The Real Cost of a Cyber Incident for a 30-Person SMB: The Calculation Nobody Does

When cybersecurity comes up in conversations with SMB owners, two responses dominate: "We're too small to be a target" and "We can't afford to invest in that." Both statements are wrong, and believing them turns out to be extraordinarily expensive.
A cyber incident in a 30-person business is not a temporary inconvenience. It is a crisis that hits cash flow, reputation, operations, and sometimes the business's very survival simultaneously. The goal of this article is to make that concrete: here is what it actually costs, line by line.
First, What Kind of Incident Are We Talking About?
Not all incidents are equal. A phishing email that gets caught early is not the same as a full ransomware deployment that takes down your entire infrastructure. For the purposes of this calculation, we are working with a realistic mid-severity scenario: a ransomware attack that encrypts the primary server and several workstations, causing 5 to 10 days of significant disruption before operations can resume.
This is not a worst-case scenario. It is a typical one, and it happens every day to businesses exactly like yours.
Cost 1: Lost Productivity — The Invisible Iceberg
The first and most immediately felt cost is the paralysis of your workforce. With 30 employees unable to access their files, tools, or communication systems, you are effectively paying 30 salaries for people who cannot do their jobs.
Take an average fully-loaded cost per employee of €3,500 per month, or roughly €160 per person per working day (about 22 working days in a month). Across 30 employees over 7 days of significant disruption, you are looking at €33,600 in salary costs for work that simply did not happen.
This figure does not account for the fact that key people (your IT contact, your management team, your most senior staff) will be working far longer hours than usual managing the crisis. Multiply their daily cost by two or three during the incident period and the number climbs further.
Estimated productivity loss: €30,000 to €50,000
Cost 2: Technical Recovery — Getting Systems Back Online
Recovering from a ransomware attack is not a matter of running an antivirus scan and restarting your machines. It requires a structured, methodical process that takes time and specialized expertise.
Typical technical recovery work includes forensic analysis to understand the scope of the breach, complete wipe and rebuild of compromised systems, restoration from backups (assuming clean backups exist), security hardening to prevent reinfection, and validation testing before systems go back into production.
If you have a managed IT provider, this work will be billed at emergency rates. If you do not, you will be scrambling to find a specialist who can start immediately, which means paying a premium. A realistic estimate for external technical recovery support for a 30-person business sits between €5,000 and €20,000 depending on the complexity of the environment and the quality of your existing backups.
If no clean backup exists, add the cost of data recovery specialists, which can run €2,000 to €10,000 per device with no guarantee of success.
Estimated technical recovery cost: €8,000 to €30,000
Cost 3: The Ransom — Paying Is Not a Solution
Many SMB owners, faced with total operational paralysis, consider paying the ransom. The logic is understandable: the attacker promises a decryption key, the business gets back online, and life resumes. Reality is more complicated.
Roughly 40% of businesses that pay the ransom do not receive a working decryption key, or receive one that only partially restores their data. Even a working decryptor is slow on large data sets and does nothing about the attacker's foothold: the compromised accounts, backdoors, and vulnerabilities that let them in are still there until a proper rebuild. And because most ransomware groups now copy data out before encrypting it, paying does not undo the data breach; you are relying on a criminal's promise to delete what they stole. Paying also marks you as a target who will pay, increasing the likelihood of future attacks, and it funds the criminal ecosystem that attacked you in the first place.
Ransom demands targeting SMBs typically range from €5,000 to €100,000. The median for businesses in the 20 to 50 employee range sits around €20,000 to €40,000.
Law enforcement agencies across Europe and North America consistently advise against paying. The decision, however, lands on the business owner's desk in the middle of a crisis, which is precisely why attackers structure their demands the way they do.
Potential ransom demand: €20,000 to €50,000 (with no guarantee of recovery)
Cost 4: Revenue Loss — The Business That Didn't Happen
While systems are down, business does not stop needing to happen. Orders go unfulfilled. Invoices go unsent. Customer calls go unanswered. Projects miss deadlines.
