CASE FILE // PC-2026-04
Status: Open


Filing 04.01.00 | Field 27 APR 2026 | Classification Public | Status Open

Phishing cost for small business: $3.31M per incident, 60% closure rate

Average breach cost $3.31M for organisations under 500 employees (IBM 2025). The smaller absolute figure is a larger share of typical SMB annual revenue, which is why approximately 60 percent of small businesses close within six months of a serious cyber event.

Exhibit A

The SMB phishing-cost picture in 2026


Phishing cost for organisations with fewer than 500 employees sits at $3.31M average per IBM Cost of a Data Breach 2025. The figure is materially smaller than the cross-sector $4.88M mean but represents a far larger share of typical SMB annual revenue. A mid-sized SMB with $20M annual revenue facing a $3.31M phishing event has lost 16 percent of revenue in a single incident; a Fortune 500 firm with $20B revenue facing a $5M event has lost 0.025 percent. The relative impact is three orders of magnitude different even though the absolute dollar figures are comparable.

The relative-impact difference translates directly into business-survival outcomes. Approximately 60 percent of small businesses that experience a serious cyber incident close within six months, per US Small Business Administration and National Cyber Security Alliance survey data that has been roughly consistent through 2018-2024. The closure drivers are not the IT cost itself but the second-order effects: cash-flow disruption during the recovery window when invoices cannot be issued and payments cannot be processed; customer loss as customers move to competitors during the outage; supplier and vendor loss as terms tighten in response to the disclosed incident; and the absence of capital reserves to fund the recovery work that larger organisations can simply spend through.[IBM 2025 + SBA + National Cyber Security Alliance survey data 2018-2024]

Exhibit B

The MSP-pivot pattern that compounds SMB risk

The single largest source of SMB phishing cost is not direct attacks on individual SMBs; it is compromise of the managed-service providers (MSPs) that serve multiple SMB customers. The pattern is straightforward: most SMBs cannot afford in-house IT and security capability, so they outsource to an MSP that manages IT for a portfolio of small clients. The MSP's tooling typically includes remote-access capability into every client environment. A successful phishing attack against the MSP yields the attacker simultaneous access to every downstream client.

The Kaseya VSA case of July 2021 is the canonical reference. The REvil ransomware affiliate exploited a vulnerability in the Kaseya VSA remote-monitoring-and-management platform (used by hundreds of MSPs) and cascaded ransomware deployment across approximately 1,500 downstream SMB customers in a single weekend. The customers affected included groceries, manufacturers, dental practices, and other typical SMB profiles across multiple countries. Aggregate damage was estimated at hundreds of millions of dollars. The Kaseya incident drove a sustained tightening of MSP-platform security practices and a substantial reset in SMB cyber-insurance pricing.

The MSP-pivot pattern continues to be the largest single-event driver in SMB phishing. Phishing-initiated compromise of MSP credentials, followed by deployment of ransomware or data-exfiltration tooling across the downstream client base, is a recurring pattern in the IC3 and CISA advisories through 2023-2025. The defender implication for the SMB owner is that the controls deployed by the MSP matter more than the controls deployed by the SMB itself, and SMBs should explicitly evaluate MSP cyber-posture (MFA enforcement, EDR deployment, incident-response capability) before signing or renewing an MSP contract.[Kaseya VSA July 2021 + CISA + FBI joint advisories on MSP compromise 2022-2025]

Exhibit C

Cost-line build-up against the $3.31M figure


Cost line                                        Share of $3.31M   Dollar figure   Driver
-----------------------------------------------  ---------------   -------------   ------------------------------------------------------
Cash-flow disruption (invoicing + collections)   26%               $861K           Distinct line for SMB, not captured for larger orgs
Direct wire / ransomware loss                    19%               $629K           BEC wire-loss dominant; ransomware secondary
Incident response + forensics                    16%               $530K           Externally-led, typically retainer-rate
System rebuild + recovery                        12%               $397K           Full-environment rebuild common
Customer / vendor loss                           11%               $364K           Higher proportion than larger orgs
Notification + monitoring                         8%               $265K           Sized to customer base
Legal exposure                                    5%               $166K           Lower than large-org class-action exposure
Insurance-premium increase                        3%                $99K           Multi-year annualised drag

The cash-flow disruption line is the single largest cost category for SMBs and the line that most directly drives the closure-within-six-months statistic. The line is not captured cleanly in IBM's standard methodology for larger organisations because they have working-capital reserves that absorb the disruption.[IBM 2025 SMB sub-cohort + SBA + Hiscox Cyber Readiness Report 2024]

Exhibit D

SMB cyber-insurance pricing as a phishing-cost signal


The SMB cyber-insurance market is the single best external benchmark for SMB phishing-risk pricing because underwriters have direct economic incentive to price the risk accurately. SMB cyber-insurance premiums in 2025-2026 typically run $1,000 to $7,500 per year for $1M of aggregate coverage, depending on industry, geography, claims history, and deployed controls. The substantial premium reductions (sometimes 30 to 50 percent) for documented MFA enforcement, employee awareness training, and an incident-response plan signal the underwriter view of which controls actually move the risk.

Coverage exclusions and sub-limits are universal in SMB cyber policies. BEC and social-engineering coverage is typically carved out as a separate sub-limit of $250K to $500K regardless of the policy's aggregate limit, with strict conditions including dual-authorisation on outbound wires and documented out-of-band confirmation procedures. Ransomware coverage typically has its own sub-limit and may exclude payment of ransom entirely depending on the carrier and the specific policy. War and state-actor exclusions have tightened materially since 2022 in response to the Russia-Ukraine conflict and now create real coverage uncertainty for any incident with possible state-actor attribution.

The practical implication for SMB owners is that cyber insurance is a real but bounded backstop. The premium-reduction signals also serve as a useful proxy for which controls deserve priority investment: any control that reduces premium by more than the control's annual cost is a positive-ROI investment by definition. MFA enforcement is universally the highest-leverage example: a $50-per-user one-time hardware-key purchase plus minimal recurring cost typically yields a $1K-$3K annual premium reduction for SMBs.[Hiscox Cyber Readiness Report 2024 + Coalition + Cowbell SMB cyber-insurance pricing surveys 2024-2025]

Exhibit E

The control stack for SMBs: priority-ranked by per-dollar leverage


#1 MFA on email, accounting, and remote-access

~90% of credential-pivot value
Cost: Free to $50 per user one-time

Most SMBs run Microsoft 365 or Google Workspace, both of which include MFA at no incremental cost. Enabling it is administrator-time work, not capital expenditure. The single highest-leverage SMB control and the most-cited absence in SMB phishing-event post-mortems.

#2 Out-of-band confirmation on banking-detail changes

~65% of BEC wire-loss
Cost: $0 tooling, policy work

Hard rule that any change to a supplier's or customer's payment bank account is verified by a phone call to a contact number already held on file, not one taken from the change request itself. Cheapest, highest-leverage control against the dominant SMB loss pattern (vendor or customer BEC).

#3 MSP cyber-posture due diligence at contract

~50% of MSP-pivot risk
Cost: Procurement-team time

When evaluating or renewing an MSP contract, explicitly evaluate the MSP's cyber-posture: MFA enforcement on MSP staff, EDR deployment, incident-response capability, references on past incident handling. The Kaseya 2021 lesson made this due-diligence step non-optional.

#4 Employee awareness training

~25% of click rate over 12 months
Cost: $2 to $5 per employee per year

Annual phishing-simulation and awareness training. Effective against bulk and lower-sophistication lures; less effective against AI-grade spear phishing. Low cost and produces measurable behaviour change in 18-24 months.

#5 Cyber insurance with appropriate sub-limits

Insurance-recovery of breach costs
Cost: $1,000 to $7,500 per year for $1M coverage

Real but bounded backstop. Review sub-limits for BEC, ransomware, and state-actor exclusions. Premium reductions for MFA and training make insurance + controls a synergistic investment.

#6 Backups with offline restoration capability

~70% of ransomware-recovery cost
Cost: $50 to $300 per month for cloud backup

Tested offline backups break the ransomware payment imperative by enabling recovery without paying. Untested backups are worse than no backups because they create false confidence. Annual restore-test is mandatory.
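What the restore test above actually has to prove is that the data on the backup media can be brought back and matches what was backed up. The script below is an added illustration, not code from the page or from any backup product: it assumes a hypothetical layout in which each backup is a tar.gz archive with a SHA-256 manifest of the source tree recorded at backup time, restores into a scratch directory rather than the live system, recomputes the manifest and compares. The sample data is constructed; the second archive simulates a job that reported success but silently skipped a directory.

```shell
#!/bin/sh
# restore_test.sh: minimal automated restore test for the "tested offline backups" control.
# Added example, not from the page. Hypothetical layout: ARCHIVE (tar.gz) + ARCHIVE.sha256
# (manifest of the source tree written at backup time, kept on separate offline media).
set -eu

# Print "hash  ./relative/path" for every regular file under directory $1, in a fixed order.
manifest_of_tree() {
    (
        cd "$1"
        find . -type f | LC_ALL=C sort | while read -r f; do
            if command -v sha256sum >/dev/null 2>&1; then
                sha256sum "$f"
            else
                shasum -a 256 "$f"   # macOS fallback, same output format
            fi
        done
    )
}

# make_backup SRC ARCHIVE: write ARCHIVE (tar.gz of SRC) and ARCHIVE.sha256 (manifest of SRC).
make_backup() {
    manifest_of_tree "$1" > "$2.sha256"
    tar -czf "$2" -C "$1" .
}

# restore_test ARCHIVE: extract into a scratch directory (never the live tree), recompute the
# manifest and compare it with the one recorded at backup time. Returns 0 on PASS, 1 on FAIL.
restore_test() {
    archive="$1"
    scratch=$(mktemp -d)
    result=1
    # A corrupt or truncated archive counts as a failed test; it must not abort the script.
    if tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        manifest_of_tree "$scratch" > "$scratch.sha256"
        if cmp -s "$scratch.sha256" "$archive.sha256"; then
            result=0
        fi
        rm -f "$scratch.sha256"
    fi
    rm -rf "$scratch"
    if [ "$result" -eq 0 ]; then echo "PASS $archive"; else echo "FAIL $archive"; fi
    return "$result"
}

# demo: constructed sample data, one good backup and one that silently lost a directory
# (the job ran and reported success, but unreadable paths were skipped).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/invoices" "$work/src/customers"
    printf 'INV-0001,2026-04-01,1250.00\n' > "$work/src/invoices/april.csv"
    printf 'ACME Ltd,accounts@example.com\n' > "$work/src/customers/list.csv"

    make_backup "$work/src" "$work/good.tgz"
    # Incomplete archive paired with the full manifest: the restore will lack customers/.
    cp "$work/good.tgz.sha256" "$work/partial.tgz.sha256"
    tar -czf "$work/partial.tgz" -C "$work/src" ./invoices

    restore_test "$work/good.tgz"               # PASS
    restore_test "$work/partial.tgz" || true    # FAIL, as intended
    rm -rf "$work"
}

demo
```

Run it on a schedule against the most recent backup set, on a host isolated from production, and keep the manifest copy used for comparison on the same offline media as the archive; a manifest that lives only on the backed-up host is rewritten by the same ransomware that encrypts the data. A FAIL is the finding the control exists to surface: it means the backup would not have broken the payment imperative when needed.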

Exhibit F

What the NIST SP 1271 and CSF 2.0 SMB guidance actually recommend


NIST SP 1271 (Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide) and the NIST CSF 2.0 Small Business Quick Start Guide (released 2024) are the most-cited federal SMB-oriented cybersecurity guidance documents. Neither imposes regulatory obligations; both are framework documents widely used by cyber-insurance underwriters, state attorneys general, and reasonable-care standard determinations after-the-fact.

The guidance organises around the six CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). For SMB phishing-defence purposes, the practical recommendations cluster around five high-leverage actions: enforce MFA on all systems that support it; train employees on phishing recognition and reporting; implement endpoint protection with active updates; maintain tested backups; and have a written incident-response plan even if it is a single page. The recommendations are deliberately conservative and aimed at making the case to SMB owners that something can be done within realistic SMB budget constraints.

The guidance is increasingly being used as the reasonable-care reference in post-incident legal analysis. Where an SMB has not implemented the basic CSF 2.0 SMB-quick-start controls and subsequently experiences a phishing-driven breach affecting customer or employee data, plaintiffs' attorneys are increasingly citing the SP 1271 baseline in negligence claims. The practical effect is that the NIST guidance is gradually becoming a soft-mandatory baseline through the indirect path of litigation precedent, even though it is not regulation in itself.[NIST SP 1271 + NIST CSF 2.0 Small Business Quick Start Guide 2024]

Exhibit G

Frequently filed questions

What is the cost of a phishing attack for a small business?

$3.31M average per IBM 2025 for organisations under 500 employees. Smaller absolute figure than larger orgs but materially larger share of SMB annual revenue.

What is the 60% closure statistic?

Approximately 60 percent of small businesses that experience a serious cyber incident close within six months. Drivers are cash-flow disruption, customer loss, and absence of capital reserves.

What is the dominant SMB phishing loss vector?

BEC wire-fraud against vendor and customer payments. Compromise of MSP-platform credentials is the largest single-event driver where it occurs.

What is the most important control for an SMB?

MFA on email, accounting, and remote-access systems. Free to $50 per user one-time, ~90% reduction in credential-pivot value. The most-cited absence in post-event analysis.

How much does SMB cyber insurance cost?

$1,000 to $7,500 per year for $1M of aggregate coverage, with 30-50% premium reductions for documented MFA, training, and IR-plan deployment. BEC and ransomware sub-limits are universal.

Is the MSP my biggest cyber-risk surface?

Often, yes. MSP compromise cascades across all downstream client environments. Evaluate the MSP's cyber-posture at contract; the Kaseya 2021 lesson made this due-diligence step non-optional.

Does NIST SP 1271 apply to me?

Not as regulation. As reasonable-care reference in post-incident legal analysis, increasingly yes. The CSF 2.0 SMB Quick Start Guide is becoming a soft-mandatory baseline through litigation precedent.

Updated 2026-04-27