This article details how much a cyberattack can cost a small business and explains how you can work out how much an attack might cost your business.

Here are some statistics to consider:

  • Security breaches due to cybercrime increased by 27.4% in 2017
  • Small and medium-sized businesses have higher average costs related to malware, online attacks and phishing than large businesses
  • On average, security intelligence systems, such as antivirus, saved businesses in the US (large and small) $2.8 million (2017)
  • Only 21% of US small to medium-sized businesses say they are able to protect against threats.

(Sources: Ponemon Institute, Business Insider, CNBC)

These and other figures paint a concerning picture. Small and medium-sized businesses (SMBs) are underprepared for constant attacks that can cost them thousands.

How much is your data worth?

Part of the problem is that many SMBs don’t know what’s valuable – or, at least, everything that is of value. We lock our doors, keep cash in safes and have intruder alerts. But what about your digital data?

While it may not be that valuable to someone else, it’s invaluable to you, which is why ransomware attacks work to get YOU to buy it back. How much a company’s data is worth is often only quantified when a cybercriminal steals it and offers it back at a cost. How much would you pay for all of your data?

The aim is never to get to this stage.

All small businesses should aim to collect their valuable data and protect it.

What’s the data?

Contemporary businesses rely on a wide variety of data types. How these businesses manage the collection and protection of that data is crucial to ensuring customer satisfaction.

Your business gathers and uses data that relates to its core activities:

  • production
  • marketing
  • sales
  • fulfilment
  • invoicing
  • human resources

First you need to decide which data types play the biggest role in the operation and success of your business.

For example:

  1. You might need certain data and information when you want to create a new product
  2. You need contact information of your clients, suppliers or leads
  3. When you take an order, you’ll need to collect payment card details to process the transaction and an address to send out an invoice for it
  4. If you want to deliver the goods, you’ll need times, dates, a courier, as well as an address to fulfill the order
  5. You need your accounts data for filing taxes and returns

Next, you need to know how to protect those data types.

Integrating protective measures is essential from the outset: reinforcing data management processes – through staff training and written policies – and adding safeguards at the point of access. Following that with the deployment of a secure database, encryption, and password-protected access ensures multiple layers of protection for each vulnerability.

For what it’s worth

The cost of cybercrime to you and your business will depend on what your business does, how it makes money and what form the attack takes.

Financial loss is always harmful, whether it results from having to pay to repair a compromised system, compensate customers, or pay fines to the relevant authorities if you’re found to be in breach of legislation. It will have a detrimental and unforeseen effect on your revenue and cash flow.

The ransom

Your digital data – reports, surveys, emails, corporate information – is an essential part of the service you offer. How much would you pay to get it back if you suffered a ransomware attack? On average, small companies are asked to pay £3,000 per user ($4,200.00).

The time

How much time - and therefore money - would it take to rebuild your data if it was permanently deleted? Even if you pay the ransom requested by the malicious hackers, there is no guarantee you will get your data back. Plus, ransomware is just one type of cyberattack. There are plenty of viruses that can compromise your data and not provide you the opportunity to get it back.

Many companies shut down during cyberattacks and this has a cost. For example: an attack means you and 20 employees can’t work for two days. If the average employee gets paid £200 ($275) per day, the attack has already cost you £8,000 ($10,980). Then figure in the time to rebuild your digital assets (assuming you can). If it takes each person a week’s work to rebuild databases, repopulate address books and scour emails for invoices, purchase orders and other data, that’s an extra £20,000 ($27,450). Now factor in any new business you have been unable to do: what is the loss of earnings? If you turn £5,000 ($6,860) per day, that’s £25,000 ($34,310) over a working week.

Now the figure is starting to look like £53,000 ($72,740).

Tech and protection

Of course, that £53,000 ($72,740) - or whatever your initial costs total - is before you look at other damage costs. This may include outside technical support to clean and rebuild servers, new machines and the antivirus that people invest in all too late. This could easily add a few more pounds or dollars to your bill.

Your bank account

If you or one of your team unwittingly gives security data to a cybercriminal, it could cost thousands. For example, Choice Escrow and Land Title LLC suffered a data loss incident in which cybercriminals stole the company’s online banking ID and password and transferred $440,000 (£320,580) to a bank account in Cyprus.

One small marketing business in Chicago had two separate accounts accessed by perpetrators within 12 months. The first breach was stopped by the bank, but the second account had $20,000 (£14,570) stolen in multiple withdrawals, before the business owner realized what had happened.

Fines and litigation

There are other important reasons to protect your data. In the US, businesses must comply with a variety of State and Federal laws and regulations; in the UK, companies have to comply with the Data Protection Act.

Economic regions also have their own requirements that member and non-member states need to be aware of, such as the European Union General Data Protection Regulation (GDPR), which came into effect on 25 May 2018.

Failure to manage your customers’ data in accordance with the relevant laws can result in fines, litigation, and even criminal convictions. Penalties for not complying with GDPR, for example, are up to 4% of your annual international turnover or, for the most serious breaches, €20 million ($24 million/£17.5 million). Failure to comply might also affect the ability to deliver a service or product to your customer.

Another important aspect to consider is that companies and individuals have the right to sue you if you are the source of a breach of data you hold about them. Thousands of employees sued Morrisons supermarket over data breaches. The same fate befell Seagate, who were sued through the Northern California District Court for their data breaches.

Although small businesses are not affected by lawsuits to the same extent as bigger companies, one statistic states that the average small business earning $1 million (£730,325) annually will spend about $20,000 (£14,600) on legal costs every year. So it’s worth considering the impact data breaches can make on any budget you set aside for litigation costs.

To help protect its data, your business can follow the guidelines set out in ISO/IEC 27002, the international standard for information security. Alternatively, it could even achieve formal compliance.

Your team

Businesses have a responsibility to protect the data of their employees, and breaches can endanger your colleagues: people with families and livelihoods of their own.

Some businesses even end up having to close after an attack, which means everyone is out of business and looking for a job. By failing to protect your digital assets you are placing everyone at risk.


And what about your reputation? You might say it’s hard to quantify value like that, but if negative press and subsequent distrust means your revenue drops by 20%, it’s easier to quantify.

Equifax is not only being sued, but its plummeting share price shows the impact of distrust.

Any loss in customer trust could also hamper your future success and the reputation of your brand or business. Your customers may reasonably think that, if you were hacked once, why couldn’t it happen again? Confidence in your brand or business can drain faster than the battery of your smartphone.

Protecting your business

  • 9% of small businesses get burgled
  • 0.1% of UK businesses were affected by fire*
  • 90% of all data breaches affect small businesses.

You lock up at night. You have security cameras and burglar alarms. Your phone has a screen lock. You have smoke detectors and sprinklers. And then you insure your premises and other liabilities, to make sure that if these measures don’t work, you can recoup damage costs and rebuild your business.

So, why don’t small businesses protect their digital assets in the same way? It costs a fraction of an attack and gives you peace of mind, just as your locks, insurance and smoke detectors do.

*This figure is the number of fires (7209) as a proportion of the total number of businesses in the UK according to UK Gov: 5.7m.

2016 figures for number of fires by business sector:

  • 1725 – retail premises
  • 602 – offices
  • 2113 – industrial premises
  • 596 – accommodation
  • 1621 – food and drink premises
  • 552 – agricultural premises

Total: 7209

Source: UK GOV.