Small companies – are they prepared to handle a data breach?

By Rikard af Sandeberg, Managing Director Denmark and Norway, Affinion

A recent study on data breach and identity theft revealed that confusion and uncertainty about GDPR and data breaches still prevails among the small and mediumsized enterprises (SMEs) in the Nordic markets.

In an ever more digitally connected world, cybercrime has been rapidly increasing, affecting both individuals and businesses. With the implementation of the General Data Protection Regulation (GDPR) across Europe, it has become even more important for businesses to respond quickly in the event of a data breach.

No procedures in place

But do small companies have the necessary capabilities to handle a data breach? And do they understand the potential ramifications? To understand what small companies (0-49 employees) know and think about data breaches, identity theft and GDPR, Affinion decided to ask them. The survey was performed by Novus in Denmark, Finland and Sweden and completed January 2019.

The survey revealed that there is still a lot of uncertainty among small companies when it comes to cybercrime. In general, more than half of the companies in the survey have no procedures for how to act if an identity theft occurs and the company’s identity has been abused.

4 in 10 of the small companies in Sweden responded that they do not have procedures in place that outlines how to respond if an unauthorized party gets access to the company’s customer database.

The Finnish companies are the least prepared with 71% saying they do not have procedures in place in case of a data breach, whereas this is only the case for 54% of the Danish com-panies and 43% of the Swedish companies.

72 hrs to report incident

As companies are required by GDPR to inform the local data protection agency of data breaches within 72 hours after the breach has been discovered, it is important that they are able to react quickly. The findings in the survey suggest that this might not be the case for a substantial number of the small companies.

A data breach can happen in many different ways and is not necessarily the result of an IT-related incident. However, between 20 – 28% of the companies in the survey responded that they have been exposed to computer virus, malware or even hacking which could potentially put them at risk.

Concern about data breach

Considering the relatively high number of Swedish companies responding that they have no internal processes to handle a data breach, it is a bit contradictory that only 10% are concerned about being exposed to one. This number increases as 25% of the Danish companies are concerned and the Finnish companies on top with 48% being concerned about being exposed to a data breach.

Cost of a data breach

It is of course almost impossible to predict the cost of a cyberattack, but the Nordic companies in the survey estimated an average cost (including loss of revenue) per day of € 3377 if their daily activities could not be carried out because all the company’s resources were used to manage the situation.

‘We think that many of these small companies underestimate both the potential risk of data breaches as well as the work that needs to be done following a data breach’, says Rikard af Sandeberg, Managing Director Denmark and Norway at Affinion. ‘As we have already seen, even some of the biggest global companies can suffer a data breach and we have no reason to believe that small companies, with their limited resources, would be any less at risk. Besides having severe financial consequences for the company, a data breach can also do a lot of damage to your brand reputation and lead to a loss of customers.’

‘We now see a similar evolution within cyber threats for small businesses as we did within identity theft towards private persons 7-8 years ago and we have already partnered with some of the major banks and insurance companies in the Nordics to provide assistance and mitigation services for SME’s that have been exposed to data breach.

We recommend business owners to check their insurance coverage and contact their insurance company or bank if they have any questions about ID protection or assistance in case of a data breach. Chances are, some companies probably already have access to the service and can benefit from advice on preventive measures or getting expert assistance in the event of a data breach or ID theft’, Rikard af Sandeberg concludes.

Want to know more? Contact our local Sales Director: Erja.wasenius-kesseli@affinioninternational.com

The survey was performed by Novus in Denmark, Finland and Sweden and completed January 2019. In each country, Novus conducted 300 phone interviews within two groups of small companies (0-9 employees and 10-49 employees).