When people think about data breaches, they think about large corporations and headline-grabbing incidents. But the average data breach — the kind that doesn't make the news — happens to a small business. It costs them money they don't have, time they can't afford, and clients they may never get back.

What a breach costs, by the numbers

IBM's annual Cost of a Data Breach Report (2024 edition) put the global average cost of a data breach at USD $4.88 million across all organisation sizes. For small businesses — typically under 500 employees — the absolute numbers are lower but proportionally devastating:

For a business operating on normal margins, a six-figure unexpected cost — plus weeks of operational disruption — is often existential. It's not a bad quarter. It's potentially the end.

Where the costs actually come from

Incident response and recovery

Finding out what happened, containing the breach, cleaning infected systems, and restoring from backups requires technical expertise most small businesses don't have in-house. Incident response firms charge premium rates — and they should, because what they do is difficult and time-critical.

Legal and compliance costs

Many jurisdictions require you to notify customers affected by a breach within a specific timeframe. Getting that notification wrong — or failing to send it — can trigger regulatory fines. Legal advice during an incident isn't cheap.

Downtime and lost revenue

If your systems are down, your billing stops. If your website is offline, you're losing leads. If your email is compromised, you can't communicate with clients. Weeks of operational disruption at a moment when your costs are dramatically elevated is a compounding problem.

Reputational damage

This is the one that's hardest to quantify and often the most lasting. Clients who find out their data was exposed may not wait for an explanation. Prospective clients who search for your business and find news of a breach will think twice. Rebuilding that trust takes time and consistent effort.

The average small business spends a fraction of what a breach costs on prevention. Basic security measures — which cost almost nothing — close the majority of vulnerabilities that attackers actually exploit against small organisations.

What attackers actually want from a small business

The good news: basic hygiene closes most of the door

The majority of successful attacks on small businesses exploit the same handful of vulnerabilities: weak passwords, no multi-factor authentication, unpatched software, and phishing clicks. These are all solvable, and the fixes are neither expensive nor technically complex. They are just habits that need to be in place.

The businesses that get hit aren't typically the ones that got unlucky. They're the ones that bet "it won't happen to us" — and turned out to be wrong.

The minimum viable security stack

MFA on all critical accounts. A password manager with unique passwords everywhere. Regular software updates. Backups stored off-site. Basic phishing awareness for any employees. That's the floor — and it closes the majority of the attack surface that small businesses get exploited through.

Want to know where your business actually stands? Security posture reviews for startups and small businesses are coming to GhostRoutine. Book a free call to register your interest and get a preliminary read on your exposure.
