Form: Cost-of-Breach Disclosure
Source: IBM 2025
Filed: 28 Apr 2026
DataBreachCost.com
Schedule 07 / SMB Cost Register
TechAisle 2025 + IBM 2023 org-size breakout

SMB headline figure

A small-business data breach averages $1.6M, up to $3.31M at the top of the SMB range.

IBM's headline $4.44M average is enterprise-skewed. TechAisle's 2025 SMB tracker puts the average breach loss at $1.6M across small and mid-size firms; IBM's most recent small-business breakout (2023, the last year it segmented by organization size) put firms under 500 employees at $3.31M. For a genuinely small business the range runs $15K to $3.31M, which is of the same order as annual revenue. Below: cost ranges by company size, common attack types, and an affordable defence stack by budget tier.

SMB average: $1.6M (TechAisle 2025, all SMB)
Under 500 employees: $3.31M (IBM 2023, last breakout)
Micro (1-9 employees): $15K-$50K (typical range)
Global average: $4.44M (IBM 2025, all sizes)

Section 07.1 / Cost ranges by size

What it actually costs at your scale

Costs scale with employee count, but unevenly. Notification cost per record is the same whatever the size of the organization. Forensics carries a base fee before any per-record work. The result: smaller incidents are dominated by fixed costs, while large incidents start to track the number of records exposed.

Organization size                     | Cost range
Sole trader / micro (1-9 employees)   | $15K - $50K
Small (10-49 employees)               | $50K - $200K
Medium (50-249 employees)             | $200K - $1M
Mid-market (250-499 employees)        | $1M - $3.31M

Primary source: Organization-size figure from IBM Cost of a Data Breach Report 2023 (fewer-than-500-employee bracket, the last year IBM segmented by size); SMB average from TechAisle SMB Cybersecurity Tracker 2025. Sub-500-employee cost ranges are modelled from fixed-cost floors plus per-record and business-interruption scaling.
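The "fixed-cost floor plus per-record and business-interruption scaling" model described above, written out as a small calculator. This is an added illustration, not the schedule's own model or the calculator on DataBreachCost.com; every parameter value (forensics floor, legal floor, per-record notification cost, hourly interruption loss) is a constructed placeholder chosen only to show the shape of the curve, not a figure taken from IBM or TechAisle.

```python
# Illustrative SMB breach-cost model: fixed floors plus per-record and
# business-interruption scaling. All parameter defaults are constructed
# placeholders for this example, NOT figures from the schedule or its sources.
from dataclasses import dataclass


@dataclass(frozen=True)
class CostModel:
    forensics_floor: float = 25_000.0     # assumed base fee for an IR/forensics engagement
    legal_floor: float = 10_000.0         # assumed minimum legal and regulatory spend
    notification_per_record: float = 5.0  # assumed per-record notification cost, size-independent
    interruption_per_hour: float = 800.0  # assumed revenue lost per hour of downtime

    def fixed_cost(self) -> float:
        """Costs incurred by any incident regardless of how many records are exposed."""
        return self.forensics_floor + self.legal_floor

    def variable_cost(self, records: int, downtime_hours: float) -> float:
        """Costs that scale with records exposed and hours of business interruption."""
        return records * self.notification_per_record + downtime_hours * self.interruption_per_hour

    def total_cost(self, records: int, downtime_hours: float) -> float:
        return self.fixed_cost() + self.variable_cost(records, downtime_hours)

    def fixed_share(self, records: int, downtime_hours: float) -> float:
        """Fraction of the total that is fixed cost. High for small incidents,
        falling toward zero as record counts grow, which is the uneven scaling
        the schedule describes."""
        return self.fixed_cost() / self.total_cost(records, downtime_hours)


def compare_scenarios(model: CostModel = CostModel()) -> dict:
    """Run a constructed small and large scenario through the model."""
    scenarios = {
        "micro_incident": (500, 8.0),        # constructed: 500 records, one working day down
        "mid_market_incident": (200_000, 72.0),  # constructed: 200k records, three days down
    }
    return {
        name: {
            "total": model.total_cost(records, hours),
            "fixed_share": round(model.fixed_share(records, hours), 3),
        }
        for name, (records, hours) in scenarios.items()
    }


if __name__ == "__main__":
    for name, result in compare_scenarios().items():
        print(f"{name}: total ${result['total']:,.0f}, fixed share {result['fixed_share']:.1%}")
```

With these placeholder parameters the micro incident is roughly four-fifths fixed cost, while the mid-market incident is about 3% fixed: the same floors, but the per-record term has taken over. Substituting real quotes for the four parameters turns this into a first-pass estimate for a specific business.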

Section 07.2 / Common SMB attack types

Where SMB breaches start

SMBs face a different attack mix than enterprises. Phishing dominates because SMB email security is often consumer-grade. Ransomware operators target SMBs deliberately because SMB victims pay more often and detect intrusions more slowly.

Attack type                 | Description                                          | Share
Phishing                    | Fraudulent emails targeting employees                | 43%
Ransomware                  | Encryption-based extortion increasingly targeting SMBs | 27%
Business Email Compromise   | Impersonating executives or vendors                  | 15%
Credential Stuffing         | Automated login attempts with leaked passwords       | 10%
Other                       | Insider threats, physical theft, misconfiguration    | 5%

Primary source: Verizon Data Breach Investigations Report 2025 (SMB victim cohort).

Section 07.3 / Affordable defence stack

What you can do at three budget tiers

Free or low-cost controls eliminate the most common attack precursors. Paid tiers add managed-service economics. Controls are listed vendor-neutral, by category only.

Tier 1 / Free or near-free

Eliminates the precursor attacks

  • Enable MFA on all accounts (email, banking, cloud services)
  • Regular employee security awareness conversations
  • Keep all software and operating systems updated
  • Implement the 3-2-1 backup rule (3 copies, 2 media, 1 offsite)
  • Use a password manager (many have free tiers)

Tier 2 / Under $5K / year

Managed defence becomes affordable

  • Managed endpoint detection and response (EDR), $3-8/device/month
  • Business-grade email filtering, $2-5/user/month
  • Enterprise password manager, $4-8/user/month
  • DNS filtering (block known malicious domains), $1-3/user/month
  • Automated patch management, $2-5/device/month

Tier 3 / Under $20K / year

SMB approaches enterprise hygiene

  • Managed SIEM (Security Information & Event Management)
  • Annual penetration test, $5K-$15K
  • Cyber insurance policy, $1K-$5K/year for small businesses
  • Security awareness training platform, $15-25/user/year
  • Managed firewall and intrusion detection

Primary source: Pricing aggregated from public vendor pricing pages (typical 25-100 user bands), Q1 2026.
