
What Does a Cyber Attack Actually Cost an SMB?

Jaco Louw 19 March 2026 7 min read

When a CEO hears "data breach," the first question is rarely about firewalls or encryption. It is about money. How much will this cost me? How long will we be down? Will we survive?

The answers are harder to find than you would expect. Most breach cost studies focus on enterprises with thousands of employees and dedicated security teams. But the businesses that face the sharpest consequences—companies with 20 to 200 employees—rarely see themselves in the data.

This article translates the two most authoritative breach studies in the world into language that matters to your business: currency, time, and probability.

The Global Numbers: What a Breach Costs on Average

According to IBM’s 2025 Cost of a Data Breach Report, the global average cost of a data breach dropped to $4.44 million—a 9% decrease from the previous year’s $4.88 million. For the first time in five years, breach costs actually went down, largely because organisations are getting faster at detecting and containing incidents.

241 days

Average time to identify and contain a breach in 2025—the lowest in nine years. Faster detection directly reduces cost. Time is money in breach recovery.

That sounds like progress. But the global average masks a harsher reality for smaller businesses and for specific regions. In the United States, for example, the average breach cost actually rose 9% to $10.22 million—driven by steeper regulatory fines and longer recovery timelines.

Why SMBs Pay a Higher Price

Here is where the numbers stop being abstract. Verizon’s 2025 Data Breach Investigations Report analysed over 22,000 security incidents and found that small and medium-sized businesses are bearing the brunt of the ransomware wave. Ransomware appeared in 88% of SMB breaches, compared to 39% at larger organisations.

Read that again. Nearly nine out of every ten breaches at SMBs involve ransomware.

$115,000

Median ransom payment in 2025. For an SMB with 50 employees, that could represent an entire quarter’s operating margin—and that is before you count the downtime, lost clients, and recovery costs.

Why are smaller companies targeted so heavily? The Verizon report is blunt: organisations without mature IT and cybersecurity defences are easier targets. Attackers follow the path of least resistance. A company with 80 employees and no dedicated security team is far more vulnerable than an enterprise with a 24/7 security operations centre.

The Five Layers of Breach Cost

The ransom payment (if there is one) is only the first line on the invoice. IBM breaks breach costs into four categories, and for SMBs we need to add a fifth that the research often underestimates:

Cost Layer                  Global Average (2025)   What It Means for SMBs
Detection and escalation    $1.47M                  Forensic investigation, incident triage, external consultants
Lost business               $1.38M                  Client churn, contract penalties, reputational damage
Post-breach response        $1.20M                  Credit monitoring, legal fees, regulatory reporting
Notification costs          $0.39M                  Informing affected parties, communications, call centres
Operational downtime        Varies widely           Revenue stops flowing; staff idle; supply chain disrupted

That fifth layer—operational downtime—is where SMBs feel the sharpest pain. IBM found that 86% of breached organisations experienced operational disruptions such as halted production, delayed sales, or interrupted customer service. Among those that recovered, the majority took more than 100 days to do so.

For a law firm with 40 employees, 100 days of degraded operations could mean lost cases, missed filing deadlines, and departing clients. For a manufacturing business, production halts can cascade through an entire supply chain.

Industry Matters: Where the Risk Is Highest

Not all sectors carry equal risk. Healthcare organisations continue to face the highest breach costs globally at $7.42 million per incident, even after a significant drop from the previous year. But the industries that many SMBs operate in—professional services, retail, manufacturing—are far from safe.

Phishing overtook stolen credentials as the most common initial attack method in 2025, responsible for 16% of breaches at an average cost of $4.8 million per incident. Supply chain compromises were close behind, costing $4.91 million on average and taking the longest to resolve at 267 days.

For SMBs that depend on third-party vendors and cloud services, the supply chain finding is particularly relevant. Verizon found that third-party involvement in breaches doubled from 15% to 30% in a single year.

The Hidden Multiplier: Regulatory Fines

If your business handles personal data—and nearly every business does—a breach triggers compliance obligations. In South Africa, POPIA requires breach notification. In Europe, GDPR can impose fines up to 4% of global turnover. In the US, sector-specific regulations like HIPAA carry penalties reaching millions.

IBM’s 2025 report found that 32% of breached organisations paid regulatory fines, with nearly half of those exceeding $100,000. One in four paid fines over $250,000. These penalties layer on top of every other cost the business is already absorbing.

What SMBs Can Actually Do About It

The research points to three actions that measurably reduce both the likelihood and the cost of a breach:

Invest in detection speed. IBM’s data shows that organisations using AI-powered security tools reduced their breach lifecycle by 80 days and saved an average of $1.9 million compared to those without. You do not need an enterprise SOC to benefit. Managed detection and response services bring this capability within reach of businesses with 20 to 200 employees.

Manage your identities. Stolen credentials remain the most common way attackers get in. Phishing-resistant multi-factor authentication, proper password policies, and managing who has access to what are not optional—they are foundational. Verizon found that 88% of basic web application attacks involved stolen credentials.

Know your risk in currency. A traffic-light dashboard that shows "amber" does not tell a CFO what to budget for. Quantifying your risk in monetary terms—this is what we stand to lose, and this is what it costs to protect against it—turns cybersecurity from a cost centre into a business decision.


Security is not a technology problem. It is a business problem with a technology component. The question is not "are we secure?" but "what is our exposure, and is our investment proportionate?"
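The following is an added worked example, not code from the article or from ITRS, showing one simple way to express "what is our exposure, and is our investment proportionate?" in currency: a single-loss expectancy built from the cost layers above, scaled by an annual breach likelihood, and compared with the cost of a control. Only the $115,000 median ransom, the 88%, 86% and 32% rates come from the article; the per-layer amounts for a 50-person business, the 20% annual breach likelihood, the control cost and the 50% risk reduction are constructed assumptions for illustration, and the function and variable names are the example's own.

```python
"""Expected-loss model for stating cyber risk in currency terms (added example).

Figures marked "from the article" are the IBM/Verizon numbers quoted above; every
other number here is a constructed assumption for illustration, not a report figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossLayer:
    name: str
    amount: float        # estimated cost of this layer for one incident
    probability: float   # chance the layer is incurred, given that a breach happens (0..1)


def single_loss_expectancy(layers):
    """Expected cost of one breach: each layer weighted by how likely it is to apply."""
    return sum(layer.amount * layer.probability for layer in layers)


def annual_loss_expectancy(layers, annual_breach_probability):
    """Exposure per year: expected cost of one breach times the yearly chance of one."""
    return single_loss_expectancy(layers) * annual_breach_probability


def evaluate_control(ale_before, risk_reduction, control_cost):
    """Compare a control's annual cost with the exposure it removes.

    Returns (residual_ale, rosi) where rosi is return on security investment:
    (avoided loss - control cost) / control cost. Negative means the control
    costs more per year than the loss it is expected to avoid.
    """
    residual_ale = ale_before * (1.0 - risk_reduction)
    avoided_loss = ale_before - residual_ale
    rosi = (avoided_loss - control_cost) / control_cost
    return residual_ale, rosi


# Constructed loss profile for a hypothetical 50-person business (amounts are assumptions).
SMB_LAYERS = [
    LossLayer("Ransom payment", 115_000, 0.88),        # median ransom and 88% ransomware rate: from the article
    LossLayer("Detection and escalation", 40_000, 1.00),
    LossLayer("Lost business", 60_000, 1.00),
    LossLayer("Post-breach response", 30_000, 1.00),
    LossLayer("Notification costs", 10_000, 1.00),
    LossLayer("Operational downtime", 150_000, 0.86),  # 86% suffered operational disruption: from the article
    LossLayer("Regulatory fine", 100_000, 0.32),       # 32% paid regulatory fines: from the article
]

ANNUAL_BREACH_PROBABILITY = 0.20   # constructed assumption: one breach every five years
CONTROL_COST_PER_YEAR = 36_000     # constructed assumption: e.g. a managed detection service
CONTROL_RISK_REDUCTION = 0.50      # constructed assumption: halves expected loss


def budget_case(layers=SMB_LAYERS, breach_probability=ANNUAL_BREACH_PROBABILITY,
                control_cost=CONTROL_COST_PER_YEAR, risk_reduction=CONTROL_RISK_REDUCTION):
    """Bundle the numbers a CFO would ask for into one dictionary."""
    sle = single_loss_expectancy(layers)
    ale = sle * breach_probability
    residual_ale, rosi = evaluate_control(ale, risk_reduction, control_cost)
    return {
        "single_loss_expectancy": sle,
        "annual_loss_expectancy": ale,
        "residual_ale_with_control": residual_ale,
        "control_cost": control_cost,
        "rosi": rosi,
        "proportionate": rosi > 0,   # control pays for itself in expected-loss terms
    }


if __name__ == "__main__":
    for key, value in budget_case().items():
        print(f"{key:28s} {value:>14,.2f}" if isinstance(value, float) else f"{key:28s} {value}")
```

With the constructed inputs the expected cost of one breach is $402,200, the annual exposure is $80,440, and a $36,000-a-year control that halves the exposure avoids $40,220 of expected loss, a positive return. The value of the model is less the exact figures than the shape of the argument: change the breach likelihood or the downtime estimate and the answer to "is our investment proportionate?" changes with it, in the same units as the rest of the budget.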

The Bottom Line

A cyber attack does not just cost money. It costs time, trust, contracts, and sometimes the business itself. The data from IBM and Verizon makes one thing clear: smaller organisations face disproportionate risk with fewer resources to absorb the impact.

The businesses that survive and recover quickly are those that invested before the breach, not after. They detected faster, contained sooner, and knew exactly what was at stake—because they measured their risk in the same language they use for every other business decision: currency.

If you manage a business with 20 to 200 employees and you have not quantified your cyber risk in monetary terms, that is the single most valuable step you can take today.


Jaco Louw

Founder and CEO of ITRS. 30+ years in IT infrastructure and cyber risk management across seven countries. Passionate about making cybersecurity understandable for business leaders who think in currency, not jargon.

Sources

  1. IBM, Cost of a Data Breach Report 2025. ibm.com/reports/data-breach
  2. Verizon, 2025 Data Breach Investigations Report. verizon.com/dbir