For a 30-person SMB generating €3 million in annual revenue, one week of disruption represents approximately €57,000 (one fifty-second of the annual figure) in revenue that either does not materialize or is significantly delayed. For businesses with tighter margins or project-based revenue, the impact is often worse because the work cannot simply be rescheduled without downstream consequences.
Add to this the contracts that may include penalty clauses for late delivery, the prospects who called during the outage and chose a competitor instead, and the clients whose confidence in your reliability has been permanently damaged.
Estimated revenue impact: €20,000 to €80,000
Cost 5: Legal and Regulatory Exposure
Under GDPR, a breach involving personal data must be reported to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people concerned. Ransomware rarely clears that bar: encrypting personal data is a breach of availability under the regulation even if nothing was stolen, and most ransomware operators also exfiltrate data before encrypting it. In practice, then, a ransomware incident almost always triggers the notification obligation, and if affected individuals face a high risk you must inform them as well.
Failure to notify, or a notification that reveals inadequate data protection practices, can result in regulatory fines. For SMBs, these fines are typically proportionate to revenue rather than hitting the headline figures reserved for large corporations, but they are not trivial. First-time violations with demonstrated good faith typically result in warnings or modest fines. Repeated violations or evidence of negligent data handling can approach the statutory maximums of 2% to 4% of annual global turnover.
Beyond regulatory exposure, there is legal liability if client data is compromised and clients suffer demonstrable harm. Legal fees for advice, notification management, and potential litigation add a layer of cost that many SMBs do not anticipate.
Estimated legal and compliance cost: €3,000 to €25,000
Cost 6: Reputational Damage — The Cost You Can't Put on a Spreadsheet
This is the hardest cost to quantify and often the most lasting. A cyber incident becomes known. Clients find out. Prospects hear about it. Key employees start questioning whether they want to work for a company with this level of exposure.
Research consistently shows that a significant percentage of SMBs that suffer a major cyber incident lose at least one major client within the following twelve months. Some never fully recover their market position.
The reputational cost is asymmetric: it accumulates slowly and invisibly until it becomes visible as lost renewals, stalled pipeline, and talent that chose to go elsewhere.
What Reduces the Cost Dramatically
Not every incident plays out at the high end of these estimates. The businesses that come through cyber incidents fastest and cheapest share a common profile:
They had tested, immutable backups. Clean backups that cannot be reached or encrypted by ransomware collapse the technical recovery timeline from weeks to days. This single factor has the largest impact on total incident cost. Both words matter: "immutable" means the backup cannot be deleted or overwritten with the same administrator credentials the attacker has just stolen, so a network share that your domain admin account can write to does not qualify; "tested" means someone has actually restored a server from it and timed how long that took, rather than assuming the job that reports success every night will work under pressure.
They had an incident response plan. Knowing who to call, what to do first, and how to communicate internally and externally in the first 24 hours prevents the chaotic decision-making that multiplies costs.
They had cyber insurance. Policies designed for SMBs can cover ransom negotiation, technical recovery costs, business interruption, and legal fees. Coverage is increasingly tied to demonstrating baseline security hygiene, which means insurers are effectively incentivizing better security practices.
They had a cybersecurity partner monitoring their environment. Catching an intrusion early, before ransomware is deployed, turns a potential disaster into a contained incident. The difference in cost between catching an attacker in week one versus week six of their presence in your network is often the difference between €10,000 and €150,000.
Conclusion: The Question Is Not Whether You Can Afford Cybersecurity
The question is whether you can afford not to have it.
The average SMB owner who reads through this calculation and recognizes their current exposure has two options. Wait and hope the incident never comes, absorbing a cost that, summing the five estimates above and leaving aside the reputational damage, could range from roughly €60,000 to €230,000 when it does. Or invest in prevention now, at a fraction of that cost, and dramatically reduce both the likelihood and the severity of an incident.
Gladiatek works with SMBs to build cybersecurity programs that are proportionate to real business risk, not enterprise budgets. If you want to understand your actual exposure before an incident forces the question, contact us for a free security assessment.