The Real Cost of a Data Breach for a Small Business
The number everyone quotes is $4.88 million. That's the average. Here's what it actually looks like when it happens to a 30-person company.
IBM publishes an annual Cost of a Data Breach report. The 2024 edition put the global average at $4.88 million. For healthcare, it was $9.77 million. Those numbers get cited everywhere.
But if you're a 30-person accounting firm or a 15-person dental practice, those averages don't mean much. You're not a Fortune 500 company with millions of records. So what does a breach actually cost you?
More than you think. Here's the breakdown.
The Direct Costs
These are the expenses that hit your bank account in the first 90 days.
Forensic investigation
$10,000 - $75,000
You need to know what happened, what was accessed, and how the attacker got in. This requires a forensic firm. They image your systems, analyze the attack chain, and produce a report. This isn't optional - your cyber insurance carrier will require it, and you need it for regulatory notification.
Legal fees
$15,000 - $100,000+
You'll need a lawyer who specializes in data breach response. They'll handle regulatory notifications, draft breach notification letters, advise on liability exposure, and potentially defend against lawsuits. If you're in healthcare, add HIPAA-specific legal counsel.
Notification and credit monitoring
$5 - $30 per affected individual
You're required to notify every person whose data was exposed. For HIPAA, that's within 60 days. Most states have their own notification laws too. You'll also typically offer credit monitoring (1-2 years). For a practice with 2,000 patients, that's $10,000 - $60,000 just in notifications and monitoring.
Regulatory fines
$0 - $1,500,000+
Depends entirely on the framework and severity. HIPAA fines range from $100 to $50,000 per violation, capped at $1.5M per violation category per year. If the breach reveals systemic compliance failures (no risk assessment, no encryption, no training), the fines stack up fast.
Ransom payment (if ransomware)
$10,000 - $500,000+
The median ransom demand for small businesses in 2024 was around $50,000. Paying doesn't guarantee you get your data back, and it doesn't satisfy notification requirements. You still have to report the breach regardless.
The Hidden Costs
The direct costs are painful. The hidden costs are what put companies out of business.
Downtime
The average ransomware recovery time is 22 days. During that time, your systems are partially or fully offline. For a medical practice billing $5,000/day in services, that's $110,000 in lost revenue. For a CPA firm during tax season, it could be worse.
Lost clients
Studies consistently show that 25-40% of customers leave after a data breach. For a small business, losing a quarter of your client base is devastating. The trust that took years to build evaporates in a news cycle.
Insurance premium increases
After a claim, your cyber insurance premiums will increase 25-100% at renewal. Some carriers may decline to renew entirely, forcing you into a higher-risk pool with worse coverage at higher cost.
Employee impact
Your team spends weeks dealing with the aftermath instead of doing their actual jobs. Morale drops. Key employees may leave. Recruitment becomes harder when the breach is public.
Reputation damage
For HIPAA breaches affecting 500+ individuals, the breach is posted on the HHS "Wall of Shame" - a public, searchable database that lives forever. For any business, negative press and Google results about the breach will follow you for years.
Putting It Together
Realistic Breach Cost for a Small Business (20-50 employees)
- Forensic investigation: $25,000
- Legal fees: $30,000
- Notification/credit monitoring: $20,000
- Regulatory fines: $50,000 (assuming some gaps)
- System recovery/rebuild: $15,000
- Downtime (2-3 weeks): $50,000 - $150,000
- Lost clients (first year): $50,000 - $200,000
- Conservative total: $240,000 - $490,000
This doesn't include ransom payments, lawsuits, or long-term reputation damage. Add those and you're easily over $500,000.
The Survival Rate
The often-cited statistic is that 60% of small businesses close within 6 months of a cyberattack. The actual number varies by study, but the direction is consistent: a significant percentage of small businesses don't recover.
The businesses that do survive are the ones that:
- Had cyber insurance that covered their response costs
- Had working backups that allowed them to recover data
- Had an incident response plan so they moved quickly
- Had compliance documentation that reduced regulatory penalties
- Communicated honestly with clients and retained trust
Every one of those things is something you set up before the breach, not after.
The Math on Prevention
A proper cybersecurity and compliance program for a 30-person business costs roughly $50,000 - $120,000 per year. That includes managed IT, endpoint security, backup, compliance documentation, and annual risk assessments.
A single breach costs $240,000 - $500,000+ and might end your business.
The ROI on cybersecurity isn't theoretical. It's the difference between a bad week and a closed business.
How Exposed Is Your Business?
We'll show you where the gaps are before an attacker finds them.