_Part 3 of 12 in the Cyber security for the small business series._
Understanding threats in the abstract is one thing. Understanding what they cost your business is another. This month we put real numbers and real consequences on the risks we covered in February — not to frighten you, but to help you make informed decisions about where to invest your time and attention.
The direct financial cost is the smaller half
The headline cost of a cyber incident includes things like ransom payments, fraudulent transfers, emergency IT support, replacement hardware, regulatory fines, legal fees, and compensation to affected customers. The UK Government's Cyber Security Breaches Survey consistently finds the average cost of a breach for a small business is in the thousands of pounds. For more severe incidents the figure reaches tens of thousands.
That number is real and it stings. But the direct costs are usually the smaller part of the picture. The indirect costs — lost business, damaged relationships, staff time diverted to recovery — almost always dwarf the immediate financial impact, and rarely make it into the survey number.
Operational disruption
When your systems go down, your business slows or stops. Emails cannot be sent. Orders cannot be processed. Invoices cannot be raised. Staff sit idle, or scramble to work around the problem using personal devices and ad hoc methods that create further security risks.
Recovery is rarely instant. Restoring from backups (if they exist and work) takes time. Rebuilding compromised systems takes more time. Investigating what happened, what data was accessed, and what needs to be reported takes more time still. For a small business without dedicated IT staff, this process can run for weeks.
A week of full operational disruption for a 20-person business carries a wage bill in the high four figures alone, before any of the other costs are counted. Most small businesses cannot afford to lose that week of revenue at the same time.
Reputational damage
Trust is slow to build and quick to lose. When customers learn that their personal data has been compromised, they do not typically conduct a rational assessment of your security maturity. They feel let down, and many will take their business elsewhere.
For businesses that operate on referrals and reputation — accountants, solicitors, consultants, healthcare providers, financial advisers — a data breach can undermine the very foundation of the client relationship. The irony is that these are often the businesses that assume they are too small to be targeted.
The cost of reputational damage does not show up neatly in a P&L. It shows up in the churn rate, the lower renewal rate, the conversation at the networking event where someone says "oh, didn't they have that data breach?", and the contract that was almost yours and somehow wasn't. It is real money. It is just harder to count.
Legal and regulatory consequences
Under the UK General Data Protection Regulation and the Data Protection Act 2018, any organisation that handles personal data has legal obligations to protect it. If you suffer a breach and the Information Commissioner's Office determines that you failed to take appropriate measures, fines can follow. For small businesses, the ICO tends towards proportionate enforcement, but the reputational impact of being the subject of an ICO investigation can be as damaging as any fine.
If the breach affects individuals, you may also be required to notify them directly, which is both costly and embarrassing. And if individuals suffer financial loss as a result, they may pursue compensation through the civil courts.
We will cover the legal side properly in December.
The positive case
Most security writing dwells on worst cases. Let me offer the opposite case. A business that can demonstrate good security practices — perhaps through Cyber Essentials certification — can:
- Win contracts that require evidence of security standards. All central government contracts involving the handling of personal data require Cyber Essentials certification. Many private-sector buyers now require it too.
- Reduce insurance premiums. Many cyber insurance providers offer discounts for Cyber Essentials certified organisations, and some now require it for cover at all.
- Build client confidence, particularly when handling sensitive financial, legal, or medical information. The conversation starts in a different place when you can lead with "here is what we have in place".
- Operate more efficiently, because good security practices overlap heavily with good business practices: knowing where your data is, controlling who can access what, keeping systems current. None of this is wasted effort, even in a world without attackers.
The advertising legend Rory Sutherland once observed that the opposite of a good idea can also be a good idea. In security, this translates beautifully: the same effort that protects you from harm also creates value. Security is not just a shield. It is a signal of competence and reliability that customers respond to.
What March looks like
If you want to do one thing this month, do the back-of-envelope sum. Take your monthly revenue, divide by 20 working days, and look at the daily number. Now ask: if we lost five working days to a serious incident, what would that cost? Add a rough number for emergency IT, legal advice, and customer notification.
Write down the total. Pin it somewhere you can find it. You now have your baseline incident cost — the loss you are protecting against. Every piece of security investment in the rest of the year can be judged against that number.
In April we move into the practical work. The single highest-value hour you will spend on cyber security all year is the one we spend on passwords and access.