How much does a cyber attack cost a small business?
A sourced breakdown of what ransomware, data breaches, downtime and BEC actually cost SMEs — and how to estimate your own exposure.
When executives ask "what would a cyber attack cost us?", they usually want a single number. The honest answer is a distribution — but you can estimate it the same way an insurer does, and that estimate is genuinely useful for budgeting and for deciding which safeguards are worth paying for.
The five costs that actually add up
A serious incident rarely has one bill. It has five:
- Ransomware — the ransom (if you pay) plus the far larger cost of rebuilding and recovering systems.
- Data breach — forensics, legal counsel, breach notification, call centres and credit monitoring.
- Business interruption — revenue and productivity lost while you're down.
- Business email compromise (BEC) — fraudulent wire transfers and invoice redirection, one of the highest-frequency losses for SMEs.
- Regulatory & legal — fines and legal costs from a reportable breach (under GDPR, up to 4% of turnover — though fines are scaled to size and rarely reach the ceiling).
Expected annual loss: the number insurers start from
Insurers don't price your worst case. They price your expected annual loss:
Expected Annual Loss = Σ Probability(incident) × Cost(incident)
summed across those scenarios. A €2M breach that's 10% likely this year contributes €200k of expected loss. Add up every scenario and you have the "pure premium" — the figure an insurer grosses up for their own costs and margin to quote you.
Why controls change the number so much
The same model shows why security spending pays for itself. Multi-factor authentication, endpoint detection, tested offline backups, staff training, an incident-response plan and encryption each reduce the frequency and/or severity of specific scenarios — often cutting expected loss by 30–60% for a fraction of the cost of one incident.
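The expected-annual-loss formula above and the control-reduction argument in this section, carried through in code as an added example (not from the article or the calculator it mentions); the scenario probabilities, costs and control factors are constructed assumptions, not the sourced figures the article refers to:

```python
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    probability: float  # chance the scenario occurs this year (0..1)
    cost: float         # cost in EUR if it does

# Constructed example figures for the article's five scenarios; replace
# with your own estimates. They are not sourced numbers.
BASELINE = [
    Scenario("ransomware", 0.15, 400_000),
    Scenario("data breach", 0.10, 250_000),
    Scenario("business interruption", 0.20, 150_000),
    Scenario("bec", 0.25, 60_000),
    Scenario("regulatory", 0.05, 100_000),
]

# Each control scales a scenario's (frequency, severity). Factors are
# illustrative assumptions: MFA mostly cuts how often credential-driven
# incidents happen, backups and an IR plan mostly cut how bad they get.
CONTROLS = {
    "mfa": {"ransomware": (0.7, 1.0), "bec": (0.4, 1.0), "data breach": (0.8, 1.0)},
    "tested offline backups": {"ransomware": (1.0, 0.4), "business interruption": (1.0, 0.5)},
    "incident-response plan": {"data breach": (1.0, 0.8), "business interruption": (1.0, 0.8)},
}

def expected_annual_loss(scenarios):
    """Sum of probability x cost across scenarios (the 'pure premium')."""
    return sum(s.probability * s.cost for s in scenarios)

def apply_controls(scenarios, controls):
    """Return new scenarios with every control's factors multiplied in."""
    adjusted = []
    for s in scenarios:
        p, c = s.probability, s.cost
        for effects in controls.values():
            freq, sev = effects.get(s.name, (1.0, 1.0))
            p, c = p * freq, c * sev
        adjusted.append(Scenario(s.name, p, c))
    return adjusted

def eal_with_and_without(scenarios, controls):
    """(baseline EAL, controlled EAL, fractional reduction)."""
    before = expected_annual_loss(scenarios)
    after = expected_annual_loss(apply_controls(scenarios, controls))
    return before, after, 1 - after / before
```

With these constructed inputs the three controls bring expected annual loss from EUR 135,000 down to EUR 55,800, roughly a 59% cut; the point is that each control's value is read off the scenarios it actually touches rather than guessed as a lump sum.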
Estimate your own exposure
Rather than guess, use the calculator to model your sector, size, revenue and the controls you have in place. Every figure is sourced (IBM, Verizon DBIR, Sophos, ENISA, FBI IC3) and the full methodology is published so you can challenge the assumptions.