The True Cost of a Data Breach for a Small Business

Small Business · April 16, 2026 · 6 min read

The assumption that kills small businesses

The most dangerous assumption in small business cybersecurity is this: we are too small to be a target.

It is understandable. High-profile breaches make the news because they involve large companies with recognizable names and millions of affected customers. The breach of a 12-person law firm or a regional accounting office does not make headlines. But it happens, and when it does, the impact is often existential.

According to IBM's Cost of a Data Breach Report, the average cost of a data breach for small and mid-sized businesses exceeds $3 million. For many small businesses, that number is not survivable.

Where the costs actually come from

When people think about breach costs, they usually think about the immediate incident — cleaning up malware, restoring backups, maybe paying a ransom. Those are real costs, but they are often not the largest ones.

Incident response and forensics

When a breach occurs, you need to figure out what happened: how the attacker got in, what they accessed, how long they were in your systems, and whether the threat has been fully eliminated. This requires specialized expertise that most small businesses do not have in-house. Hiring an incident response firm costs $200 to $500 per hour, and investigations routinely take weeks.

Legal and regulatory obligations

Depending on your industry and the data involved, a breach may trigger mandatory notification requirements. State data breach notification laws require businesses to notify affected individuals within specific timeframes — often 30 to 72 hours. HIPAA requires notification to affected patients and potentially to the Department of Health and Human Services. Failure to comply adds regulatory fines on top of everything else.

Legal counsel to navigate these obligations is not optional, and it is not cheap.

Client notification and credit monitoring

If client data was exposed, you are typically required to notify them and often obligated to offer credit monitoring services. At $20 to $30 per person for a year of monitoring, this adds up quickly. Beyond the direct cost, the notification itself damages trust and triggers client attrition.

Downtime and lost productivity

Ransomware attacks, which are among the most common types of small business breaches, often take systems offline entirely. The average ransomware-related downtime is 21 days. Twenty-one days without access to client files, email, billing systems, or any operational data. The lost productivity and revenue during that period frequently exceed the ransom demand itself.

Reputational damage and client loss

This is the hardest cost to quantify and often the most lasting. Clients who learn their data was exposed leave. Referrals dry up. In professional services industries like law and accounting, where the relationship is built on trust and confidentiality, a breach can permanently alter the trajectory of the business.

Cyber insurance gaps

Many small businesses discover after a breach that their cyber insurance policy covers less than they expected. Coverage limits may be too low. Policy exclusions may apply — particularly around unpatched software or misconfigured systems. If you did not have cyber insurance, the entire cost comes out of pocket.

The ransom question

Ransomware deserves its own note because it is the most common scenario small businesses face. The median ransom demand for small businesses is now in the range of $50,000 to $200,000. Paying does not guarantee you get your data back — about 20% of businesses that pay never receive a working decryption key. And paying puts you on a list: businesses that pay once are disproportionately targeted again.

The FBI advises against paying ransoms, though it acknowledges that for some businesses it may be the only practical option when backups have also been encrypted.

What $3 million looks like for a 10-person firm

Breaking it down for a small professional services firm:

The ranges are wide because every incident is different. But even at the low end, a breach at a small firm is a six-figure event. At the high end, it is a business-ending event.

Prevention is not expensive. Recovery is.

A basic security program — vulnerability scanning, email security, employee training, multi-factor authentication, regular backups — costs a fraction of a single incident. The math is straightforward.

The challenge is that security spending is invisible when it works. There is no line item on your P&L for "breach we prevented." That makes it easy to defer. Until it is not.

See where your business stands with a free security assessment at kasperashield.com.

© 2026 Kaspera Shield. A product of Kaspera.