7 May 2026 · Business Risk

The Real Cost of a Website Breach for UK Small Businesses in 2026

The average breach costs £8,460. Here is where that money goes — and why £29 a month in monitoring looks like a bargain.

Most small business owners understand that a website breach would be unpleasant. What many do not realise is just how expensive it is. The numbers are not theoretical — they come from real incidents affecting real UK businesses, and they add up fast.

According to the Department for Science, Innovation and Technology (DSIT), the average cost of a cyber breach for a UK small business is approximately £8,460. That figure covers the direct costs: the things you have to pay for to contain the breach, fix the damage, and meet your legal obligations. It does not include the longer-term costs that many businesses never fully quantify.

Let us break down where that money goes.

Immediate incident response

When a breach happens, the clock starts ticking. You need to find out what happened, stop it from continuing, and assess the damage. Most small businesses do not have the skills in-house to do this, which means calling in external help.

A cybersecurity consultant or incident response firm typically charges £150 to £300 per hour. A basic investigation and containment exercise can take 10 to 20 hours. That is £1,500 to £6,000 before you have even started fixing anything.

If the breach involves ransomware or a compromised server, you may also need emergency hosting, backup restoration, or a full website rebuild. The cost depends on the complexity of your site, but a WordPress rebuild with security hardening typically starts at around £1,500 and can go much higher.

Business downtime and lost revenue

While you are dealing with the breach, your website is often offline. If you run an e-commerce business, that means lost sales. If your website generates leads, those leads stop coming in. If clients use your website to access services, they cannot.

The average small business website is down for 2 to 7 days following a breach. For an e-commerce site doing £10,000 per month in online sales, that is £660 to £2,300 in lost revenue alone. For a service business, the cost is harder to measure but no less real: every day your site is offline is a day potential customers find a competitor instead.

Customer notification costs

If the breach involves personal data — and most breaches do — you have a legal obligation to notify the affected individuals. Under the GDPR, you must also notify the ICO within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms.

Notification costs include writing and sending letters or emails to every affected person. If you have 500 customers and need to send physical letters (which is required if you do not have confirmed email consent), that is approximately £500 to £1,000 in printing and postage alone. Add the cost of setting up a dedicated helpline or email address to handle enquiries from worried customers.

For breaches involving sensitive data, you may also need to offer credit monitoring services to affected individuals. This can cost £5 to £15 per person per year, which adds up quickly with a large customer base.

Legal fees and ICO fines

If the ICO investigates your breach and finds that you did not have adequate security measures in place, it can issue a fine. GDPR fines can reach £17.5 million or 4% of global turnover. While fines at that scale are reserved for large corporations, the ICO has issued five-figure and six-figure fines to smaller organisations for inadequate data protection.

Even if you avoid a fine, you may need legal advice. A data protection solicitor charges £200 to £400 per hour. Drafting your breach notification to the ICO, advising on your obligations to affected individuals, and reviewing your security practices after the fact can easily run to £2,000 to £5,000 in legal fees.

Lost customer trust and churn

This is where the long-term damage really adds up, and it is the hardest cost to quantify. When customers find out their data has been compromised, many leave. Research consistently shows that around 30% of customers will stop doing business with a company after a data breach.

If your average customer is worth £500 per year and you lose 50 of your 400 customers, that is £25,000 in annual revenue gone. Some of those customers may come back over time, but many will not. Acquiring a new customer to replace each one you lost typically costs 5 to 7 times more than retaining an existing customer.

Your reputation also takes a hit that extends beyond the directly affected customers. Word travels fast, and a breach can make potential customers think twice before trusting you with their information.

Cyber insurance premium increases

If you have cyber insurance, it may cover some of the costs above. But after a claim, your premiums will increase. Insurers assess risk based on claims history, and a business that has already been breached is a higher risk. Premium increases of 25% to 100% after a breach claim are common.

If you do not have cyber insurance, you are bearing all of these costs yourself. Many small businesses discover too late that their standard business insurance does not cover cyber incidents.

The hidden costs

The £8,460 average does not capture everything. Here are the costs that most businesses overlook:

  • Staff time. Dealing with a breach consumes days or weeks of staff time that would otherwise be spent serving customers and growing the business. At an average salary, that is £500 to £2,000 in lost productivity.
  • Stress and distraction. A breach is emotionally draining. Business owners report high stress levels, sleep disruption, and difficulty focusing on anything else while the situation is unresolved. You cannot put a price on that, but it has real consequences for decision-making and wellbeing.
  • Opportunity cost. Every hour spent dealing with a breach is an hour not spent on sales, marketing, product development, or customer service. The growth you did not achieve because you were firefighting is a real cost, even if it never appears on a spreadsheet.
  • Supply chain effects. If your breach affects partners, suppliers, or clients, those relationships can be damaged. A single breach can trigger contract reviews, loss of preferred supplier status, or additional compliance requirements imposed by larger partners.

The maths: prevention vs cure

Let us put this in plain numbers.

Continuous website security monitoring from PulseShield costs from £29 per month. That is £348 per year. It includes regular scanning for vulnerabilities, alerts when new threats are detected, and detailed reports telling you exactly what to fix.

The average cost of a breach is £8,460.

That means a single breach costs the equivalent of 24 years of monitoring. Even if you only factor in the direct, immediate costs — incident response, website rebuild, and notification — you are looking at the equivalent of 5 to 10 years of monitoring.

The argument is not complicated. Monitoring is not a luxury or a nice-to-have. It is basic risk management. You insure your premises, your vehicles, and your stock. Your website deserves the same protection, especially when the cost of failure is this high.

What to do right now

You do not need to spend thousands to improve your website security. Start with these three steps:

  1. Run a free scan. A PulseShield free scan checks your website for exposed files, missing security headers, SSL issues, email security gaps, and other common vulnerabilities. It takes 30 seconds and tells you exactly where you stand.
  2. Fix the critical issues. The most common vulnerabilities — exposed configuration files, missing security headers, outdated software — can be fixed in an afternoon. Your web developer can handle most of them in a single session.
  3. Set up monitoring. Once your site is secure, keep it that way. New vulnerabilities appear daily. Continuous monitoring catches them before attackers do. See our monitoring plans starting at £29/month.

The cost of doing nothing is not zero. It is £8,460 on average, potentially much more, and the risk is growing every year. Don't wait for a breach to take website security seriously.
