The number that usually gets quoted is $4.88 million, which is the global average cost of a data breach in IBM's 2024 Cost of a Data Breach Report. That's the all-time high. But it includes large enterprises. The number that's relevant to a small business is the SMB-specific figure: $3.31 million.
That's not a rounding error or a statistical outlier. That's the average. Half of breached SMBs paid more.
This post is a financial analysis of what that number is made of. Not to frighten anyone, but because the CFO asking "why should we spend money on security?" deserves a rigorous answer, not a vague appeal to risk.
The Line Items
1. Incident Response and Forensics
When a breach is discovered, the first cost is figuring out what happened. You need a forensic investigation to identify the entry point, understand what data was accessed or exfiltrated, determine the scope of the compromise, and provide evidence for regulators and insurers.
Forensic incident response firms in Australia charge $250 to $500 per hour. A moderate-complexity breach investigation takes 200 to 500 hours. That's $50,000 to $250,000 before you've notified a single customer or fixed anything.
For ransomware specifically, add the cost of the ransom itself. Sophos' State of Ransomware 2024 report found that average ransom demands reached $2 million, with total recovery costs averaging $2.73 million after accounting for all expenses. That's not a typo. The ransom is often the smaller part of the total cost.
2. Legal and Regulatory
Once a breach is confirmed, legal counsel becomes necessary. Legal work covers: reviewing your notification obligations under the Notifiable Data Breaches scheme, advising on regulatory exposure, managing communications with the Office of the Australian Information Commissioner (OAIC), and defending any resulting litigation.
A data breach matter for an Australian SMB will typically generate $50,000 to $150,000 in legal fees before it's resolved, assuming no class action. If the breach involves sensitive personal information and there's evidence of inadequate security practices, regulatory fines can add another $50,000 to several hundred thousand dollars.
3. Notification Costs
Under the Privacy Act's Notifiable Data Breaches scheme, if you hold personal information and experience an eligible data breach, you must notify both the OAIC and affected individuals. If you have 10,000 customers and they all need notification, that involves: legal review of the notification, physical mail or email to each individual, and typically a call centre or dedicated email address to handle the resulting enquiries.
Notification at scale costs more than you would expect. At a minimum, budget $5,000 to $50,000 for notification execution depending on your customer count and the channels required.
4. Business Interruption
This is usually the largest single cost for SMBs, and it's the one that's hardest to recover from.
The Ponemon Institute found the average time to identify a breach is 194 days. Containment takes another 64 days on average. That's 258 days from breach to containment, meaning you may have been operating with a compromised network for the better part of a year before anyone knew.
Once a breach is identified and containment begins, operations typically go down or severely degrade. Sophos found that ransomware victims experience an average of 24 days of downtime. For a business generating $5 million in annual revenue, 24 days of downtime at even 50% capacity is $164,000 in lost revenue. For a business whose operations are fully dependent on the compromised systems, the loss could be the full revenue for that period.
Add recovery costs: rebuilding systems, restoring data from backups (or paying to decrypt if backups were compromised), replacing hardware, and paying overtime for the staff working through the recovery.
5. Reputational Damage and Customer Loss
This is the line item that's hardest to quantify, and it often matters more than all the others combined.
Forty-six per cent of SMBs that experience a significant cyberattack close within six months, according to research cited by Middletown Life Magazine. Not all of those closures are directly caused by the breach. Some are the result of reputational damage driving customer churn, which reduces revenue below the level needed to service debt taken on to fund recovery.
For businesses where customer trust is the product, like accounting firms, legal practices, or healthcare providers, a data breach can permanently alter the client relationship. Clients leave. Referrals dry up. Winning new business becomes harder because prospects search your name and find the breach in the results.
IBM's research found that businesses lose an average of 5% of their customer base following a major breach. For a $5 million revenue business, that's $250,000 in recurring annual revenue, compounding indefinitely.
6. Insurance Premium Increases
Cyber insurance premiums increased significantly after the wave of ransomware attacks in 2021 and 2022, and insurers have continued tightening terms. A business that makes a claim can expect its renewal premium to increase materially, assuming the insurer renews at all. Businesses in some sectors that have claimed once find themselves effectively uninsurable at reasonable rates.
Post-claim premium increases of 50 to 200% are common. If your current annual premium is $20,000, expect to pay $30,000 to $60,000 at renewal.
The Full Picture
Here's a conservative, realistic breakdown for a breach at a 50-person Australian SMB:
| Cost Category | Conservative Estimate |
|---|---|
| Forensic incident response | $75,000 |
| Legal and regulatory | $100,000 |
| Notification (5,000 customers) | $15,000 |
| Business interruption (10 days at 50%) | $70,000 |
| System recovery and rebuild | $50,000 |
| Ransom payment (if ransomware) | $200,000 |
| Customer loss (5% at $3M revenue) | $150,000/year ongoing |
| Insurance premium increase | $15,000/year ongoing |
| Total first-year cost (with ransom) | $675,000 |
This is a conservative estimate for a moderate-scale breach. It doesn't account for a class action, a regulatory enforcement action, or a business interruption longer than 10 days. The IBM average of $3.31 million includes these scenarios.
What Prevention Costs
The back-of-envelope business case for security investment is straightforward. The question is: how much would you spend to reduce a $675,000 expected loss by 80%?
For most SMBs, a comprehensive baseline security posture costs $20,000 to $40,000 per year. That covers:
Multi-factor authentication (MFA) on all accounts. Implementation cost is negligible for most businesses already on Microsoft 365 or Google Workspace. This single control blocks an estimated 99.9% of automated credential-based attacks, according to Microsoft.
Endpoint detection and response (EDR). A step above standard antivirus, EDR detects unusual behaviour on endpoints and can isolate a compromised machine before the attack spreads. Cost: $5 to $15 per device per month.
Tested backup and recovery. Not just having backups, but verifying they work. The 3-2-1 rule: three copies of data, two different media types, one offsite. An untested backup is a false sense of security. Cost: $500 to $2,000 per month for a managed backup service covering a 50-person business.
Security awareness training. Acrisure found that cybercriminals are increasingly targeting employee credentials directly rather than hunting for technical vulnerabilities. Monthly simulated phishing campaigns and short training modules reduce click rates on phishing emails by 60 to 80% within six months. Cost: $3 to $8 per user per month.
Incident response planning. Having a documented, tested plan reduces the time to contain a breach. IBM's research found that organisations with an incident response team and a regularly tested plan saved an average of $1.49 million compared to those without. The plan itself costs almost nothing to create. Testing it costs time.
The annual cost of these five controls, for a 50-person business, is roughly $25,000 to $50,000. The expected reduction in breach probability and severity is significant.
The Rational Decision
No security investment eliminates risk entirely. The question is whether the reduction in expected loss justifies the cost.
Spending $35,000 per year on baseline security controls to reduce a $675,000 expected loss scenario by 80% is a reasonable investment by any standard financial analysis. The business case gets stronger if you factor in the insurance premium discount that good security controls typically attract, the regulatory obligations that require certain controls regardless of risk preference, and the reputational premium that comes from being able to tell clients their data is protected.
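The arithmetic above, from the "Full Picture" table through to the prevention comparison, as an added worked example (not code from the original post). It turns the table into a small cost model, reproduces the downtime calculation, and adds one thing the post does not state: the annual breach probability at which a given control spend breaks even. The annual breach probability used in the sample call is a constructed input, and the 365 revenue-days-per-year divisor is an assumption.

```python
from dataclasses import dataclass, field

REVENUE_DAYS_PER_YEAR = 365  # assumption: revenue accrues evenly over a calendar year


def downtime_loss(annual_revenue: float, days_down: float, capacity_lost: float) -> float:
    """Revenue lost during an outage at reduced capacity (the post's 24 days at 50%)."""
    return annual_revenue / REVENUE_DAYS_PER_YEAR * days_down * capacity_lost


@dataclass
class BreachCostModel:
    """One-off items are paid in the breach year; ongoing items recur every year after."""
    one_off: dict = field(default_factory=dict)
    ongoing: dict = field(default_factory=dict)

    def first_year_total(self) -> float:
        return sum(self.one_off.values()) + sum(self.ongoing.values())

    def total_over(self, years: int) -> float:
        return sum(self.one_off.values()) + years * sum(self.ongoing.values())


# The post's "Full Picture" table for a 50-person Australian SMB (values taken from the post).
POST_TABLE = BreachCostModel(
    one_off={"forensics": 75_000, "legal": 100_000, "notification": 15_000,
             "interruption": 70_000, "rebuild": 50_000, "ransom": 200_000},
    ongoing={"customer_loss": 150_000, "premium_increase": 15_000},
)


def breakeven_probability(control_cost: float, risk_reduction: float, breach_cost: float) -> float:
    """Annual breach probability at which the control spend exactly pays for itself."""
    return control_cost / (risk_reduction * breach_cost)


def prevention_case(model: BreachCostModel, control_cost: float, risk_reduction: float,
                    breach_probability: float) -> dict:
    """Annualised comparison of expected loss with and without controls, plus net benefit.

    breach_probability is an assumed input: the post quotes no annual breach rate.
    """
    loss_if_breached = model.first_year_total()
    without = breach_probability * loss_if_breached
    with_controls = without * (1 - risk_reduction)
    return {"expected_loss_without": without, "expected_loss_with": with_controls,
            "net_benefit": (without - with_controls) - control_cost,
            "breakeven_probability": breakeven_probability(control_cost, risk_reduction, loss_if_breached)}


if __name__ == "__main__":
    print(round(downtime_loss(5_000_000, 24, 0.5)))       # the post's $164,000 figure
    print(POST_TABLE.first_year_total())                   # the post's $675,000 first-year total
    print(prevention_case(POST_TABLE, 35_000, 0.8, 0.2))   # constructed 20% annual breach probability
```

With the post's $35,000 spend and 80% reduction, the break-even annual breach probability is about 6.5%; any belief that a breach is likelier than that makes the spend pay for itself in expectation.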
Sixty-one per cent of SMBs that experience a significant cyberattack close within six months. That's not a statistic about bad luck. It's a statistic about organisations that found out the hard way that the cost of prevention was lower than the cost of response.
