The True Cost of a Data Breach for Small Businesses in 2026
By Tyrone E. Wilson | Cover6 Solutions
When most small business owners think about the cost of a data breach, they think about the ransom payment or the IT bill to clean up the mess. The real cost is orders of magnitude higher — and it’s why so many small businesses don’t survive a significant breach. Understanding the full financial impact of a breach isn’t meant to be paralyzing; it’s meant to reframe security spending as the rational business decision it actually is.
What a Data Breach Actually Costs
According to IBM’s annual Cost of a Data Breach Report, the global average cost of a data breach reached $4.88 million in 2024 — but that figure is skewed toward large enterprises with complex environments. For small businesses, the numbers are lower in absolute terms but devastating in relative impact. Verizon’s Data Breach Investigations Report consistently shows that breaches affecting organizations with fewer than 1,000 employees carry average costs between $120,000 and $1.24 million, depending on the type of data involved and the attacker’s objectives. Ransomware incidents, which now represent the majority of financially motivated attacks against SMBs, add the ransom demand on top of recovery costs — and paying the ransom doesn’t guarantee data recovery or prevent future attacks from the same group.
Why Small Business Breaches Are More Devastating
Large enterprises absorb breach costs through insurance, dedicated legal teams, crisis communications budgets, and deep cash reserves. Small businesses have none of those buffers. A $200,000 breach recovery — which is well within the range for a small business ransomware incident — represents several times the annual profit of most companies in that size range. Beyond the financial hit, small businesses are more likely to suffer permanent reputational damage because their customer relationships are more personal and trust-dependent. Enterprise clients can weather a breach with strong communications and demonstrated remediation; a local accounting firm, medical practice, or defense subcontractor may never fully recover the trust of its customer base after a public breach. The National Cyber Security Alliance has reported that 60% of small businesses that suffer a significant cyberattack close within six months — not because the breach itself was fatal, but because the cascading financial and reputational damage was.
The Hidden Costs Nobody Talks About
- Business interruption: Every hour your systems are down or your team is dealing with the breach instead of serving customers represents lost revenue. For many SMBs, even 2–3 days of downtime has serious cash flow consequences.
- Legal and regulatory costs: Breach notification requirements, potential FTC enforcement actions, state AG investigations, and class action exposure all require legal counsel — which is expensive even when you’re ultimately not found liable.
- Forensic investigation: Incident response firms typically charge $200–$500/hour. A thorough forensic investigation of even a moderate incident can run $15,000–$50,000.
- Notification costs: Sending breach notifications to affected individuals, setting up credit monitoring services, and managing the customer service volume that follows all carry real costs.
- Increased insurance premiums: After a breach, cyber insurance premiums often double or triple — if you can get coverage at all. Some carriers non-renew policies after significant incidents.
- Lost contracts and revenue: Enterprise clients and government contractors who discover you’ve had a breach may terminate contracts or decline renewals, particularly if sensitive data about their organization was involved.
Does Cyber Insurance Cover This?
Cyber insurance covers some of these costs — but the gap between what business owners expect coverage to provide and what policies actually pay is significant. Most policies cover first-party costs like forensic investigation, notification, crisis communications, and some business interruption. They typically do not cover reputational damage, future lost revenue, fines from certain regulators, or losses from social engineering and fraudulent transfers unless those are specifically endorsed. Coverage limits for small business policies — often $250,000 to $1 million — can be exhausted quickly in a significant incident. Perhaps most importantly, insurers are increasingly requiring specific security controls as a condition of coverage: MFA, EDR, backup segregation, and employee training are now standard underwriting questions. If you don’t have these controls in place, you may find your policy voided at the moment you need it most.
How to Reduce Your Breach Risk Right Now
The best time to reduce breach risk was before this conversation. The second best time is today. Start with the controls that address the highest-probability attack vectors: deploy MFA on all accounts (especially email and remote access), implement a modern endpoint detection and response solution, test your backup and recovery procedures to confirm you can actually restore from them, and run a phishing simulation to understand your current employee susceptibility rate. These four controls, properly implemented, address the majority of SMB breach scenarios. A vCISO engagement can help you build a prioritized roadmap, implement the right controls for your environment, and establish the monitoring and response capabilities needed to detect breaches early — when the cost of response is still manageable.
Need Help Securing Your Organization?
Cover6 Solutions provides vCISO services, compliance consulting, and cybersecurity assessments for small businesses and defense contractors.