The headline numbers
There is no single definitive figure — costs vary enormously based on the type of attack, how quickly it is detected, what data is involved, and whether adequate defences were in place. But the range of credible UK data points paints a consistent picture for SMEs.
Sources: AMVIA UK SME Cybersecurity Report 2026; PolicyBee citing Hiscox 2024; Gov.UK — Economic Impact of Cyber Attacks, KPMG 2025
The spread between these numbers reflects a genuine difference in scope: the £6,400 AMVIA figure covers all SME incidents including minor ones that were quickly contained. The Hiscox and KPMG figures reflect breaches significant enough to require meaningful response — the kind that keep business owners up at night. Both types happen, and both cost real money.
Why most SMEs underestimate the cost
Research by Sky Business found that UK SMEs yet to experience a cyber attack underestimate the financial impact by almost £85,000 compared to what victims actually report spending. This is not a rounding error — it reflects a fundamental blind spot in how business owners think about the risk before it affects them personally.
[Chart: estimated four-day loss as forecast by businesses that have never been attacked, against the actual four-day loss reported by businesses that have been through an attack]
Source: Sky Business — SMEs Miscalculate the Cost of Cyber Attacks, Censuswide 2024
The gap exists because businesses that haven't been through it tend to think about the obvious, visible costs — fixing the IT, maybe paying a ransom. They rarely account for the full picture: the days of staff unable to work, the clients who don't come back, the insurer who won't pay out, the regulator who wants answers, and the months it takes to rebuild trust.
The real cost breakdown — what you actually pay
A cyber attack generates costs across multiple categories, many of which are invisible until the invoice arrives. These are the main cost areas for UK SMEs:
Incident response and technical recovery
Bringing in specialist support to contain the attack, investigate how it happened, clean affected systems, and restore data from backup. For ransomware incidents, this alone can run to thousands — even if no ransom is paid. If no tested backup exists, data recovery costs escalate sharply.
Business downtime
The cost of staff unable to work, orders that cannot be fulfilled, clients who cannot be served. UK SMEs estimate an average of four days offline following an attack — at an estimated loss of nearly £31,000 per day for those who have been through it. For a business running on thin margins, even two days can be existential.
Ransom payments
The NCSC advises against paying ransoms — payment does not guarantee decryption, funds further attacks, and may create legal exposure. Yet research shows an increasing proportion of SMEs pay when cornered. Ransom demands targeting smaller businesses are typically calibrated to be painful but payable, in the region of £3,000–£10,000, precisely because attackers know large demands get refused.
Legal and regulatory costs
If personal data was involved, ICO notification is mandatory within 72 hours. Depending on the circumstances, this can escalate to formal investigation and fines — up to 4% of global annual turnover under UK GDPR, or £17.5 million for the most serious breaches. Even without an ICO fine, legal advice around notification obligations, contractual liability, and client communication adds cost quickly.
Customer loss and reputational damage
In 2024, Hiscox found that 43% of businesses lost customers following a cyber attack, and 38% reported damaging publicity. For a small business built on trust and repeat custom, this is often the most lasting cost — and the one that does not show up in any immediate calculation. Revenue impact can persist for 12–18 months after the incident.
Insurance premium increases
A business that has made a cyber insurance claim will typically face premium increases of 25–50% at renewal, or stricter conditions. Some policies require completion of remediation work before renewal is offered at all. The attack changes your risk profile in the eyes of underwriters — sometimes permanently.
Security investment post-incident
Most businesses invest significantly more in security after an attack than they would have spent preventing it. The controls that would have cost £2,000–£5,000 to put in place beforehand often cost £10,000–£20,000 to retrofit properly after an incident, alongside the remediation work already paid for.
The closure risk — numbers most owners don't know
A significant proportion of small businesses do not survive a serious cyber attack. Research consistently shows that businesses forced offline for extended periods, or those that lose significant client trust, face closure within months of an incident. Of the SMEs surveyed that had experienced an attack, 100% said they would have to close if forced offline for an extended period — compared to 21% of those who had never been attacked who thought the same. The reality is always worse than the forecast.
Source: Sky Business / Censuswide 2024
The NCSC's own data, published via the Government's independent economic impact research, puts the total annual cost of cybercrime to the UK economy at £14.7 billion — with individual business costs averaging almost £195,000 per significant incident across all sizes. For sectors including financial services, information services, and manufacturing, the average per-incident cost exceeds £300,000.
Source: Gov.UK — Summary of Research on the Economic Impact of Cyber Attacks, KPMG 2025
How the cost unfolds over time
One of the reasons costs are consistently underestimated is that they do not arrive all at once. They accumulate over weeks and months, by which point the business owner's attention has moved on and the full picture is never tallied.
Immediate response costs
Emergency IT support, system isolation, initial forensic investigation. Staff time lost across the business. First decisions about whether to notify the ICO, the bank, and clients. Potential ransom demand received.
Recovery and restoration
System rebuilding, data restoration from backup (if available), new hardware if required, password resets across all accounts. ICO notification filed if applicable. First client communications sent. Insurance claim opened — and insurer's own investigation begins.
Operational and reputational fallout
Lost contracts and delayed projects become apparent. Client attrition begins. Legal and regulatory correspondence continues. Insurance claim progresses — or is disputed. Security improvements commissioned to prevent recurrence.
Long tail of recovery
Revenue rebuilding. Reputation recovery — slower than the damage. Increased insurance premiums at renewal. Ongoing monitoring costs. Staff turnover in some cases, as the incident affects team confidence and culture. Even surviving businesses often need 12–18 months to recover revenue fully.
What makes the cost lower — or survivable
The businesses that recover most effectively from cyber attacks share a small number of characteristics. None of them are expensive or technically complex to put in place beforehand.
- Tested, offsite backups — the single biggest determinant of recovery time and cost. A business that can restore from a clean backup within hours pays a fraction of what a business with no restorable backup faces.
- An incident response plan — knowing who to call, what to isolate, and what to report before it happens cuts response time dramatically. Only 22% of UK businesses have one in place.
- Cyber insurance that will actually pay out — coverage that matches what insurers actually require, verified before the incident rather than during it.
- Cyber Essentials certification — IASME data shows certified businesses make 92% fewer insurance claims. The controls required by CE directly address the vulnerabilities most commonly exploited.
- Staff who know what to report and to whom — early detection cuts cost. A phishing click reported within minutes costs a fraction of one discovered days later.
The prevention maths is straightforward. The NCSC-aligned controls that make up Cyber Essentials cost a few thousand pounds to implement properly for a typical SME. Cyber insurance for an SME with those controls in place costs £1,000–£3,000 per year. A serious incident without either in place can cost £25,000–£195,000 — and that assumes the business survives it.
Want to know where your business actually stands?
A GET-IT Cyber Vitals scan gives you a clear picture of your current exposure — email authentication, breach data, attack surface, and an honest assessment of the controls that would make the biggest difference to your risk profile.
Free. Remote. No site access required. Results same session.