How Much Does a Data Breach Cost a Small Business?
When security spending comes up in a budget meeting, the question is always the same: what does it actually cost if something goes wrong? The answer is higher than most business owners expect, and the gap between what SMBs assume and what the data shows is part of the reason small businesses remain the most common targets. Here is what a data breach actually costs, broken down into the categories that matter for making a real budget decision.
The Headline Numbers
IBM publishes a Cost of a Data Breach Report every year, and it is the most widely cited source for breach cost data. The 2024 report puts the global average cost of a data breach at $4.88 million. That number gets attention, but it is heavily skewed by large enterprises with massive customer databases and international regulatory exposure. The figure that matters for small businesses is lower, but still significant.
For organizations with fewer than 500 employees, the average breach cost has consistently landed in the hundreds of thousands of dollars in recent years. The exact figure shifts annually, but it has trended upward. Verizon’s Data Breach Investigations Report (DBIR) reinforces this pattern, showing year after year that small businesses account for a disproportionate share of confirmed breaches relative to their security investment.
These are averages. Your actual cost depends on the type of data compromised, how long the attacker had access, whether you have cyber insurance, how quickly you respond, and what industry you are in. A healthcare practice that loses patient records faces a very different cost profile than a marketing agency that loses email lists. But the averages are useful for understanding the order of magnitude you are dealing with.
It is also worth noting that these figures only capture reported breaches. Many small businesses experience security incidents that never get formally classified as breaches, either because the business does not realize the full extent of what happened or because the incident does not cross the threshold for mandatory reporting. The actual financial impact of cybercrime on small businesses is almost certainly higher than what the published data reflects.
Direct Costs: What You Pay Out of Pocket
Direct costs are the expenses that show up on invoices in the weeks and months after a breach. They are the easiest to quantify and the hardest to ignore.
Forensic investigation is usually the first major expense. You need to understand what happened, how the attacker got in, what they accessed, and whether they are still in your environment. A forensic investigation for a small business typically costs between $10,000 and $100,000 depending on the complexity of the environment and the scope of the breach. If you need to bring in a specialized incident response firm on an emergency basis, expect to pay premium rates.
Legal fees start accumulating quickly. You need counsel to navigate breach notification requirements, evaluate your regulatory exposure, and manage communication with affected parties. If the breach involves personal data, you may also need to engage privacy counsel familiar with your state’s specific notification laws. Legal costs for a small business breach typically range from $10,000 to $75,000, but they can go much higher if litigation follows.
Breach notification is a legal requirement in all 50 states when personal data is compromised. You need to identify every affected individual, draft notification letters that meet your state’s specific requirements, and often provide credit monitoring services. Notification and credit monitoring costs scale with the number of affected individuals, but even for a small breach, budget at least $5,000 to $50,000 for the notification process alone.
Regulatory fines and penalties depend entirely on your industry. HIPAA violations can carry penalties ranging from $100 to $50,000 per violated record, with annual maximums reaching into the millions. PCI DSS non-compliance can result in fines from payment card brands of $5,000 to $100,000 per month until compliance is restored. Even outside regulated industries, the FTC has pursued enforcement actions against businesses with inadequate security practices.
Ransom payments, if ransomware is involved, add another layer. While law enforcement recommends against paying, some businesses feel they have no choice. Ransom demands for small businesses typically range from $10,000 to $500,000. Paying does not eliminate the other costs on this list; it adds to them. You still need forensics, legal counsel, and notification even if you pay and get your data back. We cover the full decision framework around ransomware payment in a separate guide.
Indirect Costs: What Hurts Longer
Indirect costs are harder to calculate but often exceed the direct costs. They do not arrive as invoices. They show up as lost revenue, lost customers, and lost opportunities over months and years.
Downtime is the most immediate indirect cost. While your systems are compromised or being rebuilt, your team cannot work normally. Email may be down. File shares may be inaccessible. Customer-facing systems may be offline. Ransomware recovery typically takes two to four weeks for businesses without tested backups. For a business that depends on its IT systems for daily operations, which is most businesses today, every hour of downtime has a dollar value. The average cost of IT downtime varies widely by industry, but for a small business doing $5 million in annual revenue, even a week of partial operations can translate to tens of thousands in lost productivity and missed revenue.
Customer churn is the cost that compounds. Customers who learn their data was compromised lose trust. Some leave immediately. Others leave at their next renewal or purchasing decision. IBM’s research consistently shows that lost business is the single largest cost category in a data breach, accounting for roughly a third of the total. For small businesses that depend on long-term client relationships, losing even a handful of key accounts after a breach can impact revenue for years.
