SMB headline figure
A small-business data breach averages $1.6M, up to $3.31M at the top of the SMB range.
IBM's headline $4.44M average is enterprise-skewed. TechAisle's 2025 SMB tracker puts the average breach loss at $1.6M across small and mid-size firms; IBM's most recent small-business breakout (2023, the last year it segmented by organization size) put firms under 500 employees at $3.31M. For a genuinely small business the range runs from $15K to $3.31M, a sum that is often comparable to the firm's annual revenue. Below: cost ranges by company size, common attack types, and an affordable defence stack by budget tier.
| Figure | Value | Source |
|---|---|---|
| SMB average | $1.6M | TechAisle 2025, all SMB |
| Under 500 employees | $3.31M | IBM 2023 (last size breakout) |
| Micro (1-9 employees) | $15K - $50K | Typical range |
| Global average | $4.44M | IBM 2025, all sizes |
Section 07.1 / Cost ranges by size
What it actually costs at your scale
Costs scale with employee count, but unevenly. The notification cost per affected record is the same regardless of organization size, and forensics carries a base fee no matter how small the incident. The result: smaller incidents are dominated by fixed costs, while larger incidents start to track the number of records exposed.
| Organization size | Cost range | Dominant cost driver |
|---|---|---|
| Sole trader / micro (1-9 employees) | $15K - $50K | Fixed costs (forensics, legal retainer, notification) |
| Small (10-49 employees) | $50K - $200K | Fixed costs (forensics, legal retainer, notification) |
| Medium (50-249 employees) | $200K - $1M | Mixed: fixed costs + per-record + business interruption |
| Mid-market (250-499 employees) | $1M - $3.31M | Per-record costs and lost business become dominant |
Primary source: Organization-size figure from IBM Cost of a Data Breach Report 2023 (fewer-than-500-employee bracket, the last year IBM segmented by size); SMB average from TechAisle SMB Cybersecurity Tracker 2025. Sub-500-employee cost ranges are modelled from fixed-cost floors plus per-record and business-interruption scaling.
Section 07.2 / Common SMB attack types
Where SMB breaches start
SMBs face a different attack mix than enterprises. Phishing dominates because SMB email security is often consumer-grade. Ransomware operators target SMBs deliberately because SMBs pay the ransom more often and detect the intrusion more slowly.
Primary source: Verizon Data Breach Investigations Report 2025 (SMB victim cohort).
Section 07.3 / Affordable defence stack
What you can do at three budget tiers
Free or low-cost controls eliminate the most common attack precursors; the paid tiers add managed-service economics. Controls are vendor-neutral and named only by category.
Tier 1 / Free or near-free
Eliminates the precursor attacks
- [x] Enable MFA on all accounts (email, banking, cloud services)
- [x] Regular employee security awareness conversations
- [x] Keep all software and operating systems updated
- [x] Implement the 3-2-1 backup rule (3 copies, 2 media, 1 offsite)
- [x] Use a password manager (many have free tiers)
Tier 2 / Under $5K / year
Managed defence becomes affordable
- [x] Managed endpoint detection and response (EDR), $3-8/device/month
- [x] Business-grade email filtering, $2-5/user/month
- [x] Enterprise password manager, $4-8/user/month
- [x] DNS filtering (block known malicious domains), $1-3/user/month
- [x] Automated patch management, $2-5/device/month
Tier 3 / Under $20K / year
SMB approaches enterprise hygiene
- [x] Managed SIEM (Security Information & Event Management)
- [x] Annual penetration test, $5K-$15K
- [x] Cyber insurance policy, $1K-$5K/year for small businesses
- [x] Security awareness training platform, $15-25/user/year
- [x] Managed firewall and intrusion detection
Primary source: Pricing aggregated from public vendor pricing pages (typical 25-100 user bands), Q1 2026.