What a Cyberattack Actually Costs a Small Business

The cost of a cyberattack for small businesses is one of the most underestimated risks in business today. Headlines throw around big numbers, but the actual experience is more complicated than any single figure suggests. The damage doesn’t stop when the attack does. It compounds across weeks and months, touching everything from operations to reputation to insurance premiums.

This post breaks down what those costs actually look like: where the money goes, why small businesses are disproportionately affected, and what it takes to avoid becoming part of the statistics.

Key Takeaways

  • The average cost of a cyberattack for a small business ranges from $120,000 to over $1 million, depending on severity.
  • Costs fall into three categories: direct (immediate response), indirect (operational disruption), and hidden (long-term damage). 
  • A widely repeated figure holds that 60% of small businesses close within six months of a major data breach; that number has never been traced to a published study, so treat it as a warning rather than a measurement. 
  • Ransomware, phishing, and credential theft are the most common and costly attack types targeting SMBs. 
  • Proactive managed IT security costs significantly less than recovering from an incident.

What Does a Cyberattack Actually Cost a Small Business?

According to Verizon’s 2024 Data Breach Investigations Report, the average cost of a breach for a small business ranges from $120,000 to $1.24 million. IBM’s research puts the figure higher still — closer to $3.31 million for businesses with fewer than 500 employees when all downstream costs are factored in. Hiscox’s annual Cyber Readiness Report offers a different lens: a median annual cost of $8,300 per business, but across a median of four attacks per year.

The range is wide because so much depends on the type of attack, how quickly it’s detected, what data was accessed, and whether the business had any incident response plan in place before it happened. A phishing email that gets caught early looks nothing like a ransomware attack that shuts down operations for a week.

What the numbers agree on: the cost is almost always higher than the business expected, and it almost never stays contained to the initial incident.

The Direct Costs of Data Breach Recovery for Small Businesses

These are the expenses that show up first: the ones a business has to pay to stop the bleeding and get back online.

IT forensics and incident response

The first priority after an attack is understanding what happened, what was accessed, and whether the threat is still active. That requires specialist forensic investigators — and their services don’t come cheap. Forensic investigation alone can run between $15,000 and $30,000, depending on the complexity of the breach. For a business without an existing managed IT relationship, finding and onboarding that expertise in the middle of a crisis adds both time and cost.

Data recovery

Cyberattacks frequently corrupt, encrypt, or destroy business data. Recovering it — if recovery is even possible — requires specialist tools and significant labour. The cost varies based on how much data was affected and whether current backups exist. Businesses without recent, clean backups often face a choice between paying the ransom or rebuilding from scratch.

Customer notification and credit monitoring

If customer or employee data was compromised, most jurisdictions require formal notification — and in many cases, businesses are also expected to provide affected individuals with credit monitoring services. This process, including legal review of notification requirements, communications, and monitoring provision, typically costs between $20,000 and $50,000. It’s also the moment a private incident becomes a public one.

Ransom payments

Ransomware encrypts a business's systems and data and demands payment for the decryption key. Many crews now also copy the data out before encrypting it and threaten to publish it, so a payment buys at best a key, never the return of what was stolen. The average ransom demand for small businesses now exceeds $10,000, and paying it doesn't guarantee resolution. According to Hiscox, of the small businesses that paid ransoms, only half recovered all their data, and 27% faced additional demands after the first payment. Paying the ransom is often the beginning of the cost, not the end of it.

The Indirect Costs: What You Lose Over Time

Once the immediate crisis is contained, a second wave of costs begins. These are slower to surface but often more damaging in total.

Business downtime and lost revenue

A cyberattack almost always takes systems offline. For small businesses, even a few days of disruption can mean missed orders, delayed projects, and broken client commitments. The longer the downtime, the deeper the revenue impact — and unlike a planned outage, there’s no way to prepare customers in advance.

The financial impact of a cyberattack on operations

Beyond lost revenue, the operational disruption runs deep. Staff hours are redirected to incident management instead of productive work. Leadership attention shifts away from growth and toward damage control. According to IBM, 60% of breached businesses raise their prices after a cyber incident to offset recovery costs — a move that can push price-sensitive customers toward competitors. The financial impact of a cyberattack doesn’t just hit the balance sheet once; it reshapes how the business operates for months.

Reputational damage and customer churn

A breach makes customers question whether their data is safe, and many will simply take their business elsewhere rather than wait to find out. That lost revenue rarely shows up in breach cost estimates, but it’s real and often permanent. Investors and prospective hires apply the same logic: a publicised security incident is a signal about how a business is run.

Rising insurance premiums

Experiencing a breach changes your relationship with your insurer. Premiums typically increase after an incident, particularly if the investigation reveals gaps in the business’s security posture. For businesses that didn’t have cyber insurance at the time of the attack, getting cover afterwards becomes significantly more expensive — if they can get it at all.

Legal fees and regulatory fines

Depending on the industry and the data involved, a breach can trigger regulatory investigations and significant fines. Businesses handling health data face HIPAA exposure. Any business dealing with EU customers operates under GDPR, where the statutory maximum is €20 million or 4% of global annual turnover, whichever is higher; even the six-figure fines typically levied on smaller firms are existential at SMB scale. Add legal counsel to navigate the process and respond to any civil claims, and the legal tail of a breach can run for years.

Why Small Businesses Are Hit Hardest

Large enterprises get breached, too. The difference is that they can usually survive it.

A business with thousands of employees, dedicated security teams, legal departments, and deep reserves can absorb the cost of a breach as a line item. For a small business operating on tight margins with a lean team, the same incident can be existential. A widely repeated figure puts it at 60% of small businesses closing within six months of a major breach. That number has never been traced to a published study, so treat it as a warning rather than a measurement; but even without it, a six-figure recovery bill set against a small business's reserves makes the point.

Small businesses are also disproportionately targeted. Cybercriminals know that SMBs typically have less sophisticated defences, less incident response capability, and more pressure to pay ransoms quickly to get back online. According to Accenture, 43% of cyberattacks are aimed at small businesses — but only 14% are prepared to defend themselves.

The asymmetry is stark: the attacks are designed for businesses like yours, but the defences often aren’t.

The Most Common Attack Types and What They Cost

Not all cyberattacks are equal. These three account for the vast majority of incidents affecting small businesses.

Small business ransomware costs

Ransomware is the most financially damaging attack type for SMBs. Criminals encrypt business data and demand payment for the decryption key. Beyond the ransom itself, small business ransomware costs include days or weeks of downtime, data recovery efforts, and in many cases, the cost of rebuilding systems entirely. Sophos's 2023 State of Ransomware Report put the average ransom payment at $1.54 million, nearly double the previous year. That survey covered organisations of 100 to 5,000 employees, most of them far larger than a typical SMB, which is why it sits so far above the $10,000 figure quoted earlier.

Phishing attacks

Phishing remains the most common entry point for cyberattacks, and for good reason: it targets the most vulnerable part of any security setup, the people using it. A convincing email gets one employee to click a link or hand over credentials, and the attacker is inside the network. Hiscox found that phishing was the point of entry in 53% of ransomware incidents. The cost isn’t always dramatic, but the breach rate is consistent.

Credential theft

Stolen login credentials give attackers persistent access to business systems, often going undetected for weeks or months. During that window, they can exfiltrate data, access financial accounts, or lay the groundwork for a larger attack. For businesses using shared passwords or without multi-factor authentication, a single compromised credential can unlock the whole environment. The controls are unglamorous but decisive: unique passwords kept in a manager, multi-factor authentication on every externally reachable login, and alerts on sign-ins from unfamiliar locations or devices.

What a Cyberattack Costs vs. What Prevention Costs

Hiscox's median of $8,300 a year, across a median of four incidents, describes a typical year for a small business. A serious breach, whether ransomware or a major data exfiltration, runs into the hundreds of thousands. Against those numbers, the monthly cost of managed IT security looks less like an overhead and more like an insurance policy with an unusually good payout ratio.

Proactive managed IT support prevents the majority of incidents before they become breaches. Continuous monitoring catches anomalies early. Regular patching closes the vulnerabilities attackers look for. Security awareness training addresses the human layer that phishing depends on. None of it is free — but all of it is cheaper than the alternative.

The businesses that end up paying the most are almost always the ones that delayed the conversation about prevention.

How PRMT Helps Small Businesses Stay Protected

PRMT delivers managed IT services built around the reality that prevention is always cheaper than recovery. Our approach combines continuous monitoring, cybersecurity-first infrastructure management, and proactive threat response — so potential incidents get caught before they become costly ones.

For small and mid-sized businesses, that means access to enterprise-level security capability without the overhead of building it internally. PRMT handles the complexity, so your team can focus on running the business, not firefighting the infrastructure.

If you’re thinking about what a breach would cost your business, it’s worth talking to us first. Get in touch with the PRMT team to find out how we can help you stay ahead of the threat.

Dark Web Scan Terms and Conditions

1. Public Report – Important Legal Notice (Read Before Use)

This Dark Web Exposure Report (“Report”) is generated automatically by Promethean IT, LTD, a New York State corporation (“PRMT,” “we,” “us”), using third-party and open sources. The Report may be incomplete, outdated, contain errors, or include information that is misattributed to the domain searched. The presence of information associated with a domain does not prove that the domain owner, any organization, or any person has been compromised, acted wrongfully, or experienced a current security incident.

This Report is provided for informational and defensive security purposes only and is not a security audit, penetration test, incident response service, breach notification, legal opinion, compliance determination, or a guarantee of security. Do not rely on this Report as the sole basis for decisions, and do not use it to target, harass, investigate individuals, or attempt unauthorized access.

Public availability & indexing. This Report is provided on a public website and may be accessible to anyone. It may be indexed, cached, archived, screen-captured, or copied by third parties beyond PRMT’s control.

By accessing or using this Report, you agree to the Dark Web Exposure Report Terms applicable to PRMT’s dark web monitoring pages and subpages (the “Site”).

2. How to Interpret This Report

  • The Report surfaces signals that may indicate exposure of credentials, identifiers, or domain-associated artifacts in third-party datasets (including, without limitation, breach corpuses, malware logs, paste sites, and other sources).

  • Results may reflect historical events and may include false positives, duplicates, synthetic/test data, “look-alike” domains, recycled addresses, forwarding aliases, data entry errors, or data unrelated to the current domain operator.

  • “Exposure” does not necessarily mean an active compromise or current vulnerability, and absence of findings does not mean no exposure exists.

  • The Report is not an attribution statement and should not be interpreted as alleging fault, negligence, or wrongdoing by any organization or individual.

3. Submission Form Language

Authorization & Proper Use Certification

I certify and agree that:

  1. I control the email address I provided and am authorized to request cybersecurity exposure information for the domain derived from that email address (the portion after “@”) (the “Domain”), either as (i) the Domain owner/operator, (ii) an employee/contractor acting within the scope of my duties, or (iii) an agent with written permission;

  2. I will use the Report solely for lawful, defensive security and risk-management purposes relating to the Domain;

  3. I will not use the Report to target, harass, stalk, defame, phish, spam, extort, or attempt unauthorized access to systems, accounts, or data;

  4. I understand and accept that the Report may be publicly accessible and may be indexed/cached/archived by third parties beyond PRMT’s control; and

  5. I have read and agree to the Dark Web Exposure Report Terms and acknowledge PRMT’s disclaimers and limitations of liability.

Email Delivery Consent

I request and consent to receive the Report and related service communications at the email address provided. I understand the message is service-related/transactional and may contain security information.

The Report will be generated only for the Domain derived from the email address provided, as determined by PRMT’s normalization and validation logic. PRMT may refuse, restrict, or suppress outputs in its discretion to mitigate abuse or risk.

4. Dark Web Exposure Report Terms

Effective: January 1, 2026

These Dark Web Exposure Report Terms (“Terms”) govern access to and use of the dark web exposure reporting features made available by Promethean IT, LTD, a New York State corporation (“PRMT,” “we,” “us”), on PRMT’s dark web monitoring pages and subpages (the “Site”). By searching a domain, requesting a Report, accessing a Report, or receiving a Report by email, you (“you,” “Requester”) agree to these Terms.

1. Definitions

  • “Report” means any output, score, summary, finding, alert, visual, or display generated by the Site in connection with a Domain search or request.

  • “Domain” means the internet domain derived from the email address submitted (generally, the portion after “@”), as determined by PRMT in its discretion, including normalization (e.g., handling of subdomains, internationalized domain names, aliases, and domain equivalents).

  • “Service” means the Site features that generate, display, or email Reports.

2. Eligibility; Authority to Request

You represent and warrant that you: (a) are at least the age of majority in your jurisdiction; and (b) are authorized to request and use the Service with respect to the Domain (e.g., you own/control the Domain, are acting within the scope of your employment/engagement, or have express permission from the Domain owner/operator).

No obligation to verify. PRMT may use technical measures to reduce unauthorized requests (including Domain-based email delivery), but PRMT does not guarantee that any Requester is authorized. You acknowledge that identity and authority verification may be limited and that PRMT is not responsible for misrepresentations by Requesters.

3. Public Nature of Reports; No Confidentiality

Reports are made available on a public website. You acknowledge and agree that:

  • Reports may be indexed by search engines and stored via caching, archiving, or mirroring services;

  • Copies may persist even if PRMT later updates, suppresses, or removes a Report; and

  • You will not treat Reports as confidential and you assume all risk of public exposure, republication, and downstream dissemination.

4. Permitted Use

Subject to these Terms, you may use the Service and Reports only for lawful, defensive security, risk management, and internal assessment purposes relating to the Domain.

5. Prohibited Use

You agree not to, and not to permit any third party to:

(a) use the Service or Reports to compromise, attempt to compromise, or gain unauthorized access to any system, account, or data;

(b) use the Service or Reports for phishing, credential stuffing, doxxing, harassment, extortion, fraud, spamming, social engineering, or any unlawful purpose;

(c) use the Service or Reports to investigate, evaluate, or make determinations about individuals (including employment, housing, credit, insurance, eligibility, or similar decisions), or otherwise use Reports as a “consumer report” or similar regulated report;

(d) scrape, crawl, bulk download, or systematically extract data from the Service (including via bots, automation, or any non-public interface), except as expressly permitted in writing by PRMT;

(e) reverse engineer, bypass, or interfere with Service security, rate limits, access controls, or anti-abuse measures;

(f) misrepresent your identity, authorization, or affiliation with any Domain;

(g) introduce malware or malicious code, or use the Service to distribute or facilitate malicious activity; or

(h) use the Service in a manner that could reasonably be expected to create liability, reputational injury, or harm to PRMT or others.

PRMT may investigate suspected violations and may suspend, block, limit, suppress, remove, or refuse Service access at any time.

6. Nature of the Data; No Statement of Fact; No Endorsement

The Service aggregates, analyzes, and summarizes information from third-party and open sources. Reports are indicators and signals, not verified facts. PRMT does not independently verify the completeness, accuracy, timeliness, source provenance, legality of upstream collection, or attribution of underlying data.

No implication of wrongdoing. Reports do not allege, and must not be interpreted as alleging, wrongdoing, negligence, breach, or fault by any Domain owner/operator, employee, contractor, or user. Any labels, severity indicators, or summaries are for informational triage only.

7. No Security Audit; No Incident Response; No Duty to Update

The Service is not a penetration test, vulnerability assessment, audit, certification, compliance determination, managed detection and response (MDR), or incident response service. PRMT does not guarantee that:

  • the Service will identify all exposures, threats, incidents, compromised credentials, or affected individuals;

  • any finding reflects a current risk; or

  • the Service will continuously monitor or update any Report.

PRMT may change the Service, sources, scoring, display logic, or reporting format at any time without notice.

8. Your Responsibilities

You are solely responsible for:

(a) determining whether you are authorized to request and use a Report for a Domain;

(b) verifying results through your own security processes and qualified advisors;

(c) using the information lawfully and responsibly; and

(d) complying with all applicable laws and policies (including privacy, cybersecurity, employment, and communications laws) relating to your access and use of Reports.

9. Email Delivery; Consent; Misdelivery and Compromised Mailbox Risk

By submitting an email address, you request that PRMT send the Report and related service communications to that address. You acknowledge that:

  • PRMT cannot guarantee deliverability or confidentiality of email in transit or at rest outside PRMT’s systems;

  • email may be forwarded, archived, accessed by administrators, or viewed by unintended recipients; and

  • if the mailbox is compromised or shared, a Report may be accessed by unauthorized parties.

PRMT is not responsible for unauthorized access to emails outside PRMT’s control.

10. Privacy; Personal Data; Redaction; Sensitive Information Handling

Reports may reference datasets that include identifiers (including email addresses) associated with a Domain. PRMT may redact, mask, hash, summarize, aggregate, or otherwise transform data to reduce sensitivity, and may change presentation at any time in its discretion.

You agree not to publish, share, reidentify, or misuse sensitive data obtained from the Service, and to handle any personal data in compliance with applicable law.

Your use of the Service is also governed by PRMT’s Privacy Notice.

11. Takedown / Dispute / Correction Process

If you believe a Report is inaccurate, unlawfully published, defamatory, infringes rights, or was requested without authorization, you may contact PRMT at [email protected] with: (i) the Domain, (ii) the specific Report URL or identifying details, (iii) the basis for your request, and (iv) evidence of authority to act for the Domain (which may include DNS-based verification or other reasonable proof requested by PRMT).

PRMT may, but is not obligated to, correct, suppress, or remove Reports, and may require verification before acting. PRMT may retain records necessary for security, audit, or legal compliance.

12. Intellectual Property; License

The Service and its underlying software, design, compilation, and presentation are owned by PRMT and its licensors and are protected by applicable laws. Subject to these Terms, PRMT grants you a limited, non-exclusive, non-transferable, revocable license to access and use the Service solely for the permitted purposes. No other rights are granted.

13. Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICE AND REPORTS ARE PROVIDED “AS IS” AND “AS AVAILABLE,” WITH ALL FAULTS AND WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, TIMELINESS, OR THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE.

14. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

(a) PRMT WILL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, BUSINESS INTERRUPTION, REPUTATIONAL HARM, OR THIRD-PARTY CLAIMS, ARISING OUT OF OR RELATED TO THE SERVICE OR REPORTS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES; and

(b) PRMT’S TOTAL LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THE SERVICE OR REPORTS WILL NOT EXCEED THE GREATER OF US$100 OR THE AMOUNT YOU PAID TO PRMT FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM (IF ANY).

Some jurisdictions do not allow certain limitations; in those jurisdictions, liability is limited to the minimum extent permitted by law.

15. Indemnification

You agree to defend, indemnify, and hold harmless PRMT and its officers, directors, employees, contractors, agents, and affiliates from and against any claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to: (a) your submission of a request for a Domain; (b) your access to or use of any Report; (c) your violation of these Terms; (d) your violation of any law or the rights of any third party; or (e) any allegation that your request or use was unauthorized, deceptive, abusive, defamatory, or otherwise improper.

16. Suspension; Termination; Removal

PRMT may suspend, restrict, or terminate access to the Service and may remove, suppress, modify, or reissue any Report at any time, with or without notice, including to prevent abuse, comply with law, mitigate risk, correct errors, or improve the Service.

17. Changes

PRMT may update these Terms at any time by posting an updated version on the Site. Continued use after the effective date of updated Terms constitutes acceptance.

18. Governing Law; Dispute Resolution; Venue

These Terms are governed by the laws of the State of New York, excluding conflict of laws principles. Any dispute arising out of or relating to the Service, Reports, or these Terms must be brought exclusively in the state or federal courts located in New York County, New York, and you consent to personal jurisdiction and venue there.

19. Contact

Questions or notices: [email protected]

Mailing address: Promethean IT, LTD, 426 West Broadway, 6D, New York, NY 10012

5. Dispute or Request Suppression of a Domain Report

If you are the owner/operator (or an authorized agent) of a domain and you believe a Report is inaccurate, unlawfully published, or was requested without authorization, you may submit a dispute or suppression request to [email protected].

Please include:

  1. Domain name

  2. The Report URL or identifying details (e.g., screenshot + timestamp)

  3. Your role and proof of authority (PRMT may request DNS TXT verification, an email from an administrative mailbox at the domain, or other reasonable evidence)

  4. The specific correction/suppression requested and the basis for the request

PRMT may request additional verification before acting. PRMT may retain limited records for security, audit, abuse prevention, and legal compliance.
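The Definitions above derive the Domain from the part of the e-mail address after "@" with normalisation for internationalised names and look-alikes, and sections 11 and 5 both accept DNS TXT verification as proof of authority over that Domain. The following is an added illustration of how such a flow can be built; it is not PRMT's code, and the record name `_domain-verify`, the token format, the HMAC construction and the normalisation rules are all assumptions made for the example. The "resolver answer" is constructed inline so the code runs offline.

```python
"""Added illustration: deriving a Domain from an e-mail address and proving
control of it with a DNS TXT challenge. Hypothetical design, not PRMT's code."""
import hashlib
import hmac
import secrets

# Hypothetical names for the challenge record (assumptions, not from the page).
RECORD_LABEL = "_domain-verify"
TOKEN_PREFIX = "domain-verify="


def domain_from_email(email: str) -> str:
    """Return the domain part of an e-mail address in normalised ASCII form.

    Normalisation policy assumed here: trim, take the part after '@',
    lowercase, drop a trailing dot, reject empty labels, then IDNA-encode so
    a Unicode look-alike host compares as its punycode form rather than as
    the ASCII domain it imitates. Subdomains are deliberately left intact.
    """
    email = email.strip()
    if email.count("@") != 1:
        raise ValueError("expected exactly one '@' in the address")
    host = email.rsplit("@", 1)[1].lower().rstrip(".")
    if not host or "." not in host or any(not label for label in host.split(".")):
        raise ValueError("host part is not a valid domain")
    return host.encode("idna").decode("ascii")


def challenge_token(secret: bytes, domain: str, nonce: str) -> str:
    """Verifier-side token bound to (domain, nonce) with HMAC-SHA256.

    The verifier recomputes the token from its secret and the nonce it issued,
    so it stores nothing per challenge beyond the nonce, and a requester cannot
    forge a valid token for a domain they were not challenged on.
    """
    msg = f"{domain}\x00{nonce}".encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{TOKEN_PREFIX}{nonce}.{mac}"


def issue_challenge(secret: bytes, domain: str, nonce: str = ""):
    """Return (nonce, record_name, record_value) the requester must publish."""
    nonce = nonce or secrets.token_hex(16)
    return nonce, f"{RECORD_LABEL}.{domain}", challenge_token(secret, domain, nonce)


def verify_txt(secret: bytes, domain: str, nonce: str, txt_records: list[str]) -> bool:
    """Check whether any TXT record at the challenge name carries the expected token.

    txt_records is what a resolver returned for RECORD_LABEL.<domain> (supplied
    by the caller here so the example runs offline). Each comparison is
    constant-time, and unrelated records such as SPF are simply ignored, so the
    requester can leave existing TXT data in place.
    """
    expected = challenge_token(secret, domain, nonce).encode("utf-8")
    return any(
        hmac.compare_digest(rec.strip().strip('"').encode("utf-8"), expected)
        for rec in txt_records
    )


if __name__ == "__main__":
    secret = secrets.token_bytes(32)          # verifier's long-lived key
    domain = domain_from_email("Alice@Example.COM")
    nonce, name, value = issue_challenge(secret, domain)
    print(f"publish TXT {name} -> {value}")
    # Constructed resolver answer: an existing SPF record plus the challenge.
    answer = ['"v=spf1 -all"', value]
    print("verified:", verify_txt(secret, domain, nonce, answer))
    # A Cyrillic look-alike normalises to punycode and cannot reuse the token.
    lookalike = domain_from_email("mallory@ex\u0430mple.com")
    print(lookalike, verify_txt(secret, lookalike, nonce, answer))
```

Two points worth noting in the design: the token is bound to the normalised domain, so a look-alike host that punycode-encodes differently fails verification even if the same record text is copied to it; and the nonce is part of the token, so a record left behind from an earlier verification cannot satisfy a later challenge. The same flow can back the "email from an administrative mailbox" option in section 5 by delivering the nonce there instead.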