90% of Small Business Leaders Underestimate Cyber Incident Costs

Nov 6, 2023 · 4 mins read

Small businesses can face severe financial hardship or even go bankrupt as a direct result of cyber incidents. That’s because they underestimate the costs of recovery and fail to prepare adequately for the disruption and fallout of a cyber security incident. They also underestimate their exposure to cyber risks because they mistakenly assume that cybercriminals have bigger fish to fry.

In fact, cybercriminals more frequently target small and medium-sized businesses (SMBs) than large companies. According to Infosecurity Magazine, cyber-attacks cost small US businesses $25k annually.

Cyber insurance provider Cowbell has released its Cyber Round-Up: Q2 2023 report, revealing that 90% of the small and medium-sized business (SMB) leaders underestimate the costs of a cyber incident. The report also explores the way in which a cyber security insurance provider can help SMBs proactively strengthen their defenses against cyber threats.

Why small businesses are bigger targets than they think

There are several reasons why small businesses are bigger targets for hackers than they think:

●  SMBs have limited tech resources: cybersecurity specialists demand substantial salaries, which smaller companies often can’t afford. SMBs also have limited IT and tech budgets and may not be able to afford cutting-edge hardware or security solutions. Hackers know this. It makes smaller businesses a much more appealing target than large companies with dedicated security resources and enterprise-level defenses.

●  SMBs have to outsource to vulnerable contractors and third parties: small businesses usually outsource cybersecurity and sensitive services like payment processing or payroll to third-party providers. Doing so means relinquishing control over their data to the supplier and contractor chain, and every link in that chain can introduce vulnerabilities.

●  Lack of knowledge about the threat landscape: small business owners are seldom IT specialists and may be entirely uninterested in the digital landscape. They may be specialists in their niche yet remain blissfully unaware of the scale of the cyber threat landscape. That creates a false sense of invulnerability, which makes SMBs easier targets.

●  Valuable customer and financial data: customer and personal data is a dark web commodity. Stolen PII can be resold to many buyers over several years. Financial records, people’s personal information, and intellectual property are all up for grabs in dark web communities.

What harm may SMBs suffer in a cyberattack?

When a thief clears out an office, they steal things they can sell for quick cash, which makes it easy to list the cost of stolen computers and appliances after a physical break-in. But a cyberattack can inflict far more subtle and lasting damage on a small business.

●  Loss of income: a cyberattack can bring a small business to a complete halt. Few small businesses can afford to face a long downtime while they scramble (and pay specialists a premium) to restore normal services. Customer service disruptions can cost them dearly in the longer term.

●  Financial implications: theft of company funds is just the beginning. Criminals can also demand ransom payments to release the company’s files. Consultation fees for security specialists can run into many thousands of dollars. The company may need to replace hardware and software. Each step costs thousands, and there may be no income while you’re trying to contain the breach. To add insult to injury, SMBs may also face regulatory fines, legal liabilities, and even lawsuits from customers who suffered harm as a result of the cyber incident.

●  Reputational damage: the mere mention of news that your business has been compromised can destroy a brand’s reputation because people sometimes unfairly associate cyber breaches with incompetence and neglectful data practices.

●  Theft of intellectual property: small businesses that do specialist research and development or that specialize in innovation can lose their entire reason for existing if someone steals their intellectual property.

Cybercrime heaps layers upon layers of costs on small businesses

It can be hard to define a cut-off point for the expenses of recovering from cybercrime. Besides the immediate costs of re-establishing normal business operations, fines and lawsuits can take a toll for years afterward. According to the Hiscox Cyber Readiness Report 2021, the average cost of a cyber incident for small businesses was $200,000. Data breaches are particularly costly: IBM’s Cost of a Data Breach 2022 report put the average cost of a data breach in the United States at $9.44M.

What steps can you take to mitigate the risks of cyber attacks?

The most important step is to have a recovery plan that includes provisioning for considerable emergency expenses. Consult a cybersecurity insurance expert about the measures you can take to mitigate your risks. Securing an SMB against cyber threats is far more than just a box-ticking exercise.

Prepare a formal security and recovery plan, which must contain at least these key elements:

●  Secure all devices: do an audit of all tech and IoT equipment, including laptops, mobile devices, and servers. Review physical access policies and implement an asset tracking system that can be audited on a regular basis.

●  Back up important data regularly: store backups securely offsite or in the cloud, and keep at least one copy offline or otherwise unwritable from the production network, so that an attacker who gets into your systems (ransomware in particular) cannot encrypt or delete the backups along with the live data. Practice restoring systems from backups to make sure the recovery plan can actually be carried out; an untested backup is only a hope.

●  Secure the network: protect your business network from intrusion. Install firewalls and intrusion detection systems. Employees who work from home or who access your systems while on the road must use a VPN to encrypt their data exchanges.

●  Keep hardware and software updated: not everyone needs the newest computers, but take some care to replace and rotate devices as often as you can afford. Any device that connects to the internet could be at risk, so include mobile phones and IoT devices in the planning. Keep all software patched and updated to prevent attackers from using exploits to penetrate your network.

●  Install an anti-malware solution on all devices: mobile phones are especially vulnerable because people tend to be less security-conscious when they use them for work. Every device needs a protective layer that scans a file for malware before an unsuspecting employee opens an email attachment or document.

●  Implement access controls and a password policy: discourage employees from sharing accounts or reusing passwords across devices and services. It’s better to implement a password management solution to manage login credentials, give each person only the access their role requires, and turn on multi-factor authentication wherever it is available.

●  Implement employee cybersecurity awareness training: a large share of breaches begin with a user mistake. Provide compulsory, ongoing training about common types of cyber threats, such as phishing emails and social engineering.

●  Make provision for the worst-case scenario: if your company succumbs to a cyberattack, you’ll need cash to remedy the situation. Consider taking out a cyber insurance policy to cover the costs of a cyber incident.
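The backup item above says to practice restoring from backups. The script below is an added example, not part of the original post: it takes a backup of a directory, records a checksum manifest of the live files, then proves the backup works by restoring it into a scratch directory and checking every file against the manifest, reporting failure if the archive is truncated or a file differs. The directory names and the sample files at the bottom are constructed for the demonstration; it assumes GNU coreutils (sha256sum) and tar.

```shell
#!/bin/sh
# Added example (not from the original post): back up, then verify the backup
# by doing a real test restore. Sample data and paths are constructed here.
# Requires GNU coreutils (sha256sum) and tar.
set -eu

# make_backup LIVE_DIR BACKUP_DIR
# Writes BACKUP_DIR/backup.tar.gz plus BACKUP_DIR/manifest.sha256.
make_backup() {
  live="$1"
  mkdir -p "$2"
  dest=$(cd "$2" && pwd)          # absolute path; we cd elsewhere later
  # Archive with relative paths so a restore can go anywhere, not only to /.
  tar -czf "$dest/backup.tar.gz" -C "$live" .
  # Hash every live file now; this is what a good restore must reproduce.
  ( cd "$live" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) \
    > "$dest/manifest.sha256"
}

# verify_backup BACKUP_DIR
# Restores into a fresh scratch directory (never over the live data) and
# compares the result with the manifest. Returns 0 only if the archive
# unpacks and every manifest entry matches; returns 1 otherwise.
verify_backup() {
  dest=$(cd "$1" && pwd)
  scratch=$(mktemp -d)
  if ! tar -xzf "$dest/backup.tar.gz" -C "$scratch" 2>/dev/null; then
    echo "RESTORE FAILED: archive does not unpack" >&2
    rm -rf "$scratch"
    return 1
  fi
  # sha256sum -c re-hashes each listed file relative to the scratch dir.
  # A missing or altered file makes it exit non-zero. (Extra files that are
  # in the archive but not in the manifest are not flagged by this check.)
  if ( cd "$scratch" && sha256sum -c --quiet "$dest/manifest.sha256" ); then
    echo "RESTORE OK: $(wc -l < "$dest/manifest.sha256") files verified"
    rm -rf "$scratch"
    return 0
  fi
  echo "RESTORE FAILED: contents differ, left for inspection in $scratch" >&2
  return 1
}

# Demo with constructed data: a tiny "live" tree, a backup, a test restore.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/live/accounts"
printf 'invoice 1001 paid\n' > "$demo_root/live/accounts/ledger.txt"
printf 'customer list v3\n'  > "$demo_root/live/customers.csv"
make_backup "$demo_root/live" "$demo_root/backup"
verify_backup "$demo_root/backup"
```

Run it on a cron schedule against the real backup location and alert on a non-zero exit; a backup job that completes without error says nothing about whether the archive can be restored, which is the only property that matters on the day of an incident. The manifest should be stored with the backup copy that the production network cannot overwrite, so a ransomware operator cannot tamper with both.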


The cybersecurity threat landscape keeps evolving, and most small businesses can’t throw vast resources at keeping up with the threats. Consider partnering with a cybersecurity insurance company to help you draw up a plan to prevent an incident and cover your expenses if the worst should happen.



Vimala Balamurugan

Vimala heads the Content and SEO Team at BlockSurvey. She is the curator of all the content that BlockSurvey puts out into the public domain. Blogging, music, and exploring new places around is how she spends most of her leisure time.
