Data Breach Cost for Small Businesses

60% of small businesses close within 6 months of a major cyber attack

Small businesses face disproportionate breach impact. Here's what it costs and how to protect your organization affordably.

  • IBM benchmark, organizations under 500 employees: $3.31M average breach cost
  • SMB average (TechAisle estimate): $1.6M
  • Typical small firm: $164K
  • Closure rate: 60% close within 6 months

Breach Cost by Business Size

Data breach costs for small businesses vary enormously depending on organization size, data volume, and industry. The IBM Cost of a Data Breach Report 2025 benchmarks organizations under 500 employees at $3.31 million average, but this includes mid-market companies with substantial IT infrastructure. For true small businesses with fewer than 50 employees, costs typically range from $50,000 to $200,000 — still potentially devastating when measured against revenue. The figures below represent typical ranges based on multiple data sources including IBM, TechAisle, and the National Cyber Security Alliance.

  • Sole trader / micro (1-9 employees): $15K - $50K
  • Small (10-49 employees): $50K - $200K
  • Medium (50-249 employees): $200K - $1M
  • Mid-market (250-499 employees): $1M - $3.31M

Source: IBM Cost of a Data Breach Report 2025, TechAisle SMB Security Study, National Cyber Security Alliance

Where Small Business Breach Costs Go

Small businesses face unique cost dynamics compared to enterprises. While the IBM four-category breakdown (lost business 38%, detection 29%, post-breach 27%, notification 6%) applies broadly, the proportional impact differs significantly for smaller organizations. Here is where SMB breach money typically goes and why each category hits harder for smaller companies.

IT forensics and cleanup ($20K-$100K): Small businesses almost always need to hire an external IT forensics firm because they lack internal security expertise. These firms charge $300-$500 per hour, so the $20,000-$100,000 range corresponds to roughly 60-200 billable hours; a large investigation running 200-400 hours will exceed the upper end. Unlike enterprises that have internal security teams to lead the response, SMBs pay retail rates for incident response, making this category disproportionately expensive per employee. The investigation must determine what was accessed, how the attacker gained entry, and whether data was exfiltrated, all of which are needed for legal and regulatory compliance (and, where the answer is "no exfiltration", to avoid notifying people who were never affected).

Business interruption ($30K-$500K): When systems go down, small businesses cannot absorb the revenue impact. An enterprise with diversified operations can shift work to unaffected units; a 20-person company has no such flexibility. Average downtime from a ransomware attack is 22 days for SMBs. A business generating $5 million annually earns roughly $13,700 per calendar day, so 22 days of zero revenue represents approximately $300,000 in direct revenue loss, not counting the operational chaos of manual workarounds, missed deadlines, and disrupted customer relationships.

Customer notification ($10K-$50K): Notification costs are essentially fixed per affected individual regardless of company size. Letters, email notifications, credit monitoring services, and regulatory filings cost the same $1-$10 per person whether you are a Fortune 500 company or a 10-person firm. For a small business that stores 10,000 customer records, notification and credit monitoring can easily cost $30,000-$50,000 — a significant expense for an organization with limited cash reserves.

Legal and regulatory ($15K-$100K): Statutory penalty ceilings do not scale down for small businesses. GDPR fines of up to 20 million EUR or 4% of global annual turnover (whichever is higher), CCPA penalties of $2,500-$7,500 per violation, and HIPAA fines of $137-$68,928 per violation are written into law regardless of organization size; only a regulator's discretion, not the statute, limits what a small firm pays. Legal counsel for breach response costs $300-$1,000 per hour and typically stays engaged for 6-18 months. Small businesses often lack existing relationships with cybersecurity-experienced law firms, leading to higher initial engagement costs.

Lost customers (ongoing): Small businesses have fewer customers to lose, making each lost relationship proportionally more damaging. Research suggests that 65% of consumers lose trust in a business after a data breach, and 85% say they would not do business with a company if they had concerns about its security practices. For a small business with 200 key accounts billing an average of $25,000 a year each, losing 20% of them (40 accounts) post-breach eliminates $1 million in annual recurring revenue, every year they stay gone. That is a potentially fatal blow.
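The five categories above combined into a single estimate, as an added worked example (this is not the page's calculator, and it is not code from any vendor named on the page). It uses the page's own per-unit figures; every scenario value in example_scenario(), the class and function names, and the 10% operating margin used for the "months of margin" figure are assumptions chosen for illustration.

```python
"""Worked small-business breach cost model (added illustration, not the
page's own calculator).

It combines the five cost categories described above using the page's
per-unit figures. The scenario values in example_scenario() are assumptions
chosen to match the page's own worked numbers ($5M revenue, 22 days down,
10,000 records, 200 key accounts); replace them with your own.
"""
from dataclasses import dataclass


@dataclass
class BreachInputs:
    annual_revenue: float          # USD per year
    downtime_days: int             # calendar days of disrupted operations
    downtime_loss_fraction: float  # share of daily revenue lost while down (0..1)
    forensics_hours: float
    forensics_rate: float          # USD per hour for an external IR/forensics firm
    records_affected: int
    cost_per_record: float         # notification + credit monitoring, USD per person
    legal_hours: float
    legal_rate: float              # USD per hour for breach counsel
    regulatory_fines: float        # USD, if any
    key_accounts: int
    avg_account_arr: float         # annual recurring revenue per key account, USD
    churn_fraction: float          # share of key accounts lost after the breach (0..1)


def estimate_breach_cost(inp: BreachInputs) -> dict:
    """Return per-category costs, the total, each category's share, and the
    total as a fraction of annual revenue.

    Lost customers are counted as one year of foregone ARR; the page treats
    them as ongoing, so the true figure grows with every year they stay gone.
    """
    daily_revenue = inp.annual_revenue / 365
    costs = {
        "forensics": inp.forensics_hours * inp.forensics_rate,
        "business_interruption": daily_revenue * inp.downtime_days * inp.downtime_loss_fraction,
        "notification": inp.records_affected * inp.cost_per_record,
        "legal_and_regulatory": inp.legal_hours * inp.legal_rate + inp.regulatory_fines,
        "lost_customers_year1": inp.key_accounts * inp.churn_fraction * inp.avg_account_arr,
    }
    total = sum(costs.values())
    return {
        "costs": costs,
        "total": total,
        "share": {k: v / total for k, v in costs.items()} if total else {},
        "fraction_of_revenue": total / inp.annual_revenue if inp.annual_revenue else 0.0,
    }


def months_of_margin_consumed(total_cost: float, annual_revenue: float,
                              operating_margin: float) -> float:
    """How many months of operating profit the breach wipes out.

    This is the point behind "2% of revenue but several months of margin":
    a $100K hit is small against $5M revenue but large against a 10% margin.
    """
    monthly_profit = annual_revenue * operating_margin / 12
    return float("inf") if monthly_profit <= 0 else total_cost / monthly_profit


def example_scenario() -> BreachInputs:
    """Constructed inputs for a 20-person, $5M/year firm (assumptions, not data)."""
    return BreachInputs(
        annual_revenue=5_000_000, downtime_days=22, downtime_loss_fraction=1.0,
        forensics_hours=200, forensics_rate=300,
        records_affected=10_000, cost_per_record=3.0,
        legal_hours=100, legal_rate=400, regulatory_fines=0.0,
        key_accounts=200, avg_account_arr=25_000, churn_fraction=0.20,
    )


if __name__ == "__main__":
    result = estimate_breach_cost(example_scenario())
    for name, value in result["costs"].items():
        print(f"{name:<24} ${value:>12,.0f}  ({result['share'][name]:5.1%})")
    print(f"{'total':<24} ${result['total']:>12,.0f}  "
          f"({result['fraction_of_revenue']:.1%} of annual revenue)")
    print(f"months of 10% operating margin consumed: "
          f"{months_of_margin_consumed(result['total'], 5_000_000, 0.10):.1f}")
```

Run as a script it prints the breakdown; the instructive part is the share column. In this scenario the one-off costs (forensics, notification, legal) are well under $150K, which is what most "breach cost" headlines count, while downtime and churned accounts are what actually threaten the firm. Change churn_fraction to 0 and regulatory_fines to a six-figure number to see how the shape of the loss differs between a B2C firm facing regulators and a B2B firm facing its key accounts.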

Most Common SMB Attack Types

Small businesses face a different threat landscape than enterprises. While nation-state actors and advanced persistent threats target large organizations, SMBs are predominantly hit by opportunistic attacks that exploit basic security gaps. Phishing accounts for 43% of SMB breaches, making it the single largest threat vector — and one of the most preventable through employee awareness training.

  • Phishing: 43%
  • Ransomware: 27%
  • Business Email Compromise: 15%
  • Credential Stuffing: 10%
  • Other: 5%

Source: Verizon DBIR 2025, CrowdStrike SMB Threat Report

Real SMB Breach Case Studies

Lincoln College (157-year-old institution, 2022)

Lincoln College in Illinois, founded in 1865, permanently closed its doors in May 2022 after a December 2021 ransomware attack compounded existing financial challenges from COVID-19 enrollment declines. The attack encrypted critical systems during the crucial enrollment period, preventing the college from accessing institutional data needed for recruiting and retention. With enrollment already down 45% from COVID, the ransomware attack eliminated any chance of recovery. The college spent four months working to restore systems, ultimately achieving full restoration, but the damage to enrollment was irreversible. Total cost: institutional survival.

Renfrew County (Ontario, Canada, 2021)

Renfrew County's municipal government suffered a ransomware attack that encrypted systems across multiple departments including paramedic services, housing, and long-term care facilities. With approximately 100 employees and limited IT staff, the county spent an estimated $500,000 on incident response, forensic investigation, and system restoration — a significant portion of its annual IT budget. Critical services were disrupted for weeks, with paramedic dispatching reverting to manual paper processes. The incident highlighted how small government organizations face enterprise-level threats with fraction-of-enterprise budgets.

The Heritage Company (Arkansas, 2019)

The Heritage Company, a telemarketing firm with approximately 300 employees, was hit by ransomware in October 2019. The company paid the ransom but still could not fully restore operations. After spending several hundred thousand dollars on IT recovery, legal fees, and lost business, the CEO told employees in a letter just before Christmas 2019 that the company could not continue and was suspending operations, leaving roughly 300 people without work. The business never recovered and closed permanently. This case illustrates the cruel reality that even paying the ransom does not guarantee business survival for small organizations.

Affordable Prevention for Small Businesses

The good news: the most effective breach prevention controls are also the most affordable. Small businesses do not need enterprise security budgets to achieve meaningful protection. The controls below are organized by cost tier, with the free/low-cost options providing the highest ROI and addressing the most common SMB attack vectors.

Free / Near-Zero Cost

  • Enable MFA on all accounts (email, banking, cloud services, and any remote access or VPN); authenticator apps or hardware keys resist phishing far better than SMS codes
  • Regular employee security awareness conversations
  • Keep all software and operating systems updated
  • Implement the 3-2-1 backup rule (3 copies, 2 media, 1 offsite), keep at least one copy offline or immutable because ransomware routinely encrypts or deletes any backup it can reach, and test a restore periodically
  • Use a password manager (many have free tiers)
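A backup that was never tested is the one that fails during a ransomware recovery, and a copy the attacker could reach is often found encrypted alongside production. The script below is an added example (not a tool from the page or from any vendor it names) that checks the 3-2-1 rule the way a practitioner would actually want it checked: every file in each copy is hashed against the live data, and only copies that fully match count toward the three-copies, two-media and one-offsite conditions. The directory names, media tags, sample files and the "encrypted" cloud copy in run_demo() are constructed fixtures so the script runs offline; in practice you would point it at real mount points.

```python
"""3-2-1 backup verifier (added example; not a tool from the page).

It hashes every file in the source tree and in each backup copy, flags
copies that are missing files or whose contents differ (what an encrypted
or silently corrupted backup looks like), and checks the rule only against
copies that verify. Locations, media tags and the sample files in run_demo()
are constructed fixtures; point it at real mount points in practice.
"""
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class BackupCopy:
    path: Path
    media: str      # e.g. "local-disk", "nas", "cloud", "tape"
    offsite: bool


def sha256_tree(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_321(source: Path, source_media: str, copies: list) -> dict:
    """Check each copy against the source, then the 3-2-1 rule over healthy copies.

    Counting: the live data is copy 1 on source_media; each backup that fully
    matches adds a copy and a media type; offsite needs one healthy offsite copy.
    """
    want = sha256_tree(source)
    per_copy = []
    for c in copies:
        have = sha256_tree(c.path)
        missing = sorted(f for f in want if f not in have)
        differing = sorted(f for f in want if f in have and have[f] != want[f])
        per_copy.append({
            "path": str(c.path), "media": c.media, "offsite": c.offsite,
            "missing": missing, "differing": differing,
            "ok": not missing and not differing,
        })
    healthy = [c for c, rep in zip(copies, per_copy) if rep["ok"]]
    report = {
        "copies": per_copy,
        "healthy_copies": len(healthy),
        "three_copies": 1 + len(healthy) >= 3,
        "two_media": len({source_media} | {c.media for c in healthy}) >= 2,
        "one_offsite": any(c.offsite for c in healthy),
    }
    report["compliant"] = report["three_copies"] and report["two_media"] and report["one_offsite"]
    return report


def run_demo(tamper: bool = True) -> dict:
    """Build a constructed fixture in a temp dir and verify it.

    tamper=True overwrites one file in the offsite cloud copy, as a
    ransomware-encrypted backup would look; tamper=False leaves all copies intact.
    """
    files = {  # constructed sample data, not real customer records
        "customers.db": b"id,name\n1,Alice\n2,Bob\n",
        "invoices.csv": b"inv,amount\n1001,250.00\n",
    }
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        source = base / "source"
        copies = [
            BackupCopy(base / "nas", "nas", offsite=False),
            BackupCopy(base / "cloud", "cloud", offsite=True),
        ]
        for root in [source] + [c.path for c in copies]:
            root.mkdir()
            for name, data in files.items():
                (root / name).write_bytes(data)
        if tamper:
            (copies[1].path / "invoices.csv").write_bytes(b"\x00ENCRYPTED\x00" * 4)
        return verify_321(source, "local-disk", copies)


if __name__ == "__main__":
    for tamper in (True, False):
        r = run_demo(tamper)
        print(f"tampered offsite copy: {tamper}")
        for rep in r["copies"]:
            print(f"  {rep['media']:<6} ok={rep['ok']} differing={rep['differing']}")
        print(f"  3-2-1 compliant: {r['compliant']}")
```

With the cloud copy tampered the report shows two copies, not three, and no healthy offsite copy, so the rule fails even though three directories exist; that is the difference between "we have backups" and "we have backups we can restore from". Hashing against the live source only proves the copy matches today; to catch a backup that was taken after ransomware already encrypted production, keep and compare against the previous run's digests as well.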

Under $5,000/Year

  • Managed endpoint detection and response (EDR) — $3-8/device/month
  • Business-grade email filtering — $2-5/user/month
  • Enterprise password manager — $4-8/user/month
  • DNS filtering (block known malicious domains) — $1-3/user/month
  • Automated patch management — $2-5/device/month

Under $20,000/Year

  • Managed SIEM (Security Information & Event Management)
  • Annual penetration test — $5K-$15K
  • Cyber insurance policy — $1K-$5K/year for small businesses
  • Security awareness training platform — $15-25/user/year
  • Managed firewall and intrusion detection

Source: Industry pricing benchmarks, vendor published pricing. Last verified: April 2026.

Related pages:

  • Full Calculator: model your specific small business breach exposure.
  • Prevention ROI: detailed ROI analysis for every security control.
  • Ransomware Targeting SMBs: why ransomware operators increasingly target small businesses.
  • Your Legal Obligations: breach notification requirements apply to businesses of all sizes.

Frequently Asked Questions

How much does a data breach cost a small business?

Data breach costs for small businesses range from $15,000 for a micro-business (1-9 employees) to $3.31 million for organizations under 500 employees (IBM 2025 benchmark). The most common range for a typical small business (10-49 employees) is $50,000-$200,000, encompassing IT forensics, business interruption, customer notification, and legal costs. TechAisle estimates the broader SMB average at $1.6 million. These costs are disproportionately impactful: a $100,000 breach is only 2% of revenue for a $5 million business, but at a 10% operating margin it is more than two months of profit wiped out.

Can a small business survive a data breach?

The frequently cited statistic is that 60% of small businesses close within six months of a major cyber attack. While the exact percentage is debated, the underlying reality is clear: data breaches pose existential threats to small businesses. Survival depends on several factors: pre-existing financial reserves, the severity of the breach, the quality of incident response, customer and partner loyalty, and available insurance coverage. Businesses with cyber insurance, tested backup procedures, and incident response plans are significantly more likely to survive. The Heritage Company (300 employees) and Lincoln College are real examples of organizations that did not survive their breaches.

What is the cheapest way for a small business to prevent a breach?

The most cost-effective breach prevention starts with free or near-zero cost controls: enabling multi-factor authentication (MFA) on all accounts, maintaining regular software updates and patches, implementing the 3-2-1 backup rule (3 copies, 2 different media, 1 offsite) with at least one copy offline or immutable, using a password manager, and conducting regular security awareness conversations with employees. These five steps alone address the root causes of the majority of SMB breaches. MFA is the clearest case: in the Colonial Pipeline, Change Healthcare, and many Snowflake-related breaches, initial access was a valid credential used on an account that had no MFA enabled. For under $5,000/year, adding managed endpoint detection, email filtering, and DNS filtering provides enterprise-grade protection at SMB prices.

What percentage of small businesses close after a cyber attack?

The figure commonly attributed to the National Cyber Security Alliance is that 60% of small businesses that experience a major cyber attack go out of business within six months. Researchers debate the exact number, but multiple studies agree that the survival rate for small businesses after a significant breach is alarmingly low. The key factors driving closure are insufficient cash reserves to absorb unexpected costs, inability to maintain operations during extended downtime, loss of customer trust and the resulting revenue decline, and statutory penalties that do not scale down with business size. Businesses with cyber insurance and tested recovery plans have substantially better survival rates.