03 Jun 2026

When the breach is over, the hard part begins: What a cyber incident really costs is your reputation


Written by Forensic Pathways

Ask most business owners what a cyber attack costs and they'll picture an IT bill, a few days of disruption, a new firewall, maybe a small ransom.

Then a name like Marks & Spencer lands in the headlines, and the real numbers come into focus.

Ransomware is where cyber risk stops being a nuisance and starts being a threat to the survival of the business.

The figures for UK organisations now run into the millions. The median ransom demand on UK victims more than doubled in a year, climbing to roughly £3.9 million, and the typical UK business recovering from an attack now spends around £2 million putting itself back together, before the ransom is even counted. UK firms also tend to pay more than they're asked, around 103 per cent of the demand on average, far above the global norm. These are not numbers a typical SME can simply absorb.

If you run a small or medium business in the West Midlands, this isn't an abstract risk. The UK Government's latest Cyber Security Breaches Survey found that ransomware attacks on businesses doubled year on year, and that hundreds of thousands of UK firms identify a breach or attack annually.

The chance of being hit is now, in the words of one security chief, just part of doing business. What separates the companies that survive it from those that don't is rarely luck. It's preparation.

Here's the part that should worry directors most. Only about one in five UK businesses has a formal incident response plan. When ransomware hits, most organisations are improvising, and improvisation is exactly when both the financial and the reputational damage spread fastest.


Reputation breaks faster than systems recover

You can restore a server from backup in hours. Rebuilding a customer's trust takes far longer, and sometimes it doesn't come back at all.

When a breach becomes public, your customers don't ask whether your antivirus was up to date. They ask three things. Was my data exposed? Did you know what you were doing? Can I trust you with my business going forward? How you answer in the first 48 hours shapes the story far more than the breach itself.

This is where many SMEs stumble. In the rush to get back to normal, they wipe machines, restore systems, and unintentionally destroy the evidence of what actually happened. That leaves them unable to answer the most important questions, whether to customers, to the ICO, or to an insurer who won't pay out without proof.


The risk you don't control: Your supply chain

Here's an uncomfortable truth. You can do everything right and still be breached through someone else's mistake. Many of the most damaging incidents now start not inside the target business but inside one of its suppliers, software vendors, or IT partners.

The 2025 attack on Marks & Spencer is the textbook case. Attackers reportedly got in through a flaw in third-party software, not through M&S's own front door. They have worked out that the easiest way into a well-defended company is often through a smaller, less protected one it trusts.

The government's own analysis points to supply chain weakness as one of the biggest unmanaged risks facing UK organisations, yet only a minority of businesses actively check the security of their suppliers.

For most SMEs, the question isn't whether you depend on third parties, it's whether you have any visibility of the risk they carry on your behalf.

This cuts both ways, and that's the part worth dwelling on. You are also somebody else's supplier. If you are breached, your customers' data and operations may be exposed too, which is precisely why their procurement teams increasingly ask hard questions before signing. A weak link in your security is a weak link in theirs, and they know it.

Practical steps don't have to be heavy. Keep a list of the suppliers who can touch your data or systems. Ask them the same security questions your own customers ask you.

Make sure your contracts say who does what if either side is breached. And know, in advance, how you would investigate an incident that began somewhere outside your own four walls.


The hidden costs that don't show up on the IT invoice

The direct cost of a breach is only the visible tip. Underneath sit the costs that genuinely hurt.

Lost contracts and due diligence failures. Increasingly, your customers' procurement teams ask about your security posture before they sign. A breach you handled badly becomes a line item in someone else's risk assessment, and a reason to choose a competitor.

Regulatory exposure. Under UK GDPR, certain personal data breaches must be reported to the ICO within 72 hours. Getting that wrong, by reporting too late or reporting the wrong thing because you don't actually know what happened, can compound the original problem.

Insurance disputes. Cyber insurance is now common, but policies increasingly require you to demonstrate what occurred and that you took reasonable precautions. Without a clear, evidenced account of the incident, claims get delayed or declined.

Internal disruption and morale. The quiet cost is weeks of senior people firefighting instead of running the business.


Being investigation-ready beats incident response alone

Most cyber advice focuses on prevention and response. Both matter. But there's a third capability that SMEs routinely overlook, and it's the one that protects your reputation when prevention fails. It's being investigation-ready.

Investigation-ready means that if the worst happens, you can establish, quickly and credibly, what was accessed, what was taken, how it happened, and what wasn't affected.

That's the work of digital forensics, preserving and analysing evidence so you can give straight answers instead of nervous guesses. It matters just as much when the trouble starts in your supply chain, because you still have to prove what reached you and what didn't.

That clarity is what lets you reassure customers honestly, report accurately to regulators, support an insurance claim, and, if necessary, take legal action.

It's the difference between saying “we believe everything is fine” and saying “we know exactly what happened, here's the evidence, and here's what we've done about it.” Customers forgive the first far less readily than the second.


Five things you can do this month

You don't need a large security budget to be dramatically better prepared than most of your competitors.

  1. Write a simple incident response plan. One page is fine to start. Note who decides, who communicates, and who you call. Most businesses don't have this, so having one puts you ahead immediately.
  2. Map your supply chain risk. List the suppliers and partners who can reach your data or systems, and ask them how they protect it. You can't manage a risk you can't see.
  3. Know who you'll call before you need them. Identify your forensic and legal contacts now. In a live incident, you won't have time to shop around.
  4. Don't destroy the evidence. Train your team that the instinct to wipe and rebuild can erase exactly what you'll need to defend yourself. Isolate, don't obliterate.
  5. Rehearse your first 48 hours. Walk through a realistic scenario with your leadership team. The first time you think about your response shouldn't be during a real one.


The bottom line

Cyber risk isn't really an IT problem. It's a reputation problem with a technical trigger, and increasingly it's one you can inherit from a supplier you trusted.

The businesses that come through a breach with their customer relationships intact are rarely the ones that were never attacked. They're the ones that could stand up afterwards and say, credibly, here's exactly what happened, and here's how we handled it.

That credibility is built before the incident, not during it.

Forensic Pathways helps organisations prepare for, investigate, and recover from cyber incidents, turning the chaos of a breach into clear, evidenced answers you can stand behind.

If you'd like a no-obligation conversation about how investigation-ready your business is, get in touch via the website, by email, or by calling 0121 232 4662.
