The financial impact of a cyberattack: a realistic look for SMBs

Discover the cost of cyberattacks for SMBs and learn how prevention protects your business against severe financial damage.

You probably wonder whether your business is really a target for cybercriminals. Many SMB owners think not. The reality says otherwise. According to ABN AMRO, one in four Dutch SMBs fell victim to a cyberattack in 2024. The assumption that "there's nothing worth stealing from us" is the most dangerous miscalculation you can make.

The actual cost of such an attack goes well beyond the amount on a ransom invoice. It is an avalanche of direct and hidden costs that can seriously threaten your business continuity. This article is not fearmongering — it is a realistic guide. We break down the total economic burden of a cyberattack, based on concrete figures from the Dutch market. This way you can objectively assess the risks and make an informed decision about prevention.

Direct costs: the immediate financial impact

When an attack hits, the meter starts running immediately. These are the expenses that show up on your balance sheet right away. Average damage per incident ranges from €45,000 to as much as €270,000 according to research. This sum is composed of several elements:

- Forensic investigation: You need to know exactly what happened, which data was stolen, and how the attackers got in. Specialists who investigate this easily charge hundreds of euros per hour.
- System recovery and data recovery: Servers, laptops, and software need to be cleaned or replaced. Retrieving data from backups — if they exist at all — requires specialist knowledge and time.
- Ransom payments: Recovery costs after a ransomware attack have more than doubled in a single year to an average of €1.5 million, according to Awareways. Paying offers no guarantee of getting your data back and funds criminal organizations.
- External experts: You need immediate help from IT security specialists to stop the attack, close the breach, and bring systems back online safely. Their involvement is critical but expensive.

Since 9 out of 10 attacks start by deceiving an employee, strengthening the first line of defense is essential. Phishing attacks are the most common entry point. A simple warning at the moment an employee lands on a fraudulent Microsoft 365 login page can break the start of this costly chain. Our free login protection offers exactly that kind of accessible but critical first defense.

Indirect costs: the hidden drain

The most severe damage is often invisible on the first invoices. These indirect costs creep into your organization and have a lasting effect on your revenue and reputation.

- Revenue loss from downtime: MKB Servicedesk reports that shutting down a business due to a cyberattack can cause an average of €300,000 in initial costs. Every day your systems are down, you cannot process orders, produce, or serve customers.
- Productivity loss: Your employees cannot work and spend their time dealing with the crisis, leading to frustration and stress. Focus shifts entirely away from daily operations.
- Reputation damage and customer loss: Your customers' trust is your greatest asset. A data breach or prolonged unavailability damages that trust. Winning back customers is far more expensive than retaining them. Zicht Adviseurs estimates crisis communication and PR costs alone at €14,000 to €18,000.
- Legal costs and GDPR fines: If personal data has been leaked, you are legally required to report it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Fines can run up to €20 million or 4% of global annual revenue. This is not a theoretical risk; the AP actively issues fines to Dutch companies, including SMBs.

Many of these consequences, especially data breaches and reputation damage, stem from a Microsoft 365 environment that is not optimally configured. Default settings are often insufficient. A solution that continuously improves and automates Microsoft 365 security prevents gaps in your defenses that criminals exploit.

The cost of inaction vs. the value of prevention: an ROI analysis for SMBs

Now that you understand the potential damage, the next question is logical: what does it cost to prevent this? Comparing the cost of doing nothing against the investment in prevention is the core of your business case.

- Cost of doing nothing: Average damage of €45,000 to €270,000 per incident, with outliers that threaten business continuity.
- Cost of prevention: According to Innvolve, annual prevention costs for small organizations range between €2,500 and €10,000.

The return on investment is clear. A relatively small, predictable annual investment can prevent an unpredictable and potentially crippling expense. It is comparable to fire insurance. MKB Servicedesk states that the probability of cybercrime is 1,600 times greater than the probability of fire, yet 34% of business owners are not concerned. This is not a technical decision but a strategic choice for business continuity. Proactive 24/7 monitoring of suspicious behavior is not a luxury but a necessary control layer for businesses that take their risks seriously.

Action plan for SMBs: building cyber resilience

Understanding the risks is the first step. The next step is building a resilient organization. This does not have to be complex or expensive. Start with a solid foundation:

1. Awareness and training: Make sure your employees recognize phishing and other risks. This is the most effective and affordable measure.
2. Access security: Use strong, unique passwords and enable multi-factor authentication (MFA) wherever possible. Criminals no longer break in — they simply log in. Get visibility into who is logging in and block suspicious attempts with a solution specifically designed for active login protection.
3. Updates and backups: Install software updates immediately and maintain regular, tested backups that are disconnected from your network.
4. Automate your defenses: Use smart tools that continuously check and improve your Microsoft 365 environment. This takes repetitive work off your hands and ensures your security is always up to date. This is exactly what we also offer to Managed Service Providers (MSPs) to secure their customers efficiently and effectively.

Frequently asked questions about the cost of cybercrime

Are we too small to be a target?

No. Hackers actually see SMBs as attractive targets. Security is often less professionally managed, and through you they can try to reach larger customers or suppliers in your chain. Your data, from payroll slips to product plans, has monetary value.

What is the first step if I want to improve my security?

Start with the most common threat: phishing. Installing a simple, free tool that warns against fake login pages is already a major step. Our free login protection is designed specifically for this purpose.

Isn't a cyber insurance policy enough?

Cyber insurance is an important financial buffer for when things go wrong, but it does not prevent the attack itself. It covers damage after the fact, but not the operational chaos, customer loss, and reputation damage. In fact, many insurers require that you have taken basic preventive measures to even qualify for a payout.

How much does prevention really cost for a business like ours?

The investment is scalable. For a small business (up to about 25 employees), effective automated solutions often start at a cost comparable to a few mobile phone subscriptions per month. Compare that to tens of thousands of euros in damage, and the choice becomes clear quickly.

Next step: from insight to action

Ignoring cyber risks is no longer a strategy. The numbers show that prevention is not a cost center but a crucial investment in your business continuity and reputation. The key is not to do everything yourself but to deploy smart, automated tools that take work off your hands.

Start strengthening your foundation today. Install our Free Login Protection to immediately close off the most common attack route.

Ready to structurally secure your Microsoft 365 environment? Discover how Attic for Microsoft 365 continuously checks and improves your security, without needing to be an IT expert.
