Analysis 5 min read

The Numbers That Keep You Awake

Average breach cost for a UK SME: £8,460. But that's just the start. Here's what the statistics don't tell you - and why prevention costs a fraction of the alternative.

The Transcrypt Team
Compliance Engineering

The real cost of a data breach for a UK small business

I'm going to be straight with you.

This isn't a fun post. There's no Kev anecdote at the end to lighten the mood. No biscuit jokes. This is the stuff that should scare you - because it scared me when I first understood it, and that fear is what made us take security seriously.

If you're already certified, already protected, already doing the work - this is validation. You made the right choice.

If you're not? Read this. Then do something about it.

The Headline Number

According to the UK Government's Cyber Security Breaches Survey, the average cost of a cyber attack for a small business is around £8,460.

Sounds manageable, right? That's painful but survivable. One bad quarter. A hit, but not fatal.

Here's the problem: that's an average. It includes minor incidents. Phishing attempts that got caught. Small-scale disruptions. It also includes the businesses that got lucky.

The unlucky ones? The ones that got properly hit?

Those numbers look very different.

The Hidden Costs

Let me break down what a serious breach actually costs. Not the average - the reality when things go properly wrong.

Immediate Response: £5,000 - £50,000+

When you discover a breach, the clock starts. You need:

  • Forensic investigation to understand what happened
  • IT support to contain the damage and restore systems
  • Legal advice to understand your obligations
  • Possibly PR support to manage communications

For a small business without in-house expertise, you're hiring specialists at emergency rates. That forensic investigator who'd normally charge £150 an hour? They know you're desperate. And you need them now, not next week.

Regulatory Fines: £0 - £17.5 million

Under UK GDPR, fines can reach up to £17.5 million or 4% of annual turnover - whichever is higher.

Now, the ICO tends to be proportionate with small businesses. You're probably not getting a multi-million pound fine. But you could absolutely face a fine in the thousands or tens of thousands. The ICO issued £15.2 million in fines in 2022 alone.

And even if you avoid a fine, there's the investigation process itself. Time spent responding to regulators. Stress. Distraction from actually running your business.

Notification Costs: £1,000 - £10,000+

If personal data was compromised, you're legally required to notify affected individuals. Depending on the scale:

  • Template letters, printing, postage
  • Call centre support for people who have questions
  • Credit monitoring services you might offer affected customers

Notifying a few dozen customers? Manageable. Notifying thousands? The costs escalate fast.

Business Interruption: £££ - ?????

This is where it gets impossible to predict.

How long are your systems down? A day? A week? A month?

Can you operate without your IT systems? Can you fulfil orders? Process payments? Contact customers?

Every day of downtime is lost revenue. Contracts you can't fulfil. Customers going to competitors. Staff sitting idle while you sort out the mess.

I know a business - similar size to Simpson & Sons - that was down for three weeks after a ransomware attack. Three weeks. Their monthly revenue was around £80,000. Do the maths.

Reputational Damage: Incalculable

How do you put a number on lost trust?

Customers who quietly take their business elsewhere. Contracts you don't win because people Googled you. Relationships that cool because people aren't sure they can trust you with their data.

This doesn't show up in the breach cost statistics. It shows up months later, when you're wondering why revenue is down and customer retention has dropped.

Increased Insurance Premiums: 20-100%+ increase

If you have cyber insurance and you claim on it, your premiums will go up. Possibly dramatically. Possibly you'll struggle to get coverage at all.

If you don't have cyber insurance, good luck getting it after a breach at anything resembling affordable rates.

The Small Business Reality

Big companies can absorb these costs. They have cash reserves. Legal teams. PR departments. Insurance policies with high limits.

Small businesses don't.

The Federation of Small Businesses estimates that 60% of small businesses that suffer a serious cyber attack go out of business within six months.

Let me repeat that: six out of ten don't survive.

Not because the attack itself was fatal. Because the combination of costs, disruption, reputational damage, and lost business pushed them over the edge.

They were already operating on thin margins. Already working hard to stay afloat. The breach was the thing that finished them.

A Real Example

I'm not going to name them, but I'll tell you about a business I know of.

Small professional services firm. Eight employees. Turned over about £600,000 a year. Good reputation, steady clients, nothing flashy but profitable.

Someone clicked on a phishing email. Ransomware deployed. Everything encrypted.

They didn't have proper backups. The backups they thought they had were also encrypted - connected to the same network.

The ransom demand was £40,000 in Bitcoin. They didn't pay it - on police advice - but that meant rebuilding everything from scratch.

Forensic investigation: £12,000
IT recovery and new systems: £25,000
Lost billable time (three weeks): £35,000
Two clients who left permanently: £80,000/year in recurring revenue
Staff member who quit (couldn't handle the stress): recruitment cost £8,000

Total direct costs: around £80,000
Ongoing revenue impact: significant

They survived. Barely. Two years later, they're still recovering. Still rebuilding the client base. Still paying off the loans they took out to cover the immediate costs.

The Prevention Comparison

Now let me show you some different numbers.

Cyber Essentials certification: £300-500

Monthly security platform (like TransCrypt): £20

Password manager for the team: £5-10 per person per month

Annual security training: A few hours of time

Keeping software updated: Free (just time)

Let's be generous and say comprehensive basic security for a small business costs £1,500 per year. All in. Everything.

That's less than a fifth of the average breach cost.

It's less than 2% of what that professional services firm lost.

It's nothing compared to a 60% chance of not surviving the next six months.

The Maths That Should Terrify You

The UK Government's survey found that 39% of UK businesses identified a cyber attack in 2022.

Four in ten. And that's just the ones they identified - plenty more probably happened and weren't noticed.

If you're a small business without proper security, you're not wondering if you'll be targeted. You're wondering when.

And when it happens, the average cost is £8,460. But you're not average. You might be lucky - a minor incident, quickly contained. Or you might be the professional services firm, three weeks down, clients leaving, taking out loans to survive.

Is that a gamble you want to take?

What Mr S Says

I asked Mr S what made him finally take security seriously. He said:

"I lay awake at night imagining having to call our customers and tell them their data was stolen. Imagining having to tell Sandra and Kev that there might not be wages this month. Imagining losing everything we'd built because I didn't spend a few hundred quid on a certificate."

That fear drove him to act. And acting meant those scenarios stayed imaginary.

The certificate cost him less than a day's revenue. The peace of mind? Priceless. (Sorry, that's cheesy. But it's true.)

The Numbers

Let me leave you with the numbers side by side.

Cost of Cyber Essentials certification: £300-500

Average cost of a cyber breach for UK SME: £8,460

Potential cost of a serious breach: £50,000 - £100,000+

Percentage of small businesses that fail within 6 months of a serious attack: 60%

Percentage of UK businesses that experienced an attack last year: 39%

Cost of lying awake at night worrying: Your health, your relationships, your sanity

Do Something

I'm not trying to scare you into buying something. I'm trying to scare you into doing something.

Get certified. Implement basic controls. Train your people. Back up your data. Update your software.

The breach that destroys a business is usually preventable. Basic security stops most attacks. The criminals are looking for easy targets - don't be one.

The numbers are real. The risk is real. The cost of doing nothing is real.

But so is the solution. And it costs a fraction of the alternative.

Your choice.


Danny Preece is Head of Technical Sales at Simpson & Sons and an SME Cyber Resilience Consultant with TransCrypt. He apologises for the lack of jokes in this post. Some things aren't funny.
