Real business loss from cyber attacks now US$861K per security incident

On average, a single cybersecurity incident now costs large businesses US$861,000, while small and medium businesses (SMB) end up paying US$86,500.

Most alarmingly, the cost of recovery significantly increases depending on the time of discovery. SMBs tend to pay 44% more to recover from an attack discovered a week or more after the initial breach, compared to attacks spotted within one day. Enterprises pay a 27% premium in the same circumstances.

These are the main findings of Kaspersky Lab’s report Measuring the Financial Impact of IT Security on Businesses based on the 2016 Corporate IT Security Risks survey.

Estimating the average financial impact of a data breach

Kaspersky Lab asked businesses to divide their recovery cost into several categories, in order to better estimate the overall impact of a security breach, which almost always goes beyond the need to hire additional IT resource. The typical loss for SMBs and enterprises consists of the following expenses:


This is just the average across a range of attack vectors, with some types of attacks costing a business more. Previously unknown ‘zero’ day vulnerabilities – whilst rare – have cost SMBs an estimated US$149,000 and enterprises US$2 million, with targeted attacks resulting in a financial impact of US$143,000 and US$1.7 million respectively.

Budget increases address complexity

In the 2016 survey, Kaspersky Lab, for the first time, compared an organisation’s security budget to losses incurred from serious incidents. Overall, businesses expect IT security budgets to grow at least 14% over the next three years, due to the increased complexity of IT infrastructure.

A typical small business currently spends 18% of their total IT budget on security, whereas enterprises allocate 21%. The research shows a significant disparity between businesses of differing sizes, with annual security budget varying from just US$1000 for very small businesses to more than one million US dollars for large companies.

Cost of recovery: employee overtime and more

To estimate the total cost of recovery, Kaspersky Lab and B2B International asked businesses to report their losses from the most serious security incident in different categories. Although the most frequent cost is for additional staff wages, businesses reported significant spending due to lost business opportunities, improvement in IT security, employing external specialists and hiring new staff.

Enterprises spend US$79,000 on training and US$85,000 on requesting help from external experts –19% of the total loss.


Edited from press release by Cecilia Rehn.