Long gone are the days when cyber attacks were a concern only for large corporations' IT departments. Most cyber attacks now target small-to-medium businesses (SMBs), so it’s no longer a matter of IF, but WHEN. Stats from the National Cyber Security Alliance paint a sobering picture:

• 70% of cyber attacks target SMBs, 60% of whom fold within 6 months.

I write this not to evoke fear, but to highlight the importance of knowing how to measure the cost of a cyber attack for planning purposes. Some costs are easy to quantify: downtime, ransom amounts, and fees for recovery specialists. Other costs are more elusive, and they are often the primary cause of business failure.

Fear not - the following framework will help you estimate the cost of a cyber attack on your business, so you can properly allocate resources to mitigate a potential attack and help ensure your business continues to thrive no matter what comes your way.

7 Types Of Financial Costs To Consider

A cyber attack is not just an IT problem — it also affects sales, brand reputation, human resources, and customer trust. The direct and indirect costs can be categorized into these buckets:

1. Immediate Incident Response:

Costs incurred to stop an attack and remedy immediate effects, including paying ransoms, hiring forensic experts, and legal fees.

2. Longer-Term Recovery:

Costs for rebuilding networks, replacing hardware and software, and post-incident investigation.

3. Regulatory and Compliance Fines:

Any fines resulting from data breaches, which can be incredibly steep.

4. Brand Damage and Customer Churn:

The long-term effects on your brand and customer loyalty, which are challenging to quantify but can be devastating.

5. Intellectual Property Theft or Loss:

For businesses reliant on proprietary data or software, theft or loss can be catastrophic, involving potential legal battles.

6. Productivity Loss:

Employee time diverted to resolving the incident, as well as time spent re-establishing normal business operations.

7. Opportunity Costs:

The loss of potential sales, up-selling opportunities, and new business due to customer concerns about the business's ability to protect their data.

Each of these categories may have a different weight depending on the nature of your business, but together they represent a comprehensive view of the costs associated with a cyber attack.

8 Direct Costs

1. Specialized Cyber/Privacy Attorney:


2. Computer Forensics Fees:

$300/hour - $700/hour

3. Fines (potential):

6-figures (wide range based on industry)

4. HIPAA Fines/Penalties:

6-figures up to $2.5 million

5. Public Relations:

$10,000/month or $400/hour

6. Credit/Identity Monitoring Costs:

$9 - $12/redemption

7. Notification Costs:

$1.50/person - $3.00/person

8. Vendor Contract Violations:


One Cyber Attack Could Cost Your SMB Over $1.1 Million


That’s right - even for an SMB with only 20 employees, a single cyber attack will likely cost you over $1.1MM. In addition to the direct costs listed above, here are the 7 financial assumptions I used to get to this total cost.

1. Total Employees:

2 executives, 18 non-executives

2. Average Employee Cost:

Executive $100/hour, Non-Executive $50/hour

3. Billable Rate:


4. Breakdown of Billable Employees:

10 Billable, 10 Non-billable

5. Productivity Rate Affected:


6. Number of Months Affected:

1 - 6 months

7. Total Clients:


Cybersecurity Infrastructure Is Not Optional

I hope that this framework helps you to assess the costs of a cyber attack for your business. It’s important to understand that statistically speaking, your company is going to get hacked. Without a proper Cybersecurity plan for your company, one click or one phone call could truly end your business. An IT Managed Services Provider like GroupOne IT protects your data, your networks, and your sanity so you can focus on growing your business.
