The Cost of Cybersecurity: Weighing the Cost-Benefit

Small business owners often underestimate how damaging a cyberattack could be for their company. And because of that, they often don’t have plans to respond or recover if an attack occurs. Preventing an attack is obviously paramount, but for small businesses with small budgets, the cost of cybersecurity protection often limits what they can realistically do to protect sensitive information.

By looking at both sides of cybersecurity – the potential impact of an attack and the benefits of cyber defense and insurance – business owners can determine where their money is best spent.

The real costs of a cyberattack

The costs of a cyberattack fall into three categories: Hard costs, business impacts, and recovery.

Hard costs of a cyberattack

The hard costs are actual funds that you could lose as a result of an attack, breach, scam, or ransom. Hard costs also include any litigation or payout to customers and fines levied by your industry as a result of losing data. Research shows that small businesses are much more likely to pay ransoms to restore access to their data than larger companies, even though they are less likely to be able to afford to do so.

What kind of costs are we talking about? According to Verizon, 95% of cybersecurity incidents at small businesses cost between $826 and $653,587. What’s more, a CyberCatch survey found that 75% of small businesses would have to close their doors if they were hit with an attack in that cost range.

Business Impacts and Recovery

The business impacts of a cyberattack are quiet costs. Companies that survive an attack often find that they’ve lost the trust of their customers, employees, partners, and vendors, resulting in lost business and fewer opportunities. Eighty percent of small business owners are confident their business would retain its customers and reputation after an attack, yet 76 percent of consumers say they’d stop doing business with a company responsible for a breach that affected them. Recovering from the reputational damage of a data breach can take years.

On top of the hard costs and business impacts, companies that survive a cyberattack still face recovery costs. Ironically, these companies must now pay for the security controls they needed in the first place, and also repair, rebuild, or replace compromised systems and hardware (a process that can take weeks even when backups exist, and that is costly in itself).

Steps to protect your business from a cyberattack

Research backs up what we already know: Small business owners don’t feel prepared to prevent a cyberattack, and gaps in cybersecurity knowledge and protection options are often the cause. Compare your own practices against the following.

  • Offer cybersecurity training to all employees at least once a year. Just 56% of small businesses do, compared to 94% of their middle-market counterparts.
  • Regularly send phishing test emails to employees to help them stay vigilant. Only 24% of small business owners do.
  • Obtain cyber risk insurance to help protect and offset the impacts of an attack. Less than three in 10 small business owners have cyber coverage.
  • Ensure you have an emergency response plan if a cyberattack, breach, or ransom is discovered. Small businesses are less likely to have a plan than their middle-market counterparts, yet experts warn that response speed is critical in nearly all types of attacks.

The basics of cybersecurity controls

At a minimum, every business should have basic cyber controls in place to reduce the risk of an incident. Even businesses that operate entirely in person should be protecting customer data and payment information. And no company is too small: cybercriminals prey on small businesses precisely because they know such businesses are less likely to have sophisticated protection and more likely to pay a ransom to recover lost data or resume operations.

What do the basics look like? The Cybersecurity & Infrastructure Security Agency (CISA) has developed three recommendations for all US-based organizations:

Backup Data: Use a system that automatically and continuously backs up your critical data and system configurations

Multi-factor Authentication (MFA): Require MFA to access your systems, ideally for all users but especially for those with administrative and remote access

Patch & Update Management: Enable automatic updates of your operating systems, applications, and hardware. Deploy security patches quickly.

To these recommendations, we would add the following:

  • Begin to budget for cybersecurity as a necessary operating expense.
  • Provide employee security awareness training: Your employees are your first line of defense.
  • Create an incident response plan: Ensure all employees know whom to contact if they receive a suspicious email or message and what to do to prevent the attack from spreading to other devices. Also, identify resources to help with a speedy breach response.
  • Get cyber insurance: Having an insurance policy can help with recovery costs, ransom payments, and response plans. It can protect your company from taking a business-ending hit.

To understand your unique cyber risks, we strongly suggest that business owners take a risk assessment, like the one offered free at, to identify gaps and determine a plan for cyber protection and business continuity. Your risk profile is also helpful in obtaining cyber insurance, as rates often depend on your exposure and the cyber controls you have in place.

Weigh the potential costs of a cyberattack against the benefits of cybersecurity measures and cyber insurance to determine the investments you are willing to make in defense and protection. The process can be eye-opening for small businesses that have yet to understand their risks.