Hacks & data breaches are not dangers exclusive to large enterprises.

In fact, SMEs often have more to lose than large enterprises. As an SME you may have fewer fewer resources to cope with the aftermath of a breach and less of a safety net. To see these facts in action, take a look at what’s happening to Lime Crime, the indie vegan makeup company currently suffering severe brand damage thanks to a data breach that has turned many of its customers into identity theft victims.

The Lime Crime data breach first surfaced in the fall of 2014, but the outcry only began to gain steam earlier this February, when a member of Reddit’s 230,000-subscriber makeup hobbyist community voiced concerns about fraudulent charges made after buying products from the Lime Crime website. By the time Lime Crime made a public statement addressing the breach, the harm to the brand had already been done. Customers and social media followers pointed out that the company had probably known of the breach since October 2014.

News coverage of data breaches may make it seem as if only well-known global corporations get hacked, but the truth is that any business that handles sensitive information can become a target. The second lesson is that every organization needs a response plan ready, should the worst happen. When it comes to customer trust, Lime Crime lost more goodwill thanks to its slow public response and lack of transparency than it did by falling victim to a data breach in the first place.

Most customers are blaming Lime Crime instead of the cybercriminals who hacked the company. For small and niche businesses that do most of their business online, positive word of mouth is essential. A preventable data breach and poor response after the fact are great ways to ruin your reputation.

Don’t let your business become a worst-case scenario when it comes to data security. No matter how few or how many transactions your systems handle a day, you need the appropriate security infrastructure to protect your company’s sensitive data, and you need a plan to handle incidents if they occur. In the absence of these preparations, you are risking a data breach disaster.