The Cost of a Data Breach: Real Numbers for Small to Medium Businesses

by SpireTech | Jun 16, 2026 | Security, Cybersecurity


When someone thinks about data breaches, they probably picture massive corporations making headlines with millions of customer records exposed. But far more breaches are "quiet" ones that never make the news, and those often involve businesses much closer to home.

Small and medium businesses face the same cyber threats as Fortune 500 companies but with far less protection. Attackers often assume they are easier targets with weaker security, which is why we always stress a good security posture.

What would happen if your business faced a data breach? Let's talk numbers and the potential peripheral losses.

What a Data Breach Actually Costs

Breach cost figures drawn from larger companies seem exorbitantly large. The 2024 IBM Cost of a Data Breach Report cites the average breach at $4.88 million overall, with companies under 500 employees averaging $3.31 million.

The 2023 Hiscox Cyber Readiness Report found that for roughly 20% of small firms that experienced a serious breach, costs exceeded six figures. The average breach cost for companies with fewer than 50 employees is roughly $120,000–$150,000, with response, downtime, and lost business factored in.

A significant number of small businesses struggle to survive after a major breach, with some studies indicating many close their doors within months. It's not usually one catastrophic expense that causes this; it is more often the combination of immediate response costs, lost revenue during downtime, clients leaving, and the cash flow crunch that follows. Many small businesses don't have enough monetary reserves to absorb a hit like that while simultaneously trying to win back trust and rebuild operations.

Immediate Response Costs

The moment data exfiltrates from your systems, the clock starts ticking. Here is what businesses need to budget for in the immediate aftermath:

Forensic investigation: $10,000–$50,000 to determine what was accessed, how the breach occurred, and whether the attacker is still in your network. This, unfortunately, is an expense that can't be skipped. You need to know what happened before you can fix it.

Legal counsel: $15,000–$100,000+ for attorneys who specialize in data breach notification requirements, which vary by state and industry. Oregon, Washington, and California each have different rules about who you must notify and how quickly.

Notification costs: $5–$10 per affected individual for required breach notifications. This may not seem like much, but if 500 clients are affected, that's $2,500–$5,000 just to mail letters. Email notifications still require legal review and proper documentation.

Credit monitoring services: $15–$25 per person per year if you're offering it to affected clients (increasingly expected, even if not legally required). For 500 people, that's $7,500–$12,500 annually.

Operational Disruption

This is where costs add up fast. Most SMBs lose 10–30 business days dealing with a breach. This may not be consecutive days but could be scattered across weeks of disrupted operations. For a 20-person firm billing $3 million annually, each business day represents roughly $11,500 in revenue. Lose 15 days of productivity across the team and you're looking at north of $170,000 in lost output—and that's before you account for the distraction tax on every employee who's still technically working but dealing with breach fallout.

Then there's system recovery. If ransomware encrypted your files, you're looking at $20,000–$250,000 to restore operations, depending on backup quality and how quickly you need to be functional again. Even with good backups, restoration takes time—and time is money.

Regulatory Fines and Legal Exposure

If you handle client financial data, legal records, or personal information, a breach can trigger regulatory consequences even if you're not in a heavily regulated industry like healthcare.

Oregon's Consumer Identity Theft Protection Act (ORS 646A.604) requires businesses to notify affected individuals within 45 days of discovering a breach. Failing to do so can result in enforcement action by the Oregon Attorney General under the state's Unlawful Trade Practices Act, with civil penalties up to $25,000 per violation. For a breach affecting hundreds of clients, those penalties add up fast. Washington has similar notification requirements under RCW 19.255.010 with its own enforcement mechanisms.

Accountants and financial advisors may also face obligations under the Gramm-Leach-Bliley Act (GLBA), which requires firms handling consumer financial information to maintain safeguards and notify customers of breaches. The FTC's updated Safeguards Rule now requires written security plans, access controls, and encryption for non-banking financial institutions, which includes CPA firms, tax preparers, and financial planners. Non-compliance can result in FTC enforcement actions and state-level penalties.

Lawyers, meanwhile, have professional conduct obligations around client confidentiality. A breach that exposes privileged information can trigger bar complaints and malpractice claims on top of the regulatory exposure.

And then there are the lawsuits. Defense costs alone can run $50,000–$200,000 even if you win. Settlements can multiply that several times over. (So don't skip notification requirements, no matter what.)

Lost Business and Reputation Damage

Here's the cost that bankrupts small businesses: clients who leave and prospects who work with someone else.

The Hiscox report found that one in five businesses that experienced a cyberattack said it threatened their financial stability. For professional services firms built on trust, like accountants handling tax returns, lawyers managing confidential case files, or property managers with tenant data, a breach won't just lose you existing clients. It loses referrals, renewals, and the reputation a business spent years building.

Attracting new clients gets harder, too. How does someone answer, "What happened with that data breach last year?" in a sales conversation? It's possible, but you work from a position of mistrust.

What Drives Costs Up (or Down)

Not every breach costs six figures, but several factors consistently drive costs higher:

Delayed detection: Most SMBs assume they'd spot a breach quickly, but the reality is that many breaches don't look like an alarm going off. An attacker sitting in your email system, quietly forwarding messages or harvesting client data, can go unnoticed for weeks or months. Even a few weeks of undetected access means a bigger mess and a bigger cleanup bill. Every day matters.

Lack of incident response plan: Businesses without a documented response plan spend 30–40% more on breach costs because they're figuring out next steps in crisis mode rather than executing a rehearsed process.

Poor backup practices: If you're paying ransom or spending weeks manually reconstructing data, your costs will be far higher than those of firms that can restore clean backups within hours.

Regulated data: GLBA or other protected information categories trigger mandatory reporting, potential fines, and higher legal costs.

What Actually Reduces Risk (and Cost)

You can't make breach risk zero, but you can dramatically reduce both likelihood and cost with very attainable practices:

Employee security training: According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involve a human element, such as phishing, stolen credentials, or simple mistakes. Training with simulated phishing cuts your risk substantially.

Multi-factor authentication everywhere: MFA blocks the vast majority of automated attacks. If you're not requiring it for email, financial systems, and remote access, you're leaving the door open.

Tested backup and recovery: Backups stored separately from production systems (ideally cloud-based with immutable storage) mean you can recover data without paying ransom. Testing restoration at least quarterly ensures backups actually work.

Endpoint detection and response (EDR): Modern EDR tools monitor devices for suspicious behavior and can stop attacks in progress.

Cyber insurance: Policies for SMBs can cover forensics, legal fees, notification costs, and sometimes even lost revenue. Read the fine print, because most require basic security controls (MFA, backups, training) to pay claims.

What To Do Next

If you've read this far and are starting to get nervous, that's good, because you can start preparations now.

Start with an honest assessment of where your business stands:

  • Do you have MFA enabled on every business application?
  • When did you last test restoring from backup?
  • Would your team recognize a phishing email?
  • Do you know what data you have and where it lives?
  • Could you execute a breach response tomorrow if you had to?

If you answered "no" or "I'm not sure" to more than one of those questions, you have gaps worth closing.

Closing Thoughts

The average data breach costs SMBs $3.31 million. Your specific risk depends on your industry, your data, and your current security posture. But one thing's certain: finding out after a breach is far more expensive than finding out now.

The measures that make the biggest difference, like MFA, tested backups, a written incident response plan, and regular training, aren't expensive. They aren't glamorous, but you'll be glad you put them in place.

Want to know what gaps exist in your current setup and what it would actually cost to close them? Schedule a 30-minute security assessment. We'll walk through your specific risks and map out a realistic plan.