The Many Costs of Cyber-Attacks on SMBs

How much money can your business afford to lose if it becomes the victim of a cyber-attack? 

If you think this question will never apply to your business, then think again. Twenty-three percent of small businesses and 43% of businesses overall were targeted by cyber-attacks in 2020, according to a study commissioned by specialist insurer Hiscox of businesses in the United States and seven other countries. 

The average financial cost of cyber-attacks to U.S. small businesses with less than 250 employees was $25,612. More than half of small businesses in the eight countries covered by the survey incurred costs of at least $10,000 per cyber-attack and more than half of medium-sized businesses (250-999 employees) incurred costs of at least $17,000. At the extreme end of the scale, 5% of small businesses incurred at least $119,000 in costs, and 5% of medium-sized businesses incurred at least $382,000 in costs. 

If anything, the study understates what happens when a company gets hacked. While some of the costs of cyber-attacks are fairly easy to quantify, there are also hidden costs that are difficult to calculate. In this blog post, we discuss the obvious, and less obvious, ways in which cyber-attacks can hurt your business.

Ransomware

One of the more worrying trends in cybersecurity is the growing prevalence of ransomware attacks. In 2020, 16% of firms reporting a data breach were hit with a ransomware demand, according to the Hiscox study. Just over half the firms targeted (58%) paid a ransom in order to recover data or prevent publication of sensitive information, at a median amount of $11,900. A separate study of ransomware attacks against 300+ American SMBs by NetDiligence, a cyber risk assessment specialist, found that the average ransom demand was $12,000 and the median demand was $81,000. 

Incident response and recovery 

The cost of incident response, including the costs of cleaning up and fixing the problem, depends largely on the size and severity of the data breach as well as your organization’s own preparedness. In a recent study of large global enterprises, IBM found that the average total cost of a data breach for companies with an incident response team was $3.29 million, compared to $5.29 million for companies without an IR team. Obviously, small and medium-sized businesses incur smaller costs for incident response and recovery (the median is $41,000 according to NetDiligence). However, the point remains: being prepared can save your business money in the event of a cyber-attack.

Regulatory fines and settlements

Another obvious cost of cyber-attacks is the regulatory cost. In 2020, 11% of U.S. firms paid a substantial fine that had a “significant impact” on their financial health, according to the Hiscox study. In the past few years, large corporations have paid eight-figure and even nine-figure sums to the U.S. Federal Trade Commission and various U.S. states for failure to disclose data breaches involving the personally identifiable information (PII) of millions of people. Smaller businesses are less likely to attract the attention of the federal and state governments, given they have fewer users. However, SMBs are not necessarily immune from scrutiny by the FTC and other regulatory bodies.

Litigation

As law firm Smith, Gambrell & Russell has noted, data breach lawsuits have been filed by consumers, financial institutions, credit card companies, and other businesses affected by data breaches. Most data breach lawsuits have involved causes of action for negligence, breach of contract, breach of warranty, breach of fiduciary duty, false advertising, and unfair or deceptive trade practices. The largest lawsuit to date saw major health insurance provider Anthem pay $115 million as part of class-action litigation relating to a 2015 cyber-attack that compromised the personal information of 79 million people. Again, SMBs are less likely to be involved in litigation, but they are not completely immune either.

Loss of IP

Another cost that is difficult to account for is the loss of IP. In June 2021, hackers downloaded approximately 780GB of data from video games published by Electronic Arts (EA) and attempted to sell portions of the cache on the dark web. EA said the incident didn’t involve ransomware and experts suggested that the main motivation may have been “cheat making or underground community kudos.” However, there’s no knowing how damaging the loss of IP could be if your business becomes the victim of a data breach.  

Loss of reputation

This is where we get into the hidden, virtually unquantifiable costs of data breaches. What would be the cost to your business of each existing customer lost or each new customer you fail to attract because of a cyber-attack? And how much would you be willing to pay for a PR firm to perform damage control? In business, reputation is everything. All 50 states (and D.C.) have laws requiring businesses to notify users of security breaches, although the exact rules vary from state to state. From a moral standpoint, consumers certainly expect to know when their data has been compromised. Therefore, there is really no good way to stop the public from finding out when you have been the victim of a data breach. 

Loss of talent

The effects of a serious breach could extend to losing employees and struggling to find new ones.  After all, who wants their LinkedIn profile to show that they work for a company with a bad reputation? Furthermore, even if employees don’t have any personal issue with working for a cyber-attack victim, they may feel that their job now isn’t secure enough to warrant staying. 

Disruption to business continuity

The term “business continuity” has come up a lot in the past year due to COVID-19, but it is equally applicable to other disruptive events such as cyber-attacks. Business continuity is about maintaining essential business functions during and after a disruptive event. Loss of business continuity can spell financial disaster. The less prepared your business is for a potential cyber-attack, the greater the potential cost.

Avoiding the damage from cyber-attacks 

As long as cyberspace exists, so will cybercriminals. To make matters worse, cybercriminals are becoming ever-more sophisticated in their evil plan to hack into businesses. To avoid financial damage from cyber-attacks and maintain business continuity, you need an online cybersecurity platform involving defensive and offensive tactics. The best platforms deploy strategic monitoring and proactive threat intelligence to ward off cyber criminals before they can hack your systems, as well as rapid incident response to shut down problems after they arise.  