Incident Cost by Company Size: SMB vs Mid-Market vs Enterprise
Incident cost scales with company size, but not linearly. The fixed costs of incident response (forensics, legal, regulatory notification) hit small businesses disproportionately hard relative to their revenue. A ransomware demand of $200,000 is trivial to a Fortune 500 company; it may be existential for a 50-person business.
Comparison Table
| Company Size | Avg Breach Cost | Ransomware Cost | Downtime Cost/Min | Avg IR Cost |
|---|---|---|---|---|
| SMB (under 100 employees) | $120K-$1.24M | $50K-$500K | $425-$9K/min | $15K-$80K |
| Mid-market (100-1,000 employees) | $2.5M-$4M | $500K-$3M | $9K-$23K/min | $50K-$300K |
| Enterprise (1,000+ employees) | $4.88M-$10.22M | $3M-$10M+ | $23K-$40K+/min | $200K-$2M+ |
Small Business (Under 100 Employees)
of a major cyber incident. The combination of direct cost and lost business is often unrecoverable without insurance.
Forensics ($15K-$50K), legal counsel ($20K-$100K), and regulatory notification cost roughly the same regardless of company size.
Most SMBs have no dedicated security personnel. First responders are generalist IT staff, extending detection and containment time.
Phishing (credential theft), RDP brute force, and unpatched public-facing systems account for 80%+ of SMB ransomware entry points.
Mid-Market (100-1,000 Employees)
Mid-market organisations face a particularly challenging risk profile: they hold enough sensitive data and revenue to attract sophisticated attackers, but their security programmes are often immature relative to their enterprise peers. The average breach cost of $2.5M-$4M represents a significant impact that can disrupt multi-year financial planning. Mid-market organisations are increasingly being used as the entry point for supply chain attacks against their larger enterprise customers.
| Challenge | Impact |
|---|---|
| No dedicated CISO or security team | Delayed detection; MTTD 2-3x higher than enterprise avg |
| Limited IR retainer | Emergency hourly rates 2-3x retained rates; slower response |
| Rising regulatory footprint | More regulated data as businesses scale; HIPAA, PCI, GDPR apply |
| Supply chain entry point risk | Used to target their enterprise customers; double exposure |
Enterprise (1,000+ Employees)
Enterprise breach costs range from $4.88M globally to $10.22M in the US (IBM CODB 2025 US average). Enterprise organisations face cost multipliers that smaller organisations do not: cross-subsidiary blast radius (a breach in one business unit triggers investigation across all); board and regulatory scrutiny (SEC disclosure requirements, earnings impact disclosure); and the expectation of a formal post-incident review and remediation programme that can cost $1M-$5M in itself.
Enterprise organisations that suffer a breach typically see a 5-10% stock price drop in the first week post-disclosure (academic studies 2020-2025). For a $10B market cap company, that is $500M-$1B in market value, dwarfing the direct breach cost.
Why the Cost Gap Is Non-Linear
Enterprise costs are higher in absolute terms, but SMB costs are often higher as a percentage of annual revenue:
| Organisation | Typical Revenue | Breach Cost | Cost as % Revenue | Recovery Likelihood |
|---|---|---|---|---|
| 50-person SMB | $5M/yr | $300K avg | 6% | Challenging - 60%+ close |
| 500-person mid-market | $100M/yr | $3M avg | 3% | Survivable with insurance |
| 5,000-person enterprise | $2B/yr | $8M avg | 0.4% | Manageable - material cost |
| 50,000-person enterprise | $50B/yr | $10.22M US avg | 0.02% | Operational disruption only |
Cyber Insurance by Company Size
| Size | Typical Annual Premium | Coverage Limit | Key Requirements |
|---|---|---|---|
| SMB (under $10M revenue) | $1,200-$7,500/yr | $1M-$2M | MFA, patching, backup proof |
| Mid-market ($10M-$500M) | $10K-$100K/yr | $5M-$25M | MFA, EDR, IR plan, annual assessment |
| Enterprise ($500M+) | $200K-$2M+/yr | $25M-$500M+ | SOC, CISO, full security programme |