Ransomware Is a $131 Billion Hidden Tax on Main Street

Infonaligy

72% of small businesses were hit by ransomware or fraud last year. A practical budgeting guide for SMB owners and CFOs.


A 116-year-old business nearly closed last year because of a ransomware attack. The owner spent $100,000 on recovery and still almost lost everything. That story, published by Fortune in April, isn’t an outlier. A national survey by the Public Private Strategies Institute found that 72% of American small businesses were hit by fraud, scams, or ransomware in 2025, imposing a collective $131 billion cost on Main Street businesses.

Most of that cost lands on owners who never budgeted for it. Understanding where the money actually goes, and what prevention costs by comparison, is the first step toward keeping a cyber incident from becoming a financial crisis.

That $131 billion doesn’t show up on any tax return. It comes as ransom payments, lost revenue during downtime, forensics bills, legal fees, regulatory fines, and higher insurance premiums. For business owners who haven’t budgeted for cybersecurity, the first invoice often arrives as a ransom note.

The Numbers That Should Change Your Budget

The aggregate figure is staggering, but the per-business numbers are what matter for planning. Here’s what the data shows for companies in the 50 to 500 employee range:

  • Average ransomware downtime: 24 days. That’s 24 days of no orders processed, no invoices sent, no accounting access, and limited or zero customer communication. For a business doing $5 million in annual revenue, 24 days of downtime represents roughly $329,000 in lost revenue alone, before you add recovery costs. (Huntress, 2026 Ransomware Statistics)
  • Average claim severity for companies under $25 million revenue: $422,000. This is the real, documented insurance claim amount, not a projection. (At-Bay, 2024 InsurSec Report)
  • Payment fraud and business email compromise remain top threats. These aren’t exotic attacks. They’re the everyday threats that email security and employee training are designed to stop. The FBI’s Internet Crime Complaint Center consistently ranks BEC among the costliest attack types for businesses of all sizes.

The pattern is consistent: the cost of an incident dwarfs the cost of prevention by a factor of 10 to 100.

Why Cybersecurity Isn’t a Cost Center

CFOs often categorize cybersecurity spending as an overhead cost, similar to office supplies or janitorial services. That framing leads to underinvestment because overhead is the first thing to get cut when margins tighten.

A more accurate model is insurance. You don’t buy property insurance because you expect a fire this quarter. You buy it because the loss would be catastrophic if one happened. Cybersecurity spending follows the same logic: the probability of any single attack succeeding may feel low, but the financial impact is severe enough to threaten the business.

There’s one critical difference, though. Property insurance pays out after the damage is done. Cybersecurity spending actually prevents the damage. A properly configured managed security program with endpoint detection, email filtering, and 24/7 monitoring stops most attacks before they reach your data. That makes it closer to a revenue protection investment than a cost center.

A Practical Budget Framework for 50 to 500 Employee Businesses

The common question from business owners is straightforward: how much should I actually spend? The answer depends on your industry, your compliance requirements, and your risk tolerance, but there are solid benchmarks.

A common benchmark is 7% to 10% of your total IT budget going to cybersecurity. For a 100-person company spending $300,000 annually on IT, that’s $21,000 to $30,000 per year on security, or roughly $1,750 to $2,500 per month.

Here’s what a minimum viable security investment looks like at that scale:

  • Endpoint detection and response (EDR) on every workstation and server. This is the layer that catches ransomware before it encrypts your files. Budget roughly $5 to $10 per endpoint per month.
  • Email security beyond what Microsoft 365 includes by default. Dedicated filtering for phishing, impersonation, and malicious attachments. This is where most attacks start.
  • Multi-factor authentication on every account, especially email, VPN, and admin portals. This is the single cheapest, highest-impact security control available.
  • Security awareness training for all employees, run quarterly at minimum. Your people are the last line of defense, and training significantly reduces phishing click rates.
  • 24/7 monitoring and incident response. Attacks don’t wait for business hours. Having a security operations center watching your environment around the clock is the difference between a contained alert and a full-scale breach.
  • Regular vulnerability assessments to identify gaps before attackers do. A cybersecurity risk assessment gives you a documented baseline of where you stand.

For most businesses in this size range, a comprehensive managed security program that bundles these capabilities runs $3,000 to $5,000 per month. Compare that to the $422,000 average claim or 24 days of downtime, and the math is clear.

The Pay-Now-or-Pay-Later Calculation

Put the numbers side by side:

Scenario                                                  | Cost
----------------------------------------------------------|--------------------------
Managed security program (annual)                         | $36,000 to $60,000
Average ransomware insurance claim                        | $422,000
24 days of downtime (lost revenue for $5M business)       | ~$329,000
Forensics, legal, notification costs                      | $50,000 to $150,000
Cyber insurance premium increase after a claim            | Significant increase

The prevention cost is a fraction of the incident cost. And unlike insurance premiums, which only go up after a claim, security spending actually reduces the probability of needing to file one. Many cyber insurance carriers now require these controls as a condition of coverage anyway. Skip them and your policy may not pay out when you need it most.

Three Steps to Take This Quarter

If your cybersecurity budget is currently zero or “whatever our IT person handles,” here’s where to start:

  1. Get a baseline assessment. You can’t budget for what you don’t measure. A risk assessment identifies your actual gaps, compliance exposure, and the specific threats most relevant to your industry. This gives your CFO real numbers to work with instead of guesses.

  2. Calculate your downtime cost. Take your annual revenue, divide by 365, and multiply by 24. That’s your rough exposure to the average ransomware downtime scenario. Show that number to anyone in your organization who questions the security budget.

  3. Talk to a managed security provider. Building an in-house security team for a 100-person company isn’t realistic. A full-time security analyst costs $90,000 to $130,000 in salary alone, and you need more than one person to provide 24/7 coverage. Outsourcing to a managed security provider gives you a full security operations center, incident response, and ongoing monitoring for a fraction of that cost.

The Fortune article about that 116-year-old business ended with the owner describing the experience as “the worst year of my life.” Every dollar spent on recovery was a dollar that could have gone toward prevention at a tenth of the price. The businesses that avoid those headlines are the ones that treated cybersecurity as a budget line item before they had to treat it as an emergency.

Need Help With Your Cybersecurity Budget?

Our team can help you build a security program that fits your business and your budget.
