The Real Cost of a Data Breach for an Australian Small Business


When people talk about the cost of a data breach, they usually quote the IBM global average from its Cost of a Data Breach Report: around USD 4.88 million in the 2024 edition. Business owners hear that number and think, “Well, that’s for big corporations, not for my 15-person business.”

They’re right that the IBM number doesn’t apply directly. But they’re wrong if they think their costs would be trivial. A data breach at an Australian small business typically costs between $50,000 and $300,000 when you add everything up. For many SMBs, that’s the difference between survival and closure.

Let me break down where the money actually goes.

Phase 1: Discovery and Incident Response ($15,000-$75,000)

Most SMBs don’t have a security operations centre monitoring for breaches. They find out something’s wrong when a customer complains, when ransomware locks their files, or when the bank calls about suspicious transactions. That delay is expensive: IBM’s global figures put the mean time to identify a breach at around 200 days, and an SMB with no monitoring in place is unlikely to beat that average.

Once you know something’s happened, you need an incident response team. Unless you have in-house security expertise (most SMBs don’t), you’re hiring external help. Typical costs:

  • Forensic investigation: $15,000-$50,000 for a mid-sized environment. This involves analysing logs, identifying the attack vector, determining what data was accessed, and containing the breach. Forensic firms in Australia charge $250-$400 per hour, and investigations typically take 40-150 hours.
  • Legal counsel: $5,000-$25,000 initially. You need a lawyer who specialises in privacy and data breach law to advise on your notification obligations and potential liability. This isn’t optional — getting the legal response wrong can multiply your exposure dramatically.
  • Emergency IT support: $5,000-$15,000 for system restoration, credential resets, and security patching if your regular IT provider isn’t equipped for incident response.

Phase 2: Notification and Compliance ($10,000-$40,000)

Under the Notifiable Data Breaches (NDB) scheme, which has been in effect since February 2018, Australian businesses covered by the Privacy Act must notify affected individuals and the OAIC if a breach is likely to result in serious harm.

The notification process isn’t just sending an email. It involves:

Assessment: Determining whether the breach meets the “likely to result in serious harm” threshold. The Act requires you to take all reasonable steps to complete this assessment within 30 days of becoming aware of a suspected breach. It requires legal analysis of the type of data exposed, the number of affected individuals, and the circumstances of the breach.

Individual notifications: Each affected person must be told what data was compromised, what steps you’re taking, and what they can do to protect themselves. For a breach affecting 5,000 customer records, the communication effort is substantial.

OAIC notification: A formal statement to the regulator including a description of the breach, the type of information involved, and your response actions.

Credit monitoring services: If financial data or identity documents were compromised, offering affected individuals credit monitoring is now standard practice. At $10-15 per person per month for 12 months, this adds up quickly. For 1,000 affected individuals, you’re looking at $120,000-$180,000 for credit monitoring alone, which on its own exceeds the range for this phase. Treat it as a separate line item whenever identity documents or financial data are involved.

Many SMBs don’t realise they’re covered by the Privacy Act. If your business has an annual turnover of more than $3 million, you’re covered. So are businesses below that threshold that provide a health service and hold health information, trade in personal information, act as a credit reporting body, or are a contracted service provider under a Commonwealth contract. And even if you’re technically exempt, state-based consumer protection laws can still expose you to liability.

Phase 3: Business Disruption ($20,000-$100,000+)

This is the cost that’s hardest to quantify but often the most damaging. When your systems are down — whether from ransomware, a compromised network, or a precautionary shutdown during investigation — your business stops generating revenue.

For a service business billing $50,000 per week, five days of downtime is $50,000 in lost revenue. For a retail business during peak season, it could be more.

Then there’s the recovery effort:

  • System rebuilding: If systems need to be wiped and rebuilt from backups (assuming backups exist and weren’t compromised), expect 3-10 business days for a typical SMB environment.
  • Data recovery: If backups are incomplete or corrupted, data recovery services cost $5,000-$30,000 with no guarantee of success.
  • Temporary workarounds: Staff working on manual processes, using personal devices, or operating at reduced capacity while systems are restored.

One Brisbane professional services firm I know of was down for 11 business days after a ransomware attack. Between lost billings, overtime for recovery work, and temporary manual processes, they estimated the business disruption cost at $140,000.

Phase 4: Legal and Regulatory ($5,000-$100,000)

The OAIC can investigate breaches and seek civil penalties. Since the December 2022 amendments to the Privacy Act, the maximum penalty for a serious or repeated interference with privacy is $2.5 million for an individual, and for a body corporate the greatest of $50 million, three times the value of any benefit obtained from the conduct, or 30% of adjusted turnover for the relevant period. Those are the extremes. For SMBs, the OAIC is more likely to accept an enforceable undertaking requiring specific security improvements, but the legal costs of responding to an investigation still run $20,000-$50,000.

Class action risk is also real. After the Medibank and Optus breaches, Australian consumers are more aware of their rights. Law firms like Maurice Blackburn and Slater & Gordon actively seek affected individuals for class actions. Even a small class action settlement can cost an SMB $50,000-$200,000.

And then there’s your customer contracts. Many B2B contracts include data protection clauses with indemnification requirements. If you breach a customer’s data and they suffer loss, you could be liable under contract as well as privacy law.

Phase 5: Reputational Damage (Hard to Quantify, But Real)

Customer trust is hard to earn and easy to lose. Research from the Ponemon Institute consistently shows that businesses lose an average of 3-5% of customers following a publicly disclosed data breach. For an SMB with $2 million in annual revenue, that’s $60,000-$100,000 in lost business per year, potentially for several years.

The reputational damage is worse in industries where trust is the product: accounting firms, medical practices, legal services, financial advisers. If clients can’t trust you with their data, they won’t trust you with their business.

The Total Picture

Adding it all up for a “typical” SMB data breach affecting a few thousand records:

Cost category                   Low estimate    High estimate
Incident response               $15,000         $75,000
Notification and compliance     $10,000         $40,000
Business disruption             $20,000         $100,000
Legal and regulatory            $5,000          $100,000
Reputational/customer loss      $20,000         $100,000
Total                           $70,000         $415,000

Most SMB breaches land somewhere in the $100,000-$250,000 range when all costs are included. And that’s before any ransomware payment (which I’d strongly advise against paying, but that’s another article).

What This Means for Prevention Spending

Here’s the uncomfortable maths. If the average breach costs your business $150,000, and Australian SMBs have roughly a 1-in-4 chance of experiencing a significant cyber incident over a three-year period, your expected loss is around $37,500 over three years, or about $12,500 per year.

Most SMBs spend less than $5,000 per year on cybersecurity. The gap between what they spend and what they should spend is where the risk lives.

You don’t need enterprise-grade security. But you need the basics done properly: MFA on all accounts, regularly patched systems, tested backups, an incident response plan, and staff who understand the threats. That combination typically costs $10,000-$20,000 per year for a 10-20 person business.

Compared to the alternative, it’s a bargain.