The Real Cost of a Cyber Incident for Small Business
Everyone talks about ransom payments and data breaches. But when I work with businesses recovering from cyber incidents, the ransom is often the smallest cost they face.
Let me break down what a typical incident actually costs a small Australian business.
The Numbers
The ACSC reports the average cost of a cyber incident for small businesses at around $46,000. But that’s an average, and averages hide a lot.
Some incidents cost almost nothing - a phishing email caught in time, a quick password reset. Others destroy businesses entirely. The distribution is skewed by the businesses that didn’t survive to report their full costs.
Here’s a more realistic breakdown for a “moderate” incident at a 20-person professional services firm:
Direct Costs
**Incident response and forensics: $15,000-50,000.** You’ll need experts to figure out what happened, how they got in, and whether they’re still there. Good incident response firms charge $300-500 per hour, and investigations take time.
If your cyber insurance covers this (check your policy), you might pay only the excess. If not, it’s coming out of pocket.
**Systems recovery and remediation: $10,000-30,000.** Rebuilding infected systems, restoring from backups (if they exist and work), patching the vulnerability that let attackers in. Even if your IT support does this, they’re not doing it for free.
**Legal fees: $5,000-25,000.** You’ll probably want legal advice on notification requirements, liability, and communications. If you need to notify regulators or customers, that process takes lawyering.
**Notification costs: $5,000-20,000.** If personal information was compromised, you may be legally required to notify affected individuals. That means identifying who was affected, drafting communications, and managing responses. It adds up.
**Credit monitoring and identity protection: $2,000-10,000.** Offering affected customers credit monitoring isn’t always required, but it’s often expected. Twelve months of monitoring for 500 affected individuals costs real money.
**Potential fines and regulatory costs: varies wildly.** Serious breaches involving personal information can attract regulatory attention. Fines under the Privacy Act can reach millions for serious or repeated breaches. Most SMB incidents don’t get there, but it’s a risk.
**Running total: $37,000-135,000 in direct costs.**
Indirect Costs (Often Higher)
**Business interruption: $20,000-100,000+.** How long can your business operate without its systems? Ransomware might have you down for days or weeks. Even a smaller incident might cost you two or three days of productivity.
For a 20-person firm billing $200/hour, one week of downtime is $160,000 in lost revenue (assuming everyone’s billable, which they’re not, but you get the idea).
**Overtime and additional staffing: $5,000-20,000.** Your team will be working extra hours. You might need temporary contractors. Someone has to answer all the calls from worried clients.
**Reputational damage: hard to quantify.** How many clients will leave? How many prospects will choose a competitor? How much harder will sales be for the next year? This varies enormously, but it’s rarely zero.
One accounting firm I know lost three major clients within a month of a breach - not because data was stolen, but because the clients lost confidence. That was $150,000 in annual recurring revenue, gone.
**Increased insurance premiums: ongoing.** After an incident, your cyber insurance premium is going up. Often by 25-50%, sometimes more. That’s a cost you’ll pay for years.
**Management distraction: real but invisible.** For weeks after an incident, leadership is dealing with the fallout instead of running the business. Opportunities get missed. Strategy gets delayed. This doesn’t show up on any invoice, but it’s very real.
A Case Study
Let me give you a real example (details changed for confidentiality).
A Brisbane accounting firm with 15 staff got hit by ransomware in August - right before tax deadline season. Here’s what it cost them:
| Cost Category | Amount |
|---|---|
| Ransom (paid on insurer advice) | $40,000 |
| Incident response firm | $35,000 |
| IT rebuild and overtime | $22,000 |
| Legal fees | $12,000 |
| Client notifications | $8,000 |
| Insurance excess | $10,000 |
| Lost revenue (2 weeks down) | $85,000 |
| Staff overtime | $15,000 |
| Increased insurance premium (3 years) | $24,000 |
| Total | $251,000 |
And that doesn’t count the two clients who left, the partner who worked 80-hour weeks for a month, or the stress-related health issues that followed.
The ransom was only 16% of the total cost.
What Insurance Actually Covers
Cyber insurance is valuable but it doesn’t cover everything. Typical policies cover:
- Incident response costs
- Forensic investigation
- Legal fees related to the breach
- Notification costs
- Business interruption (often with waiting periods and caps)
- Ransomware payments (some policies, with restrictions)
They typically don’t cover:
- Full revenue losses
- Future increased premiums
- Reputational damage
- Long-term client loss
- Management time and distraction
Read your policy carefully. Understand the limits, the excess, and the exclusions.
The Cost of Prevention
Here’s the contrast. A similar firm implementing reasonable security might spend:
| Security Measure | Annual Cost |
|---|---|
| Microsoft 365 Business Premium (includes Defender) | $7,300 |
| Password manager | $1,800 |
| Backup solution with ransomware protection | $1,500 |
| Security awareness training | $900 |
| Annual security assessment | $5,000 |
| Cyber insurance | $8,000 |
| Total | $24,500/year |
The cost of prevention is roughly what the accounting firm spent on just the ransom payment. And that prevention spend covers multiple years, not a single incident.
The Bottom Line
Cyber incidents cost more than people expect because:
- The ransom (if any) is just the beginning
- Business interruption often exceeds direct costs
- Recovery takes longer than anticipated
- Hidden costs (reputation, management time, future premiums) accumulate
The businesses that survive and recover are the ones that:
- Had backups they could actually restore from
- Had insurance that covered material costs
- Had a plan for operating while systems were down
- Communicated quickly and honestly with affected parties
- Used the incident as motivation to improve
Prevention is genuinely cheaper than recovery. The maths works. But you have to do the prevention before the incident, not after.
What’s your business worth? What would a month of downtime cost? What would losing your three biggest clients cost?
That’s what you’re protecting when you invest in security.