How Much Will a Data Breach Really Cost Your Small Business?

The data breach last year at the popular hotel chain Marriott has cost the company $28 million so far, and statistics show that those costs will continue to rise well into the 2nd and 3rd years after the breach happened.

The cost of data breaches for businesses of all sizes has been rising, but breaches are particularly costly for small businesses with fewer than 500 employees. This makes IT security services all the more vital to the lifeblood of a company.

A data breach can cost a small business up to 5% of their annual revenue. (IBM Security)

According to IBM’s 2019 Cost of a Data Breach Report, cybercriminals aren’t only going after large companies like Marriott; small businesses are hit especially hard by data breaches. Their losses average over $2.5 million, which can be significant for a company making $50 million or less in annual revenue and can make survival after the breach difficult.

In fact, approximately 60% of small businesses have to close their doors within six months of a data breach because they’re not able to fully recover from the financial or reputation impact.

For the other 40% that do survive, data breach costs follow them for years. The IBM report studied the long-tail financial consequences of a data breach and found that only 67% of the total cost occurs in the first year, with 22% occurring in the second year after the breach and 11% accruing past the second year.

Rising Data Breach Costs & Concerns

Over the past five years, data breach costs have risen 12%, and the average current cost of a breach globally for all businesses of any size is $3.92 million.

What types of costs make up the millions in losses?

  • Immediate costs of addressing the breach and removing the malicious code
  • Additional IT security to keep the breach from happening again
  • Recovery of any data that was lost during the breach
  • Downtime costs from lost productivity during the breach response
  • Forensics to determine which records were impacted by the breach
  • Notification to those whose data was compromised (customers, vendors, etc.)
  • Cost of lost business due to lack of trust after a breach
  • Fines due for any data security non-compliance (HIPAA, etc.)

The IBM study is one of the most extensive and current. Its authors interview over 500 companies around the world that have been victims of a breach within the past year, so the costs and other data are based on recent figures.

Key findings of their report include:

  • Most breaches are malicious: 50% of data breaches result from malicious cyberattacks.
  • Large breaches are less common: Large data breaches (more than 1 million records) are less common, but very costly at $42 million on average.
  • Being prepared pays off: Companies with a practiced incident response team reduce their data breach costs by $1.23 million.
  • U.S. companies pay the most: Data breaches cost the most for U.S. businesses, with an average cost of $8.19 million, more than double the global average.
  • Healthcare is hit the hardest: The healthcare industry continues to be the hardest hit by costs, paying over 60% more than other industries.

Factors that Can Reduce or Increase Your Data Breach Costs

One of the biggest cost savers when it comes to a data breach is the speed and efficiency with which a company responds to that breach. The average breach lifecycle is 279 days, with companies taking 206 days to first identify the breach after it happens.

Companies that can detect and contain a breach faster saved $1.2 million on the cost of the data breach.

What other factors can help you reduce the costs of a data breach at your business?

According to the IBM report, here are the top six factors that can help you save:

  • Forming an incident response team ($360,000 savings)
  • Extensive use of encryption ($360,000 savings)
  • Extensive testing of your incident response plan ($320,000 savings)
  • Business continuity management ($280,000 savings)
  • DevSecOps approach ($280,000 savings)
  • Employee training ($270,000 savings)

On the flip side, there are factors that will increase costs if you have a data breach. Identifying and addressing them now, through a security risk assessment before a breach happens, is an important way to protect your business.

Factors that increase data breach costs include:

  • Compliance failures ($350,000 more in costs)
  • Extensive cloud migration ($300,000 more in costs)
  • System complexity ($290,000 more in costs)
  • Operational Technology (OT) infrastructure ($260,000 more in costs)
  • Extensive use of mobile platforms ($240,000 more in costs)

What Steps Should I Take to Reduce My Risk?

Unfortunately, data breaches are big business for cybercriminals, so they continue to be a major area of concern for every company. The trend shows that data breach incidents continue to rise, so taking steps to reduce risk can help minimize both the chances of a breach and the losses if one occurs.

Preventing a data breach from occurring in the first place is the best-case scenario. This step involves assessing weaknesses in your data security, so you’ll know where to employ stronger cybersecurity procedures and policies.

Once you’ve identified areas of risk for unauthorized entry into a device or network, you can choose the systems, applications, and measures to address them and create a stronger overall defense.

Creating an incident response team and automating and thoroughly testing your data breach response plan have been shown to dramatically decrease the financial impact of a breach.

In the aftermath of a data breach, learn from your experience. Review your response plan, what went well, and what could be improved.

Book a Free Risk Assessment

Excedeo offers free IT security risk assessments to help you identify any network vulnerabilities so they can be addressed and your defenses strengthened.

Book your free risk assessment now!