6 Cost-Related Questions Every Business Should Ask About Cyber Risk

The days of treating cybersecurity as an afterthought are over. It’s now a necessity in the digital world, especially for the small and midsize businesses (SMBs) that are being increasingly targeted by cyber criminals.
In fact, SMBs fall victim to cyber attacks nearly four times as often as larger organizations. As cyber threats grow with each passing year, so do the questions about how businesses should address these risks and allocate their resources.
Below, we examine six cost-related questions every SMB should ask about cybersecurity.
1. How much should my business budget for cybersecurity?
When determining your cybersecurity budget, consider your risk profile in terms of employee count, industry, and the sensitivity of your business data. Your budget might be minimal if you have fewer than 100 employees and an annual revenue of less than $1 million.
For example, imagine a small plumbing business with a basic website, paper records, and limited data storage. This business would likely have a lower risk profile because referrals are the mainstay of its business, it stores minimal sensitive data, and it has limited reliance on technology. Yet, even this small operation would require protections for credit card payment processing and security tools to protect against unauthorized access to backend systems, inventory logs, and supplier data.
Now, consider a pharmacy with 150 employees, $25 million in revenue, and multiple networks and systems. As a healthcare business, it would have a higher risk profile because it stores sensitive personal data. Multiple locations may also require a more complex security strategy due to numerous technologies that expand the business’ attack surface.
When making budget choices, weigh the benefits of proactive investment in security tools and services against the potential costs your business may face after a cyber attack.
2. How much will a cyber attack cost my business?
The average cost of a cyber attack was $115,000 across all business sizes in 2024. However, this number can fluctuate for businesses of different sizes:
$79,000: Average loss for businesses with less than $25 million in revenue
$139,000: Average loss for businesses with $25 million-$100 million in revenue
$228,000: Average loss for businesses with more than $100 million in revenue
The cost of a cyber attack typically increases as your business grows. Some of the costs that contribute to this figure are well-understood, such as a ransom payment in the event of a ransomware attack or legal fees and fines related to a data breach. However, other, lesser-known costs can influence the total impact of an attack, such as business interruption, digital asset restoration, and forensic investigation:
$120,000: The average business interruption loss due to inability to operate after a ransomware attack. Interruptions include technology outages, data loss, system inaccessibility, or blocked employees due to inoperable tools or accounts.
$18,000: The average amount spent on restoring digital assets that were damaged or destroyed in a ransomware attack. Failure or disruption of your networks, services, or applications can result in missed deadlines and lost revenue.
$58,000: The average forensic vendor costs to investigate what happened after an attack, including data collection and analysis, identifying weaknesses in your security posture, and providing forward-looking recommendations.
3. Which security solutions deliver the best return on investment?
Free or low-cost tools, such as multi-factor authentication (MFA), can deliver reliable security with minimal budget impact. MFA is an access control that requires you to provide two or more forms of verification to access a system, application, or account. MFA can block over 99.9% of account compromise attacks, yet only 54% of SMBs say they’re using it.
Managed detection and response (MDR) is a security solution that combines advanced threat detection technology with human security experts who respond in real time. Delivering 24/7/365 monitoring and remediation, MDR helps businesses prevent cyber incidents and respond faster to attacks.
Security awareness training is a way to educate employees on cyber threats, reduce cyber risk, help meet compliance training requirements, and protect business data. The best training programs use live phishing simulations, engaging content, and real-life stories to transform employees from a potential weakness into a strong cyber defense asset.
Remember: No security solution eliminates all risk. But adopting high-impact, low-cost tools and services is a way to proactively address cyber risk, rather than waiting until after an attack to make cybersecurity investments.
4. Can I manage security in-house or should I outsource it?
Managing security in-house requires hiring, training, and maintaining the expertise of enough employees to support an around-the-clock team. Cyber attackers like capitalizing on nights, weekends, and long holidays. These are the quiet hours (when no one’s watching) that give them time to sneak in, poke around, and wreak havoc before anyone notices.
A significant issue affecting organizations seeking to manage security in-house with a 24/7 team is the growing IT skills shortage. The inability to hire and maintain adequately trained and capable staff must be a factor when deciding between in-house and outsourced security services. In-house management also involves upfront costs for technology, hardware, and infrastructure, which is why many SMBs opt to outsource this support to security experts.
Outsourcing can be beneficial for SMBs with limited IT resources, expertise, and budgets, particularly given the wide range of managed services from which businesses can choose based on size, industry, and stored data sensitivity.
A trusted provider can help your business determine the scope of your attack surface and needs, while making recommendations regarding your overall cybersecurity strategy. When working with the right partner, you still maintain control of your business's security.
5. What should I look for in a security partner?
There’s no shortage of tools, services, and third-party vendors that will promise to take care of security on your business’ behalf — but not all cybersecurity solutions are created equal. When evaluating a potential partner, make sure you’re asking the right questions, such as:
Does the security vendor have a holistic view of the threat landscape?
Do they have dedicated security experts on staff?
Are they incentivized to spot a threat before it strikes?
The right security partner should make your life easier, not more complicated. Look for some of the common red flags that we often see in security vendors across the market, including antiquated solutions that fail to address modern threats, tools and services that are only built for large enterprises, and a lack of specialization.
Comprehensive cyber risk management means addressing threats before, during, and after an attack. Prevention should be your top priority, but you still want a security partner that’s equipped to help you mitigate risk in real time and recover from an attack, should one occur.
6. What other factors should I consider when investing in cybersecurity?
Managed services like MDR are priced based on your business’ total number of endpoints: all of the various devices and technology types that connect to your business network. This means your investment in an MDR solution is strongly tied to the size and scope of your unique business structure.
Similarly, security awareness training is priced based on your number of employees, reinforcing the importance of finding a security partner that provides solutions that are tailored to fit the size and needs of your business.
To better understand the costs associated with these services, we created an interactive cost savings calculator. Based on your business’ number of endpoints and employees, you can compare the cost of MDR and security awareness training against other vendors and determine if you’re getting the best return on investment.
See what you can save with Coalition Security™
Coalition Security products and services are purpose-built for small businesses to help you maximize savings while minimizing risk. With unique access to data from real-world risks and 90,000+ global cyber insurance policyholders, we’re able to prioritize threats based on potential impact while providing security solutions that are tailored for budget-conscious business leaders.
Try our interactive Cost Savings Calculator to see how much you could save by partnering with Coalition Security.
Security products are provided by Coalition Incident Response, Inc., d/b/a Coalition Security, a wholly owned affiliate of Coalition, Inc. with a principal place of business and registered address of 19 West 44th St., 15th Floor, Ste. 1507, New York, NY 10036. Coalition Security does not provide insurance products. The purchase of a Coalition insurance policy is not required to purchase any Coalition Security product.
This blog post is designed to provide general information on the topic presented and is not intended to be construed as the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees makes any warranty of any kind, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, or assume responsibility or liability for the content, privacy policy or practices of any such third-party websites. Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.