
Cybercrime is a big problem for the UK. In 2022, it cost the UK economy an estimated £27 billion. And that number is only predicted to have grown over the past three years.
One of the most high-profile and impactful areas of cybercrime is data breaches. You know those stories where a company is hacked and their data is either held ransom, leaked to the world, or sold? That’s a data breach.
What impact do data breaches have on small businesses?
At worst, the average cost of a data breach for businesses can be devastating. At best, they’re an expensive nuisance that forces you to stay on your toes.
Large and medium businesses are targeted the most. Their data is the most valuable to cybercriminals, but it's also difficult to get.
Why? Well, they have more budget to spend on cybersecurity and experts. So, they can set up tough defences around their data.
These criminals will go after smaller businesses too. The rewards are smaller but the data's easier for them to get their hands on.
How many UK businesses have experienced some kind of data breach?
The government’s latest Cyber Security Breaches Survey, published in April 2024, reveals that half (50%) of all UK businesses have experienced some form of cybersecurity breach in the last 12 months. For large businesses, this rises to 74%.
That’s a third of all UK businesses and nearly three-quarters of bigger organisations. Not forgetting many smaller businesses have no way of detecting cyber-attacks. So there are potentially thousands of attacks going unrecorded.
The continuing evolution and ease of access to AI in 2025 is also having an impact on the world of cybercrime. The NCSC has highlighted the importance of properly protecting your business, as cybercriminals begin to utilise AI to improve the speed and impact of cyber-attacks.
But just what is the average cost of a data breach for UK businesses? And what sort of impact can data breaches have on businesses?
What is the average cost of a data breach for UK businesses?
It’s difficult to put a firm number on the cost of a data breach in the UK. It depends on the size of your company, how much data you store, what your business does, and much more.
There are a few ways we can measure it, though.
First, we can look at the average cost of a data breach around the world. According to technology giant IBM, which looked at data from 16 different countries and regions, it was $4.88 million in 2024. This is an increase of 10% from 2023, the biggest rise since the pandemic.
It’s worth mentioning that this stat doesn’t include very small or very large breaches. For huge companies that have vast amounts of data, a breach will cost them a lot more.
Likewise for small businesses, the cost will be a lot lower as they store much less data.
So, let’s look at it another way.
In 2024, the average cost of cybercrime to a UK business was around £1,120. Looks a lot lower than $4.88 million, doesn’t it? Well, this stat includes forms of cybercrime which will be much cheaper to sort out. Especially those that don’t involve stolen data.
This stat also takes into account very small businesses, which IBM didn’t do in their study. Thousands of small businesses are affected by cybercrime every year. But naturally, their clean-up costs are a lot lower.
When you consider that small businesses make up 99.2% of our business population in the UK, it makes sense that including them would drive down the average cost.
Regardless, this amount of money can cause real problems for small and micro-businesses. But there are other, less measurable issues that they might have to face…
How often are small businesses hit by cyber-attacks?
We won’t mince words. A successful data breach of a small business can cause chaos.
Why? Well, it comes down to investment in cybersecurity. A small business doesn’t have as much budget to spend on defending themselves from cybercriminals.
They also don’t have as much access to experts who can monitor and log attacks.
A report by Hiscox in 2018 estimated that UK small businesses were targeted with 65,000 cyber-attacks per day. And that over 4,500 of those attacks were successful.
This means that a small business was successfully breached every 19 seconds.
Other global and UK-based data we’ve highlighted in this blog shows us that post-pandemic, it’s highly likely that this number of attacks will have risen. Especially with the increasing use of AI in cybercrime.
How much do data breaches cost small businesses?
What does being breached actually mean for a small business? Hiscox found it costs them about £25,700 in clean-up costs, on average. This includes restoring systems, paying ransoms, replacing hardware, and investing in better security after they’ve been breached.
The second big hurdle they have to face is less measurable. Business interruption, damage to their reputation, difficulty getting customers in the future. These problems are far more likely to lead to a small business closing after a data breach.
In 2024, Hiscox found that 43% of businesses lost customers after a cyber-attack. And 38% reported experiencing bad publicity.
With challenges like these in mind, it’s easy to see how a small business could struggle to keep its doors open. Especially if they were faced with a particularly damaging data breach.
What are the different kinds of data breaches?
There are many different kinds of data breaches. Some of which are complex and nuanced, while others are about as subtle as throwing a brick through a window.
The main ones you need to watch out for involve exploiting human error. In 2023, Stanford University research found that around 88% of all data breaches are caused by human error.
That’s why training your staff is so important. So they can avoid the tricks and tactics that cybercriminals love to use.
These include phishing emails, where a fake email is used to gain access to a system. Or ransomware, where someone inadvertently installs malware on your network, allowing a cybercriminal to hold your data hostage in exchange for a ransom payment.
Outside of human error, there are physical breaches. A criminal might steal an employee’s laptop or phone, or break into your office and rip a hard drive out of a computer.
These are just a few examples of data breaches. In reality, there are dozens of techniques that cybercriminals use.
The most important thing is that you have some kind of cybersecurity in place. It’s all about prevention.
Where does GDPR come in?
You’ve probably heard a lot of talk about GDPR over the last few years.
It stands for General Data Protection Regulation. It’s a set of rules that makes sure personal data is used responsibly by businesses.
You’ll often hear about it when companies are fined for failing to follow the rules. Usually in connection to a data breach.
When a company is breached, it might be found that it didn’t protect its data properly. This is a big no-no when it comes to GDPR.
So much so that they can be investigated by the regulator (the Information Commissioner’s Office) and fined up to £17.5 million, or 4% of their annual global turnover. Whichever is greater.
Smaller businesses probably wouldn’t see a fine anywhere near this level. But they can still be fined thousands of pounds.
Putting up the right defences
Don’t want to be on the receiving end of a data breach? We don’t blame you. Because the average cost of a data breach for small businesses in the UK can be crippling.
The best way to stop them is by prevention. Investing whatever budget you can afford into cybersecurity will make a huge difference. The National Cyber Security Centre (NCSC) is a great resource for actionable advice.
Following their advice can help you reduce the chances of being hit by a cyber-attack. And make it way harder for cybercriminals to sneak in and cause havoc, if they choose you as a target.
Chances are, though, that you will be breached at some point. Being prepared for it can help you get ahead of the problems you’ll face.
Cyber insurance is a great way to do this. It’ll pay your recovery costs. Help you manage any PR difficulties you might face. And bring the average cost of a data breach right down.
Some policies even offer online cybersecurity training for your staff. So you can avoid common pitfalls that can lead to data breaches.
Got any questions? We've written an in-depth guide on what cyber insurance is and what it covers. You can also give us a ring on 0345 222 5391 to chat with one of our friendly advisers about cyber insurance.
All figures are the most up-to-date available at the time of publishing.
Image used under licence from iStock.