What Is the Cost of a Data Breach for a Small Business in 2026?

The average data breach costs businesses with fewer than 500 employees $3.31 million, according to IBM’s 2024 Cost of a Data Breach Report. For smaller operations, costs typically range from $120,000 to $1.24 million per incident. Either number is enough to threaten the survival of most small businesses.

What Does the Latest Research Actually Say?

Two reports set the standard for breach cost data, and both paint a clear picture for small businesses.

IBM Cost of a Data Breach Report 2025

IBM’s annual study, which analyzed 600 breached organizations across 17 industries, found that the global average cost of a data breach was $4.44 million in 2025, down 9% from $4.88 million in 2024 (IBM). That decrease was driven primarily by organizations using AI-powered security tools for faster detection and containment.

For organizations that lacked security AI and automation, costs remained significantly higher. IBM also found that shadow AI, where employees use unapproved AI tools without oversight, added an average of $670,000 to breach costs. Only 37% of organizations had AI governance policies in place.

The message is clear: businesses investing in proactive security tools pay less when a breach occurs. Businesses without those tools pay substantially more.

Verizon 2025 Data Breach Investigations Report

The Verizon DBIR analyzed over 12,000 confirmed breaches and delivered a critical finding for small businesses: SMBs are targeted nearly four times more often than large enterprises (Verizon).

The numbers for SMBs are particularly alarming:

  • 88% of SMB breaches involved ransomware, compared to just 39% of enterprise breaches
  • The median ransom payment was $115,000
  • Credential abuse (22%) and vulnerability exploitation (20%) were the top initial attack vectors
  • Third-party involvement in breaches doubled to 30%

Small businesses are not too small to be targeted. They are targeted specifically because they are less likely to have the security controls that make attacks difficult.

What Are the Real Costs Beyond the Headline Number?

A data breach is not a single expense. It is a cascade of costs that unfolds over months.

Immediate Response Costs

Immediate response means a forensic investigation to determine what happened and what was compromised, incident response handled either internally or by an external firm, and legal counsel to assess notification obligations. These first-response costs typically run $10,000 to $75,000 for a small business.

Notification and Compliance Costs

Washington State and federal regulations require notifying affected individuals, and in some cases regulators, within specific timeframes. Notification costs include legal review, mailing or electronic notification, and credit monitoring services for affected parties. For businesses subject to HIPAA, PCI-DSS, or other regulations, fines can add $50,000 to $500,000 or more.

Operational Downtime

This is often the largest single cost. Systems must be taken offline for investigation and remediation. The cost of IT downtime for SMBs ranges from $8,000 to $25,000 per hour, and breach-related outages frequently last days to weeks, not hours.

A ransomware incident that takes your business offline for five business days (40 working hours) at $10,000 per hour costs $400,000 in downtime alone.

Customer and Revenue Loss

IBM’s research consistently shows that lost business is the largest component of breach costs. Customers leave. Prospects choose competitors. Contract renewals stall. The reputational damage persists long after systems are restored.

Long-Term Recovery

Long-term recovery includes new security tools, system rebuilds, additional staff or consulting, insurance premium increases, and ongoing monitoring. These trailing costs continue for 12 to 24 months after the initial breach.

Can a Small Business Survive a Breach?

The honest answer: many cannot.

Research from VikingCloud found that 40% of SMBs say a $100,000 attack would end their business (VikingCloud). Given that the median ransomware payment alone is $115,000, before accounting for downtime, response, and recovery, the math is dangerous.

The widely cited statistic that 60% of breached SMBs close within six months comes from the National Cyber Security Alliance. More recent research puts the number lower, but even conservative estimates show that roughly 1 in 5 SMBs face bankruptcy following a significant breach.

Whether the exact number is 20% or 60%, no business owner should be comfortable with those odds.

What Makes Small Businesses So Vulnerable?

Small businesses face a unique combination of risk factors:

  • Smaller security budgets mean fewer protective layers
  • Less security expertise leads to misconfigured tools and unpatched vulnerabilities
  • Valuable data, including customer records, financial information, and payment data, gives attackers something to monetize
  • Weaker vendor management creates third-party risk exposure
  • Employee security training gaps make phishing and social engineering highly effective

The Verizon DBIR’s finding that credential abuse and vulnerability exploitation together account for 42% of all initial attack vectors means that basic security hygiene (strong passwords, multi-factor authentication, and timely patching) prevents nearly half of all breaches.

How Do You Reduce Your Breach Risk and Cost?

IBM’s data shows that organizations with these capabilities experience significantly lower breach costs:

Security AI and Automation

Organizations using AI-powered security tools detected and contained breaches faster, driving the global average cost down. Automated threat detection, endpoint detection and response (EDR), and security information and event management (SIEM) platforms make the difference.

Incident Response Planning

Having a tested incident response plan reduces breach costs by hundreds of thousands of dollars. Not a plan sitting in a drawer. A plan that has been rehearsed and updated within the past year.

Employee Security Training

Since phishing and credential theft are the top attack vectors, regular security awareness training is one of the highest-ROI security investments a business can make.

Multi-Factor Authentication

MFA blocks the majority of credential-based attacks. It is one of the simplest, most effective security controls available, and it costs almost nothing to implement.

Managed Detection and Response

For businesses that cannot staff a 24/7 security operations center, a managed IT provider with cybersecurity expertise provides continuous monitoring, threat detection, and rapid response at a fraction of the cost of building those capabilities internally.

Our NIST-aligned security framework at ROI Technology covers all of these layers. Since 2014, we have maintained $0 in ransomware losses across our client base, because prevention costs far less than recovery.

Invest in breach prevention as part of your overall IT budget plan, and use our pricing calculator to see what comprehensive protection looks like for your business.