The Real Cost of a Data Breach for Australian Businesses in 2024

The average cost of a data breach in Australia exceeds $4 million. For small businesses the absolute figure is lower — but the proportion of annual revenue it represents is often far more damaging.

By Ryan Balloot, Managing Director · 1 March 2024 · 2 min read

When IBM publishes its Cost of a Data Breach Report the headline figures feel abstract for a business with twenty employees. The reality for Australian small businesses is more nuanced — and in some ways more concerning. While absolute costs are lower, the proportion of annual revenue is often far higher, and the financial resilience to absorb that disruption is typically absent.

Direct Costs

Incident Response and Investigation

Engaging external forensic and incident response specialists is priced by the hour and by complexity. A contained email account compromise might involve days of work. A ransomware incident with lateral movement could involve weeks. Specialist IR engagement at premium rates for an SMB incident typically costs $20,000–$100,000+ depending on scope.

System Restoration and Business Interruption

Restoring systems — or rebuilding them where backups are unavailable — takes days to weeks. Staff cannot work effectively. Customer commitments cannot be met. The opportunity cost of extended downtime is often the largest single component of total incident cost.

Notification and Legal Costs

Legal counsel is needed to assess obligations under the Notifiable Data Breaches (NDB) scheme, manage inquiries from the Office of the Australian Information Commissioner (OAIC), and advise on liability. For a business with thousands of customers, the cost of preparing and sending breach notifications is material. Legal defence in regulatory proceedings is significant.

Prevention vs Response Economics

The annual cost of a properly configured M365 environment with Business Premium licensing, a managed security retainer, and an annual penetration test is a fraction of a single serious incident. Prevention costs are visible and predictable. Incident costs are invisible until they are not.

What does cyber insurance typically cover?

Incident response costs, business interruption, ransom payments, notification costs, and regulatory defence — but with conditions and sub-limits. Read the exclusions carefully. Many claims are partially or fully declined due to failure to maintain specified security controls at the time of incident.
