond, and then recover and reassure. Organisations managing large volumes of personally identifiable information face the worrying reality that their business could be a target because of the value data holds to scammers and thieves.

This reality has never been truer when it comes to SMEs. According to research from Experian, 74 per cent of SMEs suffered a data breach in 2015, with a third of businesses still without a data breach response plan – a significant gap that needs addressing.

Root of the threats

When it comes to data breaches, there are multiple threats at play. Almost one fifth (17 per cent) of incidents arise from spear phishing, an email or electronic communications scam that targets a specific individual or business. The intention behind this? To steal data or install malware on the target’s computer. Extra vigilance is needed, especially by finance staff, who can often become victims by paying fraudulent invoices.

Another tactic of the data breach criminals is social engineering. In these instances, attackers use human interaction to manipulate people into breaking normal security protocol. Anyone within a business can become victim to these – education and awareness are key to prevention. Worryingly, more than a fifth (21 per cent) of security vulnerabilities detected on networks were more than three years old. Some even dated as far back as 1999.

Cost of data breach

Not having a data breach plan in place makes it harder for SMEs to really understand the cause of the breach, and why they were targeted. While no-one expects a data breach, having processes in place to notify those affected as soon as possible will provide support to them. The research revealed that 42 per cent of SMEs had no customer notification plan if struck by a data breach, with 48 per cent also without insurance.

Government statistics reveal that a data breach costs a small business around £310,000. But SMEs believe it’d cost around £179,990 – a staggering £130,000 difference. With such an underestimation of the true financial impact, how many SMEs would actually survive a data breach?

Employing best practice to build better business performance

Confidence is great. 77 per cent of SMEs are confident they’d know how to handle a data breach. Whether that is true or not, the key to truly reaching readiness is investing time and preparing in advance – it’s a huge risk to only begin thinking about a breach when it happens.

One of the most crucial steps is communication. Customers and employees need to be notified as soon as possible if a data breach is to be managed effectively. The ability to communicate and offer identity/credit monitoring to safeguard people during what is inevitably unsettling time will serve the business well when it comes to providing peace of mind to those most important to them.

When it comes to best practice, there are a few processes businesses should always have in place, such as highly secure servers, fire walls and filters and back-up systems.

But it’s important to focus attention on maintaining best practice when it comes to people, not just technology. Around 50 per cent of breaches occur as result of an individual’s misjudgement – a figure that would be foolish to disregard. Small businesses need to ensure they’re effectively screening new employees before they start work, and ensure they’re training all staff in cyber risks. This shouldn’t fall to a small minority of the business either. Board level support is essential and externally certified resilience through Cyber Essentials, ISO27001 and IT vulnerability tests can help too.

Once the plan is in place, it cannot be forgotten about. It should be regularly reviewed and revised, something only 29 per cent of companies are currently doing on a quarterly basis. Planning for a data breach should be a regular task, and one which is regarded and invested in as highly as a business strategy plan, for example.

The potential of a data breach response plans is that it could lessen the financial impact following a breach. While it can be a challenge for many small businesses in terms of taking the time to prepare, the reality of the alternative is not an option, as the government figures showed. The focus for all SMEs should be to get plans in place to prepare for a breach should it hit, and follow best practice so the business can operate efficiently moving forward. In addition to the resilience of data breach preparedness, such foresight will help a business streamline and strengthen themselves from top to bottom.

Jim Steven, Head of Data Breach Services at Experian

GDPR Summit Series will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.

Further information and conference details are available at

The GDPR Summit Series has been specifically designed for business generalists rather than data protection or privacy specialists and will provide delegates with a comprehensive picture of the new regulations and a practical understanding of the implications and legal requirements needed for compliance.