The numbers are real. This article uses data from IBM, Verizon, and the U.S. Small Business Administration. The goal is not to scare you but to help you understand what is actually at stake, and how little it costs to prevent it.

When small business owners think about cyberattacks, they often imagine something that happens to other people. Big corporations. Banks. Government agencies. Not a 10-person landscaping company or a family dental practice in suburban Pennsylvania.

That assumption is exactly why small businesses are now the most common target. Attackers know that most small businesses have valuable data, no dedicated IT staff, and no real defenses. It is the path of least resistance. And the cost when something goes wrong is far higher than most owners expect.

The Average Cost: $25,000 to $200,000

According to the U.S. Small Business Administration, the average cost of a cyberattack on a small business falls between $25,000 and $200,000 when all costs are added up. For a significant breach, IBM's annual Cost of a Data Breach report puts the global average at over $3 million for companies with under 500 employees.

Those numbers sound abstract until you break down where the money actually goes.

Where the Money Goes After a Breach

  • Downtime and lost productivity: The #1 cost. Most small businesses are offline for 3 to 7 days after a significant attack. At $10,000–$50,000 per day for a typical small business, this adds up fast.
  • IT recovery and remediation: Hiring someone to clean up the damage, rebuild systems, and investigate how the attack happened. Rates run $150 to $350 per hour for emergency response.
  • Legal and compliance fees: If any customer or employee data was exposed, you may be required by law to notify them, hire a lawyer, and potentially face regulatory fines. Pennsylvania has a data breach notification law.
  • Customer notification costs: Sending breach notifications, setting up credit monitoring for affected customers, and managing the PR fallout. Average: $4,000 to $15,000.
  • Ransomware payment (if applicable): The FBI recommends against paying, but many businesses do. The average ransomware demand for small businesses in 2024 exceeded $100,000. And paying does not guarantee you get your files back.
  • Reputation damage: Harder to measure but often the most lasting. One in three customers say they would stop using a business after a data breach.

The Statistic That Should Stop You Cold

According to the National Cybersecurity Alliance, 60% of small businesses that suffer a significant cyberattack close within six months. Not because the attack itself destroyed them, but because the combined cost of recovery, legal exposure, and lost customer trust made it impossible to continue operating.

That is not a scare statistic invented by a security company trying to sell you something. It is the documented outcome of real businesses run by real people who thought it would not happen to them.

What Kind of Attack Are We Talking About?

The most common attacks on small businesses are not sophisticated. They do not involve hackers in dark rooms writing custom code. They are mostly opportunistic and automated:

  • Phishing emails that trick an employee into giving up their password or clicking a malicious link (accounts for 91% of breaches)
  • Ransomware deployed after a phishing click, which locks all your files and demands payment
  • Credential stuffing — automated tools that try stolen passwords from other breaches against your accounts
  • Unsecured Wi-Fi that lets attackers intercept traffic or get onto your network
  • Unpatched software with known vulnerabilities that automated scanners find and exploit

Notice that none of these require a sophisticated attacker. They require a business that has not done basic security hygiene. And basic security hygiene is exactly what a security audit covers.

Prevention vs. Recovery: The Real Math

After a breach: $25,000+
Average recovery cost for a small business. That is the optimistic end of the range. Many pay far more, and some never recover.

Prevention with G&J: $99/mo
Our monthly maintenance plan covers ongoing monitoring, updates, device review, and priority support. No contract.

A full year of our maintenance plan costs $1,188. That is less than 5% of the low end of what a breach costs. It is not a hard decision when you put the numbers side by side.

What Does a Security Audit Actually Check?

A G&J security audit looks at the specific, known entry points that attackers actually use against small businesses:

  • Router and firewall configuration
  • Wi-Fi encryption strength and guest network setup
  • Software patch status across all devices
  • Password practices and multi-factor authentication
  • Former employee account cleanup
  • Email forwarding rules (a common sign of a compromised account)
  • Backup status and recovery testing
  • Staff awareness of phishing tactics

You get a plain-language written report with a prioritized list of what to fix and exactly how to fix it. Not a 50-page document you will never read.

Find Out Where You Stand

A security audit takes 2 to 4 hours and gives you a clear picture of your real risk. Most clients fix the highest-priority issues the same week.
