How much can a cyber attack cost a small business?

Cyber attacks can be devastating for small businesses. A single cyber attack can cost a small business anywhere from a few thousand dollars to hundreds of thousands of dollars or more. The costs add up quickly from damage and destruction of data, downtime and loss of productivity, forensic investigation, customer notifications, and reputational harm. With small businesses increasingly targeted by cyber criminals, it’s important for small business owners to understand the potential costs of an attack to motivate investment in cybersecurity.

Costs from damage and destruction of data

One of the biggest costs from a cyber attack stems from the damage and destruction of data. If hackers infiltrate systems and corrupt or destroy data, those losses alone can cost tens or hundreds of thousands of dollars for a small business to restore. For example, hackers could demand a ransom to unlock data that was encrypted in a ransomware attack. Cyber attacks could also result in thieves stealing trade secrets, customer information, financial data or other valuable information. The business will need to take steps to recover or recreate lost data, which takes substantial employee time and effort.

Verizon's 2019 Data Breach Investigations Report found that data theft was a component of 69% of breaches, while ransomware accounted for 24% of malware incidents resulting in data loss. Ransom demands made of small businesses in particular have been increasing, with the average ransomware demand in 2019 at $3600. The total cost from the damage and destruction of data alone during an attack could reach into the tens of thousands for many small businesses.

Costs from business disruption and lost productivity

Cyber attacks also create major business disruption and loss of productivity for small businesses. The company may be forced to shut down operations and stop serving customers during an attack. Systems critical to operations could be offline for an extended period while the company investigates, restores data from backups, replaces compromised hardware, or takes other steps to recover from the attack.

A survey by the insurance company Hiscox found that over 30% of small businesses hit by a cyber attack closed as a result of the attack. For businesses able to continue operating, productivity slows dramatically. Employees cannot access the systems or data needed to perform their work, and a flood of unplanned, urgent cybersecurity triage duties supplants normal operations. Time spent on emergency response to a cyber attack is time taken away from revenue-generating tasks.

The average cost from downtime alone for small businesses suffering a cyber attack is estimated at $20,000 per day. Extended downtime of even 3-6 days to fully recover after an attack could result in $60,000-$120,000 or more in costs from lost revenue and productivity. And that’s before even considering costs from damaged data, investigation, notifications and reputational harm.

Investigation, forensics and security improvements

After a cyber attack, a small business will need to contain the breach and conduct a thorough investigation of what happened. Forensic investigators may need to be hired to determine the root cause, the extent of systems and data compromised, and which specific data or intellectual property was stolen. Small businesses victimized by advanced persistent threat (APT) attacks may pay $100,000 or more for incident response and forensics.

Security firms or consultants are also often engaged to quickly improve and tighten up security to prevent a recurrence. New security tools like firewalls, endpoint detection and response (EDR), or email security gateways may need to be purchased. Data backup solutions, employee security training, and penetration testing are some other security features small businesses often invest in after an impactful breach. These unplanned security updates and improvements alone can cost tens of thousands of dollars.

Customer notification costs

If a cyber attack exposed or compromised customer data, small businesses will incur costs to notify those individuals. There are 47 state data breach notification laws in the U.S., with fines up to $500,000 in some states for failure to properly notify consumers. The cost to appropriately notify each impacted customer is estimated by the Ponemon Institute to range from $150-$300.

For small businesses with 10,000 or more customer records breached, mailing notification letters adds up quickly at $150-$300 per letter. At $150 per record, a data breach impacting 1 million customer records could result in $150 million or more in notification costs alone.

Cost per record breach notification by industry

Industry         Cost per record
---------------  ---------------
Financial        $210
Services         $172
Industrial       $171
Education        $138
Communications   $136
Technology       $131
Energy           $131
Research         $111
Public           $106
Retail           $105
Healthcare       $103

Data source: IBM/Ponemon Cost of a Data Breach Study 2020

Even for small businesses with fewer customers impacted, sending just 500 notification letters comes at a cost of $75,000-$150,000. Reaching out to customers about a breach is time-consuming and cuts into time spent on revenue-generating tasks, further hurting productivity.

Legal costs, fines and lawsuit settlements

Cyber attacks often lead to legal expenses for small businesses as well, including potential class action lawsuits from customers or compliance investigations by regulators. More than 25% of cyber attacks result in litigation, according to a study by Kaspersky Lab, with the average legal costs from a data breach totaling $34,000.

If the cyber attack led to a data breach, small businesses also face considerable costs from fines and penalties. In the United States, healthcare providers, financial institutions and companies dealing with government data face steep fines under laws like HIPAA and GLBA. Failing to comply with state data breach notification laws can also lead to fines from state attorneys general. The EU's GDPR imposes fines of up to 4% of global revenue for violations.

Depending on the severity and nature of the breach, fines from regulators can reach six or even seven figures for some small businesses. Settlements from customer class action lawsuits after cyber attacks also often cost tens or hundreds of thousands of dollars, sometimes reaching millions, for small businesses.

Reputational damage and lost business

Last but certainly not least, cyber attacks also lead to significant reputational damage, eroding customer trust and ultimately leading customers to flee to competitors. A cyber attack represents a major failure to keep customer data secure. According to How-To Geek, 60% of small companies close permanently within 6 months of a cyber attack.

Lost business from reputational damage is difficult to quantify, but it can outpace all the direct costs of a cyber incident combined for small businesses. A survey by Kroll found that for mid-sized companies, lost business represented 42% of total cyber attack costs, while for larger enterprises it amounted to 23% of total costs. Reputational damage also often reduces the valuation of the small business, hampering its ability to raise funds or invest.

Total potential costs

Given the myriad direct and indirect costs explored above, the total costs for a small business stemming from a single cyber attack can easily reach $100,000 to $500,000 or more. For small businesses with under 100 employees, a $200,000 cyber attack bill represents a substantial chunk of yearly revenue, between 2% and 20% for most. A cyber incident costing $500,000 could severely threaten the ability of many small businesses to survive, particularly those without cyber insurance.

Of course, costs vary widely depending on the nature and severity of the cyber attack. A simple phishing attack leading to a minor malware infection might have a lower cost ranging from $10,000-$30,000. A highly sophisticated nation-state attack could cost many times more, in the millions. But the examples above illustrate why all small businesses need to take cybersecurity seriously and guard against potential worst-case scenarios threatening their survival.

Prevention is the best medicine

Ultimately, the adage “an ounce of prevention is worth a pound of cure” rings especially true when it comes to cyber attacks. While the cybersecurity tools and services needed to react to an attack come at a high price, relatively inexpensive preventative measures can greatly reduce a small business's chances of getting hit in the first place. Investing in basic cyber hygiene and foundational security controls leaves much less surface area for cyber threats to exploit.

Low-cost cybersecurity best practices like security awareness training, endpoint protection, access controls, data encryption, firewalls, backups and patching go a long way toward making businesses less vulnerable. Establishing an IT security policy and an incident response plan likewise costs little to set up but pays dividends. While small businesses can't prevent every attack, focusing affordable resources on prevention lowers overall business risk and substantially reduces the potential costs of an attack.

No small business owner wants to think about costs arising from a cyber attack crippling their livelihood. But understanding the major costs associated with cyber incidents enables small businesses to appreciate their cyber risk exposure and motivates sufficient cybersecurity investment. In the unfortunate event an attack succeeds, financially preparing for the worst will also put the business in a better position to pay major unplanned bills, survive the fallout, and avoid having to close up shop.