A single data breach can sink your business, yet many SMEs remain unaware of the full impact a cyberattack can have.

In fact, research from Experian found that 40% of UK small businesses underestimated the cost of a data breach, and government research found that the average direct cost of a breach for SMEs is around £310,000.

If that figure is large enough to make your eyes water, consider that it only includes direct costs such as fines, compensation and business disruption. Indirect costs such as reputation loss and reduced consumer trust can be twice as damaging.

Additionally, 40% of SMEs didn’t think they were at risk of data breaches at all, despite the fact that the majority of small companies reported some kind of security breach during the previous year.

Although over half of SMEs don’t have data breach response plans in place, 77% were confident that they’d know how to respond to a breach. However, the research goes on to show that, of the plans that did exist, the vast majority lacked key components.

Preventing data breaches

As with any security problem, it’s far better to stop cyberattacks from succeeding in the first place than to clean up after a breach.

Many data breaches are at least partly due to human error or negligence. Therefore, it’s important to give staff basic cybersecurity training, covering how to recognise common phishing techniques and how to keep company data safe on personal devices.

Reinforce the importance of keeping software up to date: vendors release patches when security vulnerabilities are found, but a patch only protects you once it has been installed, so turn on automatic updates wherever you can. Implement a strong password policy as part of a wider cybersecurity procedure, and enable multi-factor authentication wherever it is offered, since a password on its own is easily phished.
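As an added illustration of what a “strong password policy” can mean in practice (this is example code written for this page, not from the original article or any product it describes), the check below rejects short passwords, passwords on a deny-list of common choices, and passwords built from the user’s own name or the company name. The policy itself is an assumption modelled on current UK NCSC advice (prefer length over forced complexity, block known-bad passwords); the deny-list and the company name “Acme” are constructed samples.

```python
"""Added example: a minimal password-policy check for an SME login system.

Not from the original article. The policy is an assumption modelled on UK NCSC
advice: prefer length over forced complexity, block a deny-list of common
passwords, and reject passwords built from the user's own name or the company
name. The deny-list and company terms below are constructed samples; a real
deployment would load a much larger deny-list (e.g. from a breach corpus).
"""
from __future__ import annotations

MIN_LENGTH = 12

# Constructed sample deny-list; a real one has tens of thousands of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "123456789", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "monkey",
}

# Assumption: the SME is "Acme Ltd"; attackers try the company name first.
COMPANY_TERMS = {"acme", "acmeltd"}


def _contains_term(password: str, term: str) -> bool:
    """True if a term of 3+ characters appears (case-insensitively) in the password."""
    return len(term) >= 3 and term.lower() in password.lower()


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Compare both the raw password and a copy with trailing digits/punctuation
    # removed, so "password123!" is caught as well as "password".
    stripped = lowered.rstrip("0123456789!@#$%^&*.,?")
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears on the common-password deny-list")

    # Reject passwords derived from the username, e.g. "j.smith@acme.example"
    # yields the parts "j", "smith", "acme", "example".
    for part in username.replace("@", ".").split("."):
        if _contains_term(password, part):
            problems.append("contains part of the username")
            break

    if any(_contains_term(password, t) for t in COMPANY_TERMS):
        problems.append("contains the company name")

    # A single repeated character is long but guessed almost immediately.
    if len(set(lowered)) <= 2:
        problems.append("too few distinct characters")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True when no policy rule is violated."""
    return not check_password(password, username)


if __name__ == "__main__":
    samples = [
        ("password123!", "jsmith"),
        ("jsmith-acme-2024", "j.smith@acme.example"),
        ("correct horse battery staple", "jsmith"),
    ]
    for pw, user in samples:
        print(f"{pw!r}: {check_password(pw, user) or 'OK'}")
```

The check returns the reasons for rejection rather than a bare True/False so the sign-up form can tell the user what to change; it deliberately imposes no “one upper-case, one symbol” rules, which mostly produce predictable substitutions like “Password1!”.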

If you don’t have any security experts on your team, it’s worth approaching an expert about further steps you could take. For example, penetration testing is where an attack on your company is simulated under agreed rules, helping you find flaws in your security before a real attacker does.

Responding to data breaches

Data breaches take many different forms – some may be accidental, others will be malicious. Some will target company data such as emails, while other attackers may be after customer information such as credit card details.

Regardless of the type of attack, your response should include the following:

·       Rapid communication with relevant internal stakeholders – executives, managers, response team etc.

·       Contain the problem first (for example by isolating affected systems or revoking compromised credentials), preserve the evidence, then investigate the cause, fix it and document everything.

·       Contact law enforcement, PR firms, lawyers etc. if relevant.

·       Notify affected customers and, where appropriate, make a public announcement.

·       Continue to communicate with those affected about the extent of the breach and the steps they should take to reduce risk.

It’s essential to let customers know about breaches quickly – they’d certainly prefer to hear it from you instead of finding out after their bank account has been cleared out.

If you’re in the UK, you are legally required to notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach involving personal data, unless the breach is unlikely to result in a risk to the people affected; where the risk to them is high, you must also tell those individuals directly. You are also required to keep a log of every personal data breach, whether or not you report it, documenting its cause, its effects and the action you took.

The prospect of a data breach is daunting for SMEs, particularly if you lack the technical expertise to implement thorough security systems. The costs of such a breach are huge – so it’s worth getting an expert to assist you.

However, many data breaches can be prevented simply through staff training and raising awareness of basic, everyday cybersecurity risks; these preventative steps will also help you use your point-of-sale software safely and confidently.