Although a cyberattack doesn't have the same financial impact on a small business as it does on a large company, it still makes a significant dent on a small business's bottom line, new research finds.
The average direct costs of a security breach on small businesses are $38,000, according to a study from Kaspersky Lab. This total includes the costs of downtime, lost business opportunities and the professional services small businesses hire to mitigate the security breach.
The research shows that, on average, small businesses can expect to pay $10,000 in professional services following a cyberattack. These services can include the hiring of IT security consultants, risk-management consultants, lawyers, physical security consultants, auditors and accountants, management consultants, and public relations consultants.
Besides the professional services, the study estimates that cyberattacks cost businesses $5,000 in lost business opportunities and $23,000 in downtime.
In addition to the direct costs, small businesses experience a number of indirect costs following a security breach. The study discovered that small businesses spend, on average, $8,000 trying to ensure a similar incident doesn't happen again. This includes adding new staff members, training current employees and making IT infrastructure upgrades.
Most businesses also suffer reputational effects after an attack. The research estimates the reputational damage of a security breach could cost small businesses $8,653. [Could a Cyberattack Put You Out of Business? How to Protect Yourself ]
When everything is added together, small businesses could face losses of nearly $55,000 following a cyberattack.
"Although real damages can be very different from our average estimation, in this report we've made a unique attempt to connect potential risks and real consequences of a security breach, defined in dollars, not gigabytes of data and hours of downtime," the study's authors wrote in the research.
Large businesses face even more staggering numbers, with costs totaling more than 15 times of those for small businesses. The research estimates that cyberattacks cost large enterprises $824,750 on average.
"Businesses have known for a long time that any cyberattack has its consequences, but the high cost associated with addressing a cyberattack after an incident occurs is quite alarming," Chris Doggett, managing director of Kaspersky Lab North America, said in a statement. "These numbers should serve as a wake-up call for both large and small businesses."
The study found that malware attacks are the most prevalent type of cyberattack. Other common categories of security breach that the surveyed businesses faced include phishing attacks and accidental data leaks by employees. Overall, 90 percent of the 5,500 surveyed companies, both large and small, have had at least one security incident. Nearly half lost sensitive data due to internal or external security threats.
Despite the potentially crippling financial impact of such attacks, many businesses aren't making cybersecurity a top priority. Only 50 percent of the IT professionals surveyed list prevention of security breaches as one of their major concerns.
The study was based on surveys of top managers and IT professionals at 5,500 businesses in 26 countries.