Reputation damage is related to churn but extends beyond existing customers. Prospects who see a breach in the news or hear about it through industry channels may choose a competitor instead. This cost is nearly impossible to quantify, but it is real. Small businesses that serve other businesses (B2B) are particularly vulnerable here, because their clients are evaluating them as a supply chain risk. A breach at your company becomes a risk factor in your client’s security posture.
Increased insurance premiums follow almost every claim. If you had cyber insurance and filed a claim, expect your premiums to increase significantly at renewal, sometimes doubling or more. If you did not have cyber insurance, you will find it significantly more expensive and harder to obtain after a breach. Some insurers may decline coverage entirely or impose exclusions related to the type of incident you experienced. Others may require you to demonstrate specific security controls like MFA, EDR, and regular backups before they will offer a policy at any price.
Opportunity cost is the subtlest expense. The months your leadership team spends managing breach response, legal proceedings, customer communication, and system rebuilds are months they are not spending on growth, product development, or sales. For a small business where the owner or a small leadership team drives most of the strategic work, this diversion of attention can stall the business in ways that do not show up on a balance sheet until much later.
Why Small Businesses Pay More Per Record
Large enterprises have higher total breach costs, but small businesses often pay more relative to their size. There are several reasons for this.
Small businesses have less negotiating power with incident response firms, legal counsel, and forensic investigators. Enterprise clients get volume pricing and retainer rates. Small businesses pay retail, often on an emergency basis with no pre-existing relationship.
Small businesses are less likely to have an incident response plan, which means the response itself takes longer and costs more. Decisions that should take minutes take days when nobody has thought through the process in advance. That extended response time gives attackers more time to cause damage and increases the scope of what needs to be investigated and remediated.
Small businesses are also less likely to have cyber insurance, which means every dollar of breach cost comes directly out of the operating budget. According to industry surveys, fewer than half of small businesses carry cyber insurance. Those that do often have policies with coverage limits that fall short of actual breach costs.
Finally, small businesses recover more slowly. An enterprise with redundant systems, dedicated IT staff, and tested backup procedures can rebuild in days. A small business with one IT person, no documented recovery procedures, and backups that do not follow the 3-2-1 rule is looking at weeks. Every additional day of recovery is additional lost revenue and productivity. Some small businesses never fully recover. Industry estimates suggest that a meaningful percentage of small businesses that suffer a major data breach close within two years, not always directly because of the breach itself, but because the financial and operational damage compounds with other business pressures in ways that become unsustainable.
The Cost of Prevention vs. The Cost of a Breach
This is where the math gets useful for budget conversations. The annual cost of a managed security provider for a 50-person company typically falls between $30,000 and $90,000 depending on the scope of service. Add cyber insurance at roughly $1,500 to $5,000 per year for a small business, and your total preventive security spend is in the range of $35,000 to $95,000 annually.
Add backup and disaster recovery at $8,000 to $18,000/year for a managed hybrid setup, and your total preventive spend is still a fraction of what a single incident costs.
Compare that to a breach. Even a relatively contained incident with limited data exposure will cost a small business $50,000 to $200,000 when you add up forensics, legal fees, notification, downtime, and customer impact. A more serious breach involving ransomware, regulatory exposure, or significant data loss can easily exceed $500,000. For some small businesses, that is an existential number.
Prevention does not eliminate risk entirely. No security investment guarantees you will never be breached. But it dramatically reduces the probability, and just as importantly, it reduces the cost and duration of a breach when one does occur. Businesses with Managed Detection and Response (MDR) in place detect breaches faster, contain them sooner, and spend less on remediation. The dwell time reduction alone, catching an attacker in hours rather than weeks, can cut breach costs by more than half.
The question is not whether you can afford security. It is whether you can afford a breach without it.
How to Use These Numbers
If you are building a case for security investment to a board, a partner, or yourself, here is how to frame it.
Start with the revenue your business would lose during a week of downtime. Be honest about how long it would take to rebuild if your systems went down tomorrow. Multiply your daily revenue by that number of days. That is your baseline exposure from downtime alone, before legal fees, notification costs, or customer churn.
Then add the minimum direct costs: $20,000 to $50,000 for a modest forensic investigation and legal response. More if you are in a regulated industry.
Then factor in customer impact. If you lost your top five clients because of a breach, what would that do to your annual revenue? Even if the probability is low, the impact justifies basic protection.
Stack that total against the annual cost of managed security. For most small businesses, even a conservative estimate of breach impact will be three to ten times the annual cost of proper security coverage. In almost every scenario, the math favors prevention by a wide margin. The businesses that struggle most after a breach are the ones that assumed it would not happen to them and had no plan or protection in place when it did.
If you are ready to understand what security coverage would look like for your specific business and what it would cost, Sequentur works with SMBs to build managed security programs that fit the business without overbuilding. You can reach us through our contact page to start that conversation.