Business·2026-04-03·8 min

The Real Cost of a Data Breach for Small Businesses

Cybersecurity spending feels optional until you compare it to what a breach actually costs. Here's what the numbers look like for businesses under 500 employees.

The most common reason small businesses skip cybersecurity investments is the belief that they're too small to be targeted. The second most common reason is that they can't justify the cost.

Both are wrong, but the second one is easy to disprove with math.

What the Data Shows

IBM publishes an annual Cost of a Data Breach Report — the most comprehensive study of breach costs available, covering hundreds of organizations across industries. The 2025 report puts the global average cost of a data breach at $4.88 million.

That number is misleading for small businesses because it includes enterprise breaches that skew the average. The numbers that matter for you:

Organizations under 500 employees: Average breach cost of $3.31 million. Before you dismiss this as inapplicable to your 20-person company, understand that this figure scales — smaller breaches cost less in absolute terms but proportionally more relative to revenue. A breach that costs a Fortune 500 company a rounding error can bankrupt a small business.

More realistic small business range: Industry analyses estimate the average cost for businesses with 10-100 employees falls between $120,000 and $1.24 million. That range accounts for the direct costs, recovery costs, and business impact that small companies actually experience.

Where the Money Goes

A data breach isn't a single expense. It's a cascade of costs that unfolds over months or years.

Direct Costs

Forensic investigation: Determining what happened, what data was affected, and how the attacker got in. For a small business, expect $10,000-$75,000 depending on complexity. You need a third-party forensic firm — your IT guy running antivirus doesn't satisfy legal or insurance requirements.

Legal counsel: Breach notification laws vary by state (all 50 states plus DC have them), and getting it wrong creates additional liability. Legal fees for breach response typically run $10,000-$50,000 for a small business.

Notification costs: Notifying affected individuals as required by law, including credit monitoring services that many states mandate you provide. At roughly $1-$2 per affected individual for notification and $10-$30 per person per year for credit monitoring, this adds up fast.

Regulatory fines: Depending on your industry and the data involved, you may face fines from state attorneys general, the FTC, HHS (for healthcare data), or state privacy regulators. HIPAA violations alone can range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category.

Recovery Costs

System restoration: Rebuilding compromised systems, restoring from backups (if you have them), replacing hardware, and re-imaging endpoints. If you don't have clean backups and the attacker deployed ransomware, you're rebuilding from scratch.

Security improvements: The security controls you should have had before the breach — you're implementing them now, under pressure, at a premium. Expect to spend 3-5x what it would have cost to do it proactively.

Increased insurance premiums: Your cyber insurance premium will increase at the next renewal. If you didn't have cyber insurance, obtaining it post-breach will be significantly more expensive, if you can get it at all.

Business Impact

Downtime: The most underestimated cost. The average ransomware-related downtime is 24 days. For a business generating $5,000/day in revenue, that's $120,000 in lost revenue before you've paid for anything else. And 24 days is the average — many businesses experience longer outages.

Customer loss: This is hard to quantify in advance but real in practice. The IBM report shows that lost business represents the largest share of breach costs across all organization sizes. Customers leave. Prospects choose competitors. The reputational damage compounds over time.

Opportunity cost: Every hour your team spends dealing with breach response is an hour not spent on revenue-generating work. For a small business where everyone wears multiple hats, this impact is felt acutely for months after an incident.

The Insurance Trap

"We have cyber insurance" is not a security strategy. Here's why:

Policies have coverage limits. A typical small business cyber insurance policy covers $1-$3 million. If your breach costs exceed that, you're absorbing the remainder.

Policies have exclusions. Read your policy carefully. Many exclude coverage for breaches resulting from failure to maintain "reasonable security practices" — undefined terms that give the carrier room to deny claims. If the breach occurred because you had no MFA, no patch management, or no encryption on customer data, your carrier may argue you didn't meet this standard.

Policies don't cover everything. Lost business, reputational damage, and long-term customer attrition are rarely covered. The policy pays for incident response and notification. The business impact is on you.

Premiums reflect claims history. One claim doesn't just raise your premium — it may make you uninsurable for a period. Some businesses report premium increases of 200-300% after a breach.

Insurance is a necessary component of risk management, not a substitute for security.

The Comparison That Matters

Here's where the ROI argument becomes straightforward:

| Security Investment | Typical Annual Cost |
|---|---|
| Vulnerability assessment | $3,000-$15,000 |
| MFA implementation | $3-$6/user/month |
| Security monitoring | $5,000-$20,000/year |
| Employee security training | $1,000-$5,000/year |
| Patch management | $2,000-$10,000/year |
| Total annual security program | $15,000-$55,000 |

Compare that to the breach cost range of $120,000 to $1.24 million. A comprehensive small business security program costs somewhere between 4% and 12% of the low end of expected breach costs. Annually.

The objection that security is too expensive only holds up if you assume a breach will never happen to you. That assumption gets more dangerous every year as attacks become more automated and indiscriminate.

The Small Business Targeting Myth

"We're too small to be a target" was debatable five years ago. It's not debatable now.

Modern attacks are automated. Attackers scan the entire internet for vulnerable services, exposed credentials, and misconfigured systems. They don't check your revenue before attacking. A bot that finds your unpatched VPN appliance doesn't know or care that you have 15 employees.

According to Verizon's Data Breach Investigations Report, 43% of cyberattacks target small businesses. Small businesses represent the majority of ransomware victims because they have weaker defenses and are more likely to pay.

You're not too small to be targeted. You're the preferred target.

The Decision

Security spending is risk management. You're not buying a guarantee — you're reducing the probability and severity of an event that would be financially devastating.

An assessment that identifies your specific vulnerabilities costs less than 1% of the average small business breach. That's not a hard case to make.

Find out where you stand. A security assessment shows you exactly what an attacker would find and gives you a prioritized plan to address it — before someone else finds it first.
