SMB headline figure
60% of small businesses close within 6 months.
IBM's headline $4.44M average is enterprise-skewed. The reality for an SMB is a $15K-$3.31M cost range that can be compared directly with annual revenue. Below: cost ranges by company size, common attack types, and an affordable defence stack by budget tier.
| Metric | Figure | Note / source |
|---|---|---|
| Closure rate | 60% | Within 6 months of a major attack |
| Under-500-employee average | $3.31M | IBM 2025 |
| Broader SMB average | $1.6M | TechAisle 2025 |
| Small business average | $0.164M ($164K) | All incidents |
Section 07.1 / Cost ranges by size
What it actually costs at your scale
Costs scale with employee count, but unevenly. Notification costs a fixed amount per record regardless of company size, and forensics carries a base fee whatever the incident. The result: smaller incidents are dominated by fixed costs, while large incidents start to track the number of records exposed.
| Organization size | Cost range | Dominant cost driver |
|---|---|---|
| Sole trader / micro (1-9 employees) | $15K - $50K | Fixed costs (forensics, legal retainer, notification) |
| Small (10-49 employees) | $50K - $200K | Fixed costs (forensics, legal retainer, notification) |
| Medium (50-249 employees) | $200K - $1M | Mixed: fixed costs + per-record + business interruption |
| Mid-market (250-499 employees) | $1M - $3.31M | Per-record costs and lost business become dominant |
Primary source: IBM Cost of a Data Breach Report 2025 (under-500-employee bracket); TechAisle SMB Cybersecurity Tracker 2025; Hiscox Cyber Readiness Report.
Section 07.2 / Common SMB attack types
Where SMB breaches start
SMBs face a different attack mix than enterprises. Phishing dominates because SMB email security is often consumer-grade. Ransomware operators target SMBs deliberately because the pay rate is higher and detection is slower.
Primary source: Verizon Data Breach Investigations Report 2025 (SMB victim cohort).
Section 07.3 / Affordable defence stack
What you can do at three budget tiers
Free or low-cost controls eliminate the most common attack precursors. Paid tiers add managed-service economics. Controls are vendor-neutral and named only by category.
Tier 1 / Free or near-free
Eliminates the precursor attacks
- [x] Enable MFA on all accounts (email, banking, cloud services)
- [x] Regular employee security awareness conversations
- [x] Keep all software and operating systems updated
- [x] Implement the 3-2-1 backup rule (3 copies, 2 media, 1 offsite)
- [x] Use a password manager (many have free tiers)
Tier 2 / Under $5K / year
Managed defence becomes affordable
- [x] Managed endpoint detection and response (EDR), $3-8/device/month
- [x] Business-grade email filtering, $2-5/user/month
- [x] Enterprise password manager, $4-8/user/month
- [x] DNS filtering (block known malicious domains), $1-3/user/month
- [x] Automated patch management, $2-5/device/month
Tier 3 / Under $20K / year
SMB approaches enterprise hygiene
- [x] Managed SIEM (Security Information & Event Management)
- [x] Annual penetration test, $5K-$15K
- [x] Cyber insurance policy, $1K-$5K/year for small businesses
- [x] Security awareness training platform, $15-25/user/year
- [x] Managed firewall and intrusion detection
Primary source: Pricing aggregated from public vendor pricing pages (typical 25-100 user bands), Q1 2026.
Index / Companion schedules
- 01 Calculator: estimate cost at your specific size and industry.
- 05 Prevention ROI: affordable subset of these controls with ROI.
- 06 Ransomware: why SMBs are increasingly the primary target.
- 09 Notification laws: legal obligations after a breach for SMBs.
- 02 Statistics: context for the $4.44M global average.
- 10 Cost breakdown: where the money goes at any size.
Schedule F / Reference Q&A