The average cost of a data breach reached $4.44 million globally in 2025. For U.S. businesses specifically, the number hit $10.22 million, a record. Small businesses hear those numbers and assume they do not apply because they are not large enough to attract sophisticated attackers. That assumption is the most expensive mistake in this category. Small businesses represent over 43 percent of all cyberattack targets precisely because they are large enough to have valuable data and small enough to have inadequate defenses. Ransomware operators in particular favor small businesses: the payout request is small enough to pay, the IT resources to recover independently are usually absent, and the victim is unlikely to have law enforcement relationships that complicate collection.
What Conventional Security Advice Gets Wrong
Most small business cybersecurity guidance leads with a list of technical controls (use MFA, patch your software, train employees on phishing) without addressing the economic question of how much to spend, on what, and in what order. The result is businesses that implement the cheapest tools available, check the compliance box, and remain exposed to the risks those tools do not cover.
The more important framing: cybersecurity spending is risk transfer math. The question is not “what is the minimum businesses need to do.” The right question is: what is the probable loss exposure, and what does it cost to reduce it to an acceptable level? A business with 20 employees, a customer database of 5,000 records, and a credit card processing relationship has a breach exposure well above $200,000. That figure accounts for notification costs ($3 to $10 per record under most state laws), forensics, business interruption, and remediation. A $500 per month managed security service that prevents that breach generates 30x+ ROI in the year it prevents an incident.
The Threat Layer Every Small Business Actually Faces
Three threat types account for the vast majority of small business incidents. Phishing and social engineering (emails that trick employees into revealing credentials or wiring money) are responsible for over 80 percent of breaches. No technical control eliminates this entirely, but the combination of email filtering, MFA, and regular phishing simulation training reduces exposure substantially. Ransomware, delivered via phishing or unpatched software, encrypts business data and demands payment for the decryption key. The average ransom demand to small businesses in 2025 was $200,000 to $400,000. A significant percentage of victims pay because the alternative (data loss or reconstruction cost) is worse. Business email compromise (impersonation of executives or vendors to authorize fraudulent wire transfers) cost U.S. businesses over $2.9 billion in 2023, with small businesses representing the majority of victims by volume.
What the Security Stack Actually Costs
Endpoint Detection and Response (EDR) software, the current baseline for endpoint security and the replacement for traditional antivirus, runs $5 to $15 per endpoint per month. It detects and alerts on suspicious endpoint behavior but requires someone with security expertise to review and respond to the alerts. For a small business without an IT security specialist, EDR alerts become noise that nobody acts on. That is EDR deployed incorrectly.
Managed Detection and Response (MDR) adds 24/7 SOC (Security Operations Center) monitoring, threat hunting, and incident response on top of EDR tooling. Cost runs $8 to $50 per endpoint per month depending on coverage level and provider. For a 20-person business with 25 endpoints, that is $200 to $1,250 per month, and it means actual humans are reviewing alerts and responding to threats around the clock, not just software generating notifications nobody reads. MDR is the appropriate security model for small businesses that do not have a dedicated security person on staff, which is most of them.
Comprehensive MSSP (Managed Security Service Provider) coverage (firewall management, email security, endpoint protection, identity management, and compliance reporting) runs $50 to $350 per user per month depending on scope. For businesses with regulatory compliance requirements (HIPAA for healthcare, PCI-DSS for card processing, SOC 2 for SaaS), the compliance documentation alone justifies a significant portion of that cost.
The Five Controls That Prevent Most Incidents
Multi-factor authentication on every external-facing account (email, VPN, cloud services, banking) eliminates the largest single attack vector. Credentials stolen through phishing are useless to an attacker if MFA blocks the login. Implementation cost is near zero on most platforms. The friction is employee adoption. It is worth the friction.
Email filtering with sandboxing, not just spam filtering, catches phishing attachments by detonating them in an isolated environment before delivery. Microsoft Defender for Office 365 Plan 1 costs $2 per user per month and provides this. Google Workspace’s advanced protection includes similar features. This is the highest-ROI security spend available to small businesses at any size.
Patch management, ensuring operating systems, browsers, and applications are updated within 14 days of security patches, closes the vulnerability window that ransomware operators exploit. Over 60 percent of ransomware attacks exploit known vulnerabilities for which patches existed but were not applied. Automated patch management tools for small businesses run $2 to $5 per endpoint per month.
Offline or immutable backups, specifically the 3-2-1 rule (three copies, two different media, one offsite or cloud with versioning that cannot be encrypted by ransomware), are the recovery mechanism when prevention fails. Backblaze Business Backup runs $99 per computer per year. Acronis and Veeam offer business-grade solutions at $3 to $8 per endpoint per month. Businesses that pay ransomware ransoms almost always do so because they do not have clean backups to restore from.
Phishing simulation training, regular tests that send mock phishing emails to employees and immediately educate those who click, measurably reduces click rates over time. KnowBe4 and Proofpoint Security Awareness Training both offer small business tiers at $10 to $25 per user per year. The investment is minor. The impact on the most common attack vector is substantial.
The Right Spending Sequence
For a business starting from minimal security investment, the sequence that gets the maximum risk reduction per dollar spent is: MFA everywhere (free to $5/month), email filtering with sandboxing ($2/user/month), offline backups ($3-8/endpoint/month), patch management automation ($2-5/endpoint/month), phishing simulation training ($1-2/user/month). That full stack costs $10 to $20 per user per month and eliminates exposure to the most common attack types.
Businesses with compliance requirements or higher risk profiles (healthcare, financial services, legal, any business handling sensitive customer data) add MDR on top: $15 to $50 per endpoint per month for 24/7 monitoring with human response. The combination covers the full threat surface at a total cost that is a fraction of one prevented incident.
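The risk transfer math above and the spending sequence can be put into a small cost model. This is an added example, not code from the article; the price ranges are the article's, the 20-user, 25-endpoint business with $200,000 exposure is the article's worked case, and treating the MFA figure as a flat monthly cost is an assumption.

```python
# Added example: models the article's spending sequence and breach-exposure
# math. Prices are the article's (low, high) monthly USD ranges; the MFA
# "free to $5/month" figure is assumed to be a flat cost per business.
from dataclasses import dataclass

PER_USER = {                      # monthly, per user
    "email filtering with sandboxing": (2, 2),
    "phishing simulation training": (1, 2),
}
PER_ENDPOINT = {                  # monthly, per endpoint
    "offline/immutable backups": (3, 8),
    "patch management automation": (2, 5),
}
MFA_FLAT = (0, 5)                 # assumption: flat monthly cost
MDR_PER_ENDPOINT = (15, 50)       # added for higher-risk / regulated businesses


@dataclass
class Profile:
    users: int
    endpoints: int
    exposure_usd: float           # probable loss from one breach


def monthly_cost(p: Profile, with_mdr: bool = False) -> tuple[float, float]:
    """(low, high) monthly spend for the baseline stack, optionally with MDR."""
    if p.users <= 0 or p.endpoints <= 0:
        raise ValueError("profile needs at least one user and one endpoint")
    low = MFA_FLAT[0] + sum(lo * p.users for lo, _ in PER_USER.values()) \
        + sum(lo * p.endpoints for lo, _ in PER_ENDPOINT.values())
    high = MFA_FLAT[1] + sum(hi * p.users for _, hi in PER_USER.values()) \
        + sum(hi * p.endpoints for _, hi in PER_ENDPOINT.values())
    if with_mdr:
        low += MDR_PER_ENDPOINT[0] * p.endpoints
        high += MDR_PER_ENDPOINT[1] * p.endpoints
    return low, high


def per_user_monthly(p: Profile, with_mdr: bool = False) -> tuple[float, float]:
    """Monthly spend range expressed per user, to compare with the article's $10-20."""
    low, high = monthly_cost(p, with_mdr)
    return low / p.users, high / p.users


def roi_multiple(p: Profile, with_mdr: bool = False) -> tuple[float, float]:
    """Exposure divided by annual spend: how many times one prevented breach
    pays for the stack. The low multiple uses the high-end prices."""
    low, high = monthly_cost(p, with_mdr)
    return p.exposure_usd / (12 * high), p.exposure_usd / (12 * low)
```

For the article's 20-user, 25-endpoint business the baseline stack comes to $185 to $410 per month, and adding MDR still leaves one prevented $200,000 breach paying for the annual spend roughly 10 to 30 times over.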
The businesses that get breached are not usually the ones who invested in security and failed. They are the ones who assumed the risk applied to larger organizations, implemented the cheapest available tools without managed monitoring, or treated security as a compliance checkbox rather than an economic risk management decision.