
What a Cyberattack Really Costs an SMB with 50 Employees

Detailed breakdown of the true cost of a cyberattack for a French SMB: direct costs, indirect costs, hidden costs, and comparison with the cost of prevention.

Thomas Ferreira, 47 min read

On March 14, 2025, a hospital in Rueil-Malmaison reverted to paper-based procedures after a ransomware attack. Eighteen months of reconstruction. A 20% drop in hospital admissions. That same month, the town hall of Thaon-les-Vosges received a ransom demand of several million euros.

These cases make headlines because they affect public services. But the statistical reality lies elsewhere: SMEs and micro-businesses account for 77% of cyberattacks handled by ANSSI (France's national cybersecurity agency) and 40% of ransomware attacks (Panorama de la cybermenace 2025, ANSSI). In 2024, roughly 330,000 attacks targeted French SMBs.

The cost of a cyberattack for an SMB goes far beyond the ransom. It includes business disruption, lost clients, regulatory fines, rising insurance premiums, and team burnout, all compressed into a few weeks. For a 50-employee SMB generating 5 to 10 million euros in annual revenue, the total bill can reach up to 10% of yearly turnover.

This article breaks down, line by line, the true cost of a cyberattack on a company of this size. With figures drawn from verifiable reports, a concrete simulation, and a comparison with the cost of prevention.

The big picture: what the key reports say

Before diving into a specific scenario, let's frame the topic with data published by the organizations that count incidents and measure their consequences.

The IBM Cost of a Data Breach 2025 report

The IBM 2025 report, based on analysis of 600 victim organizations across 17 industries and 16 countries, puts the global average cost of a data breach at $4.44 million, down 9% from 2024, primarily due to automated detection (IBM Cost of a Data Breach 2025).

For small businesses, the report places the range between $120,000 and $1.24 million. These figures cover organizations with 500 or more employees, meaning a 50-person SMB falls below IBM's radar. Unit costs (forensics, notification, customer churn) remain comparable, but data volume and detection time differ.

Two findings from the IBM report deserve particular attention for SMBs:

  • Phishing remains the top initial access vector, involved in 16% of analyzed breaches.
  • The average cost of a ransomware incident reaches $5.08 million, a figure explained by the double hit: operational loss and extortion.

The Verizon Data Breach Investigations Report (DBIR) 2025

The DBIR 2025, which analyzes over 22,000 incidents and 12,000 confirmed breaches across 139 countries, provides specific insight into SMBs (Verizon DBIR 2025):

  • Ransomware is present in 88% of attacks targeting SMBs, compared to 44% across all organizations.
  • 60% of breaches involve human behavior: clicking a phishing link, misconfiguration, sending data to the wrong recipient.
  • The median ransom paid dropped to $115,000, and 64% of victims now refuse to pay, up from 50% two years earlier.

The Hiscox Cyber Readiness Report 2025

The Hiscox 2025 report, built on surveys of 5,750 companies in 8 countries including 1,000 in France, is the most relevant for French SMBs (Hiscox Cyber Readiness Report 2025):

  • 57% of SMEs and micro-businesses experienced at least one cyberattack over the past 12 months.
  • One-third of affected companies faced a fine severe enough to threaten the financial health of the business.
  • 44% suffered financial losses from wire transfer fraud, and 32% report that their employees experienced burnout after the incident.
  • 39% of French companies have no cyber coverage at all.

The CESIN 2025 barometer

The 11th edition of the CESIN (French cybersecurity executives association)-OpinionWay barometer, based on 397 respondents (17% of which are SMBs), confirms a long-term trend: the number of companies hit by a significant attack is declining (40% in 2025, down from 47% in 2024 and 65% in 2019), but 81% of attacked companies report an impact on their operations (Baromètre CESIN 2025).

Phishing, spear phishing, and smishing remain the top attack vector at 55% of cases.

The Cybermalveillance.gouv.fr 2025 barometer

The national cyber maturity barometer for SMEs and micro-businesses, surveying 588 companies with fewer than 250 employees, reveals the gap between awareness and action (Cybermalveillance.gouv.fr (France's national cyber assistance platform), barometer 2025):

  • 80% of SMEs and micro-businesses admit they are not prepared for attacks (49%) or don't know their level of readiness (31%).
  • 65% have no incident response procedure in place.
  • Three-quarters spend less than 2,000 euros per year on cybersecurity.
  • The main barriers cited: lack of knowledge (63%), budget constraints (61%), lack of time (59%).

This last point is the central paradox of this article: the SMBs that spend the least on prevention are the ones that pay the most when an attack hits.

Anatomy of a cyberattack on a 50-person SMB

To make the numbers tangible, let's follow a realistic scenario. This is not a single real case, but a synthesis of dozens of incidents documented by French CERTs and cyber insurance providers.

The company

NetLogis (fictitious name) is a property management software vendor based in the Lyon area. 50 employees, 8 million euros in annual revenue. A part-time IT manager, no dedicated security officer. The infrastructure runs on a local server, Microsoft 365 for email, and a proprietary SaaS application hosted by a cloud provider.

NetLogis's cyber profile matches the majority of French SMBs described in the Cybermalveillance.gouv.fr 2025 barometer: antivirus installed (84% of SMBs), backups in place (78%), firewall active (69%), but no MFA (absent in most SMBs of this size), no structured phishing training, and no incident response procedure (65% of SMEs and micro-businesses have none). The annual cybersecurity budget is roughly 1,800 euros, less than the monthly cloud hosting bill.

Day 0: Friday, 3 PM

An accountant receives an email mimicking a DocuSign notification. The message contains a link to a form requesting her Microsoft 365 credentials. She enters them. The attacker now has access to her mailbox and OneDrive.

This scenario matches the most common attack vector identified by CESIN: targeted phishing. In France, the most effective variant impersonates services used daily (DocuSign, Chronopost, the company's bank). Our guide explains how to recognize a fraudulent email before it is too late.

Day 0 to Day 3: the silence

The attacker stays quiet. He reads emails, identifies financial flows, spots key contacts (management, CFO, major clients). He sets up automatic forwarding rules to silently exfiltrate emails containing "wire transfer," "invoice," or "bank details."

The IBM 2025 report shows an average detection time of 194 days for organizations without automated detection tools. For an SMB with no SOC (Security Operations Center), no EDR (Endpoint Detection and Response), and no monitoring for unusual logins, the compromise goes unnoticed.
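As an added example (not code from the article, and not from the fictitious NetLogis), the check below approaches the forwarding-rule pattern described above from the defender's side: it audits a list of mailbox inbox rules and flags those that forward mail outside the tenant, filter on payment-related keywords, or hide the forwarded copies from the owner. The rule records are constructed for the example; the field names, the tenant domain netlogis.example and the keyword list are assumptions, not the Microsoft 365 export schema.

```python
"""Flag mailbox inbox rules that match the silent-exfiltration pattern.

Added example, not code from the original article. The rule records are
constructed; field names, the tenant domain and the keyword list are
assumptions and not any vendor's export format.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "netlogis.example"   # assumed tenant domain (fictitious company)
# Subject/body conditions an attacker uses to pick out payment-related mail
FINANCE_KEYWORDS = {"wire transfer", "invoice", "bank details", "iban", "rib"}


@dataclass
class InboxRule:
    mailbox: str                      # owner of the rule
    name: str                         # rule name as shown to the user
    forward_to: list[str] = field(default_factory=list)
    keywords: list[str] = field(default_factory=list)   # "contains" conditions
    delete_message: bool = False      # delete after forwarding
    mark_as_read: bool = False        # mark as read after forwarding


def is_external(address: str) -> bool:
    """True when the recipient is outside the tenant."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def assess_rule(rule: InboxRule) -> list[str]:
    """Return the reasons a rule looks like exfiltration (empty list = benign).

    Rules that only move or flag mail are ignored: exfiltration needs a
    forward target. Each extra trait is a separate reason so the reviewer
    sees why a rule was flagged.
    """
    if not rule.forward_to:
        return []
    reasons = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    hits = [k for k in rule.keywords if k.lower() in FINANCE_KEYWORDS]
    if hits:
        reasons.append("filters on finance keywords: " + ", ".join(hits))
    if rule.delete_message or rule.mark_as_read:
        reasons.append("hides forwarded copies from the mailbox owner")
    if rule.name.strip(" .,-_") == "":
        reasons.append("blank or punctuation-only rule name")
    return reasons


def audit(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map 'mailbox/rule name' to its reasons, for flagged rules only."""
    report = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            report[f"{rule.mailbox}/{rule.name}"] = reasons
    return report


# Constructed sample: one legitimate delegation rule, one rule planted in the
# accountant's mailbox as in the scenario above, one harmless filing rule.
SAMPLE_RULES = [
    InboxRule("m.dupont@netlogis.example", "Cover during leave",
              forward_to=["j.martin@netlogis.example"]),
    InboxRule("m.dupont@netlogis.example", ".",
              forward_to=["acct.review@mail-drop.example.net"],
              keywords=["Wire transfer", "invoice", "bank details"],
              delete_message=True),
    InboxRule("c.bernard@netlogis.example", "File supplier invoices",
              keywords=["invoice"]),
]

if __name__ == "__main__":
    for key, reasons in audit(SAMPLE_RULES).items():
        print(key)
        for r in reasons:
            print("  -", r)
```

Run on a scheduled export of all mailbox rules, a check like this turns a four-day silent window into a same-day alert; it is a cheap complement to MFA on the accounts, which would have stopped the credential reuse in the first place.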

Day 4: Monday morning

From the accountant's mailbox, the attacker sends an email to the CFO with a modified invoice from a real supplier, accompanied by altered bank details. The amount: 23,500 euros. The invoice is credible: the supplier is known, the amount is typical, and the email comes from the accountant's internal address.

In parallel, the attacker uses the stolen credentials to access the company VPN and starts mapping the internal network.

Day 7: the ransomware

The following Sunday, at 3 AM, the ransomware executes. The production server files are encrypted. The backups on the local NAS, accessible from the network, are also encrypted. The cloud backup exists but hasn't been tested in eight months.

Early that morning, the IT manager discovers the ransom message: 4 bitcoins, roughly 180,000 euros at the current exchange rate.

Day 8 to Day 14: the crisis

Operations are shut down. The 50 employees can no longer work normally. The client application is offline. The phone system no longer works because it was hosted as VoIP on the compromised infrastructure.

The CEO calls the insurer (whose policy covers professional liability but includes no cyber guarantee), the IT provider (who has no forensics expertise), then a specialized incident response firm found in a rush.

The "crisis" rate of an incident response firm: between 1,200 and 1,500 euros per day per consultant. Two are needed for ten days.

Day 15 to Day 45: the reconstruction

The cloud backup is partially usable. It restores 70% of the data, but the remaining 30%, including client contracts and the last quarter's accounting records, are lost. Rebuilding the information system takes five weeks.

During this time, the company runs in degraded mode. The sales team loses two major deals because prospects can't get a product demo. Three existing clients, worried about the security of their property data, demand written guarantees, and two terminate their contracts.

Day 46 and beyond: the long-term consequences

The GDPR requires notification to the CNIL (France's data protection authority) within 72 hours of discovering the personal data breach. The company missed this deadline by two days. Notifying affected individuals (tenants and property owners whose data was in the system) costs money in postage, outsourced helplines, and management time.

The insurer refuses to renew the professional liability policy on the same terms. The premium rises by 40%.

The executive committee must decide: invest 45,000 euros in a serious cybersecurity program (the one it had rejected eight months earlier as "too expensive") or risk a second incident. The CEO discovers that the cyber insurance he wanted to buy now requires proof of prior security measures: measures he hasn't yet deployed. A vicious circle.

Three months after the incident, the accountant who clicked the phishing link still feels guilty. No one explained to her that the fault lay not with her, but with the lack of training and MFA. The mood in the open-plan office has deteriorated. Two employees mention the incident in their annual reviews as a source of stress.

Six months later, the IT manager resigns from exhaustion. It will take four months to find a replacement: the cybersecurity job market is tight, and a 50-person SMB in a regional area is not candidates' first choice. During this period, IT management relies on an external contractor billed at 900 euros per day, two days per week.

Real cases in France: what SMBs have experienced

The scenario above is fictitious in its details, but every element comes from documented cases. Here is what official figures tell us about real incidents that occurred in France.

The CEO fraud that cost 450,000 euros

In 2024, an industrial SMB in the Nantes region (65 employees, mechanical components manufacturing) suffered a Business Email Compromise (BEC) attack. An attacker accessed the sales director's email account for two weeks without being detected. During that time, he studied exchanges with suppliers and clients, identified regular payment flows, and forged three fake invoices with altered bank details.

By the time the fraud was identified, when the actual supplier followed up on a missed payment, 450,000 euros had been wired to foreign accounts. The bank managed to recall only 85,000 euros. The balance, 365,000 euros, represented four months of cash reserves.

This type of BEC fraud accounts for 44% of financial losses reported by SMBs in the Hiscox Cyber Readiness Report 2025. The cognitive biases exploited by phishing explain why even experienced employees fall for these attacks. The FBI estimates global BEC losses at $2.9 billion in 2023 (IC3 Internet Crime Report).

The ransomware that paralyzed an automotive subcontractor

A 48-employee automotive parts supplier in eastern France was hit by ransomware in September 2024. The attack encrypted production servers (ERP, CAD, technical documentation) and network backups. The ransom demand: 280,000 euros in bitcoin.

The company had no offline backup. The disaster recovery plan (DRP) had never been tested. The local IT provider lacked the forensic skills to analyze the incident.

Result: 12 days of complete production shutdown, followed by 6 weeks in degraded mode. The main OEM client (an automotive manufacturer) triggered the penalty clause for non-delivery: 1,500 euros per day of delay per order. A second client transferred its orders to a competitor during the downtime and never came back.

The company ultimately paid the ransom (180,000 euros after negotiation), recovered 85% of its data, and spent an additional 65,000 euros on IT reconstruction and forensics. The total cost estimated by the CEO: between 700,000 and 900,000 euros, counting lost revenue over the following six months.

Hospitals: a magnifying glass for SMB vulnerabilities

Cyberattacks on French hospitals are documented because they affect public services and are subject to official communications. They illustrate dynamics identical to those of SMBs, at a larger scale.

The Cour des comptes (France's national audit office), in a January 2025 report, warned about the fragility of hospital IT systems: 30 hospitals fell victim to ransomware in 2022 and 2023. In 2024, the hospital of Armentieres (Nord) in February and the CHU of Cannes in April were hit.

The Centre hospitalier Stell in Rueil-Malmaison, struck in March 2025, reverted to paper-based procedures for several weeks. The private hospital of La Loire (Saint-Etienne), attacked in July 2025, had 126,000 patients' data stolen.

The Cour des comptes' findings echo the Cybermalveillance.gouv.fr barometer for SMBs: 70% of successful cyberattacks on hospitals stem from human error (weak passwords, lack of awareness training, poor access management). The same causes produce the same effects in SMBs.

What these cases have in common

Real-world incidents follow a repetitive pattern:

  1. The entry point is human: phishing, credential compromise, social engineering. Technical solutions (firewalls, antivirus) are bypassed because the attack exploits trust, not a technical vulnerability. New phishing forms (quishing, vishing, smishing) multiply the entry vectors.

  2. Detection comes late: several days to several weeks. The IBM 2025 report documents an average detection time of 194 days for organizations without automated detection.

  3. Backups don't work as expected: either they are accessible from the compromised network (and therefore encrypted), or they were never tested (and the restore fails), or they are too old (and recent data is lost).

  4. Without a response plan, an incident becomes a crisis: when nobody knows who to call, how to isolate systems, or how to communicate with clients, every lost hour costs money and credibility. Establishing a phishing response protocol is the first step.

  5. The consequences last months, not days: technical reconstruction is the visible part. The loss of client trust, team exhaustion, and cash flow impact extend well beyond.
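Point 3 above and the NetLogis scenario (a NAS reachable from the network, a cloud backup untested for eight months) describe three ways a backup fails when it is needed. As an added example, not code from the article or from any backup product, the check below evaluates a backup inventory against those three failure modes and reports which copies could actually be relied on. The inventory is constructed; the age thresholds are assumptions chosen for the example, and the third, offline copy is hypothetical (NetLogis had none) and is there to show a passing case.

```python
"""Check a backup inventory against the three failure modes listed above.

Added example, not code from the original article. The backup records are
constructed; the thresholds are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_BACKUP_AGE = timedelta(days=1)     # assumed RPO: at most one day of data lost
MAX_TEST_AGE = timedelta(days=90)      # assumed policy: a restore drill each quarter


@dataclass
class BackupSet:
    name: str
    reachable_from_lan: bool           # writable from the production network?
    immutable: bool                    # object lock / WORM / offline media
    last_backup: date
    last_restore_test: Optional[date]  # None = never tested


def assess(bs: BackupSet, today: date) -> list[str]:
    """Return the reasons this copy may fail when needed (empty = usable)."""
    issues = []
    # Failure mode 1: reachable from the compromised network and rewritable,
    # so the ransomware encrypts it along with production data
    if bs.reachable_from_lan and not bs.immutable:
        issues.append("reachable from the production network and not immutable")
    # Failure mode 3: too old, recent data would be lost
    backup_age = today - bs.last_backup
    if backup_age > MAX_BACKUP_AGE:
        issues.append(f"last backup is {backup_age.days} days old")
    # Failure mode 2: never tested, or tested too long ago to trust the restore
    if bs.last_restore_test is None:
        issues.append("never restore-tested")
    else:
        test_age = today - bs.last_restore_test
        if test_age > MAX_TEST_AGE:
            issues.append(f"last restore test was {test_age.days} days ago")
    return issues


def usable_copies(sets: list[BackupSet], today: date) -> list[str]:
    """Names of the copies with no issues; empty means there is no safety net."""
    return [b.name for b in sets if not assess(b, today)]


# Constructed inventory on the day of the attack: the two copies from the
# scenario plus a hypothetical offline copy to show what "usable" looks like.
TODAY = date(2025, 3, 16)
INVENTORY = [
    BackupSet("local NAS", reachable_from_lan=True, immutable=False,
              last_backup=date(2025, 3, 15), last_restore_test=date(2025, 1, 10)),
    BackupSet("cloud backup", reachable_from_lan=False, immutable=True,
              last_backup=date(2025, 3, 15), last_restore_test=date(2024, 7, 15)),
    BackupSet("offline tape (hypothetical)", reachable_from_lan=False, immutable=True,
              last_backup=date(2025, 3, 15), last_restore_test=date(2025, 2, 20)),
]

if __name__ == "__main__":
    for b in INVENTORY:
        print(b.name, "->", assess(b, TODAY) or ["ok"])
    print("usable:", usable_copies(INVENTORY, TODAY))
```

With only the two copies NetLogis actually had, `usable_copies` returns nothing: the NAS fails on reachability, the cloud copy on the untested restore. Wiring a check like this into a monthly report is what turns "backups in place (78%)" into a backup that works on day 7.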


Direct costs: the visible bill

Direct costs are the expenses incurred to contain the incident, understand what happened, and get the business back on its feet.

Incident response and forensics

The first expense is bringing in a specialized provider. The daily rate of a senior incident response consultant ranges from 950 to 1,500 euros depending on the region and urgency. In crisis situations (weekends, response within 24 hours), the rate can double.

For a 50-employee SMB, a ransomware incident typically requires two consultants for 8 to 12 days: a forensic analyst to determine the intrusion vector and the extent of the compromise, and a systems engineer to rebuild the infrastructure.

Estimated cost: 18,000 to 36,000 euros.

Information system reconstruction

Replacing compromised hardware (servers, potentially infected workstations), reinstalling operating systems, restoring data from backups, and reconfiguring business applications represent a project spanning several weeks.

For an SMB with one local server, 50 workstations, and a proprietary SaaS application, the reconstruction cost ranges from 15,000 to 45,000 euros in services and licenses, depending on the state of backups and the number of servers to rebuild.

Estimated cost: 20,000 to 45,000 euros.

Legal counsel

Engaging a lawyer specializing in digital law is necessary for the CNIL (France's data protection authority) notification, assessment of contractual obligations to clients, and handling potential lawsuits. Hourly rates for a cyber-specialized lawyer range from 250 to 500 euros (excluding VAT).

Estimated cost: 5,000 to 15,000 euros.

Regulatory notification (GDPR)

The GDPR requires notification to the CNIL (France's data protection authority) and, if the risk to affected individuals is high, individual notification to every person whose data was compromised. The unit notification cost is estimated at roughly 7 euros per person (letter design, mailing, helpline setup).

For an SMB managing the data of 2,000 to 5,000 people (clients, suppliers, employees), notification costs 14,000 to 35,000 euros.

In cases of serious GDPR non-compliance, the CNIL can impose a fine of up to 4% of global annual revenue or 20 million euros. For a 50-employee SMB, fines issued by the CNIL in recent years have generally ranged from 10,000 to 150,000 euros.

Estimated cost (notification only): 14,000 to 35,000 euros.

Ransom

ANSSI and Cybermalveillance.gouv.fr strongly advise against paying ransoms. Paying does not guarantee data recovery, funds the criminal network, and exposes the company to further attacks, since attackers then know the company will pay.

The median ransom observed by the Verizon DBIR 2025 is $115,000 (roughly 105,000 euros). The report notes that 64% of victims now refuse to pay, up from 50% two years earlier.

Estimated cost (if paid): 50,000 to 200,000 euros. If not paid: 0 euros, but loss of any data not backed up.

Direct costs summary

Item | Low estimate | High estimate
Incident response / forensics | 18,000 euros | 36,000 euros
IT system reconstruction | 20,000 euros | 45,000 euros
Legal counsel | 5,000 euros | 15,000 euros
GDPR notification | 14,000 euros | 35,000 euros
Ransom (if paid) | 50,000 euros | 200,000 euros
Total direct costs | 57,000 euros (no ransom) | 331,000 euros (with ransom)

Indirect costs: the invisible but very real bill

Indirect costs often exceed direct costs. These are the revenue losses, the clients who leave, and the contracts that never materialize.

Business disruption

This is the heaviest line item. A cyberattack can halt operations for 3 to 7 weeks on average for an SMB, according to data compiled by CriseHelp.fr and confirmed by French CERT post-incident reviews.

Let's calculate the impact for our 50-employee SMB with 8 million euros in annual revenue:

  • Daily revenue: 8,000,000 euros / 220 working days = 36,360 euros per day
  • Full shutdown (days 8 to 14): 7 days x 36,360 euros = 254,500 euros
  • Degraded operations (days 15 to 45): 30 days x 36,360 euros x 40% loss = 436,300 euros
  • Total estimated revenue loss: 690,000 euros

Of course, lost revenue does not translate entirely into net loss. Fixed costs keep running (salaries, rent, subscriptions), while some business can be recovered after operations resume. The net margin impact typically falls between 30% and 50% of gross revenue loss, meaning 207,000 to 345,000 euros.

Loss of existing clients

The Hiscox Cyber Readiness Report 2025 indicates that 29% of attacked companies struggle to attract new clients and that 30% experience a decline in their performance metrics.

For a B2B services SMB, losing a client means losing their annual recurring revenue. If two clients terminate (out of a portfolio of 80, that's a 2.5% churn rate), the shortfall is significant.

Estimated cost: 80,000 to 200,000 euros in lost recurring revenue.

Contractual penalties

IT services contracts often include SLA (Service Level Agreement) clauses with penalties for extended downtime. For a SaaS software vendor, five weeks of disruption can trigger penalties in the range of 5 to 15% of the annual value of affected contracts.

Estimated cost: 15,000 to 60,000 euros.

Lost prospects and business opportunities

Deals in progress are frozen or lost. Responses to requests for proposals can't be submitted. Product demos are impossible. This cost is the hardest to quantify but it is real.

Estimated cost: 50,000 to 150,000 euros in lost business opportunities.

Indirect costs summary

Item | Low estimate | High estimate
Business disruption (margin impact) | 207,000 euros | 345,000 euros
Loss of existing clients | 80,000 euros | 200,000 euros
Contractual penalties | 15,000 euros | 60,000 euros
Lost business opportunities | 50,000 euros | 150,000 euros
Total indirect costs | 352,000 euros | 755,000 euros


Hidden costs: what nobody quantifies in the reports

Beyond direct and indirect costs, there is a third category: costs that surface in the months and years following the incident, that appear on no invoice, and that no report precisely quantifies.

Rising insurance premiums

The cyber insurance market in France is rapidly maturing. According to the LUCY report by AMRAE (French risk management association), premiums for SMBs with fewer than 50 employees range from 1,000 to 5,000 euros per year for 1 to 5 million euros in coverage.

After a claim, premiums increase by 30 to 100% at renewal. Some insurers simply refuse to renew altogether.

The annual insurance surcharge after an incident runs between 2,000 and 10,000 euros, multiplied by the 3 to 5 years needed to regain a favorable claims history.

Estimated cost over 3 years: 6,000 to 30,000 euros.

Cost of management time diverted

For 4 to 8 weeks, the CEO and key executives devote 60 to 80% of their time to crisis management instead of growing the business. Meetings with the incident response firm, client communications, managing team stress, financial trade-offs.

If we value the time of the CEO and two executives at 150,000 euros in annual loaded cost each, 6 weeks at 70% represents roughly 36,000 euros in management time diverted from productive work.

Estimated cost: 25,000 to 45,000 euros.

Turnover and recruitment

The Hiscox 2025 study reveals that 32% of companies report their employees experienced burnout after a cyberattack. The IT manager, first in line during the crisis, is particularly exposed.

The replacement cost of a skilled employee (recruitment, training, onboarding period) is estimated at 6 to 9 months of salary. For an IT manager earning 55,000 euros gross annually, that comes to 27,000 to 41,000 euros.

Estimated cost: 27,000 to 41,000 euros (for one departure).

Reputation damage

The effect on reputation is the most insidious because it is diffuse and lasting. Clients don't say "I'm leaving because you were hacked." They simply don't renew. They don't refer others. They choose a competitor.

The CESIN 2025 barometer shows that 26% of companies suffer media impact after a cyberattack. For a B2B SMB, media impact is less severe than for a consumer brand, but word-of-mouth within an industry can be devastating.

Estimated cost: difficult to quantify, but potentially 50,000 to 200,000 euros in lost revenue over 12 to 24 months.

Opportunity cost

While the company rebuilds its IT systems and regains client trust, competitors keep moving forward. A 3-month delay in a product roadmap means a competitor captures the market. A missed trade show means a year of lost visibility.

Estimated cost: impossible to quantify precisely, but real.

Hidden costs summary

Item | Low estimate | High estimate
Rising insurance premiums (3 years) | 6,000 euros | 30,000 euros
Diverted management time | 25,000 euros | 45,000 euros
Turnover / replacement | 27,000 euros | 41,000 euros
Reputation damage | 50,000 euros | 200,000 euros
Total hidden costs | 108,000 euros | 316,000 euros

Detailed calculation: the true price for a 50-person SMB

Let's consolidate all line items to arrive at the total bill.

Optimistic scenario

The attack is detected quickly, backups work, the company does not pay the ransom, GDPR notification is handled properly, and no major client terminates.

Category | Amount
Direct costs (no ransom) | 57,000 euros
Indirect costs | 352,000 euros
Hidden costs | 108,000 euros
Total optimistic scenario | 517,000 euros

Median scenario

The attack goes unnoticed for several days, backups are partially usable, two clients terminate, and operations are disrupted for 5 weeks.

Category | Amount
Direct costs (no ransom) | 120,000 euros
Indirect costs | 550,000 euros
Hidden costs | 200,000 euros
Total median scenario | 870,000 euros

Pessimistic scenario

Backups are encrypted, the company pays the ransom, the full shutdown lasts 3 weeks, degraded operations last 6 weeks, the CNIL opens an investigation, and several clients leave.

Category | Amount
Direct costs (with ransom) | 331,000 euros
Indirect costs | 755,000 euros
Hidden costs | 316,000 euros
Total pessimistic scenario | 1,402,000 euros

What these numbers mean

For an SMB with 8 million euros in annual revenue:

  • Optimistic scenario: 6.5% of annual revenue
  • Median scenario: 10.9% of annual revenue
  • Pessimistic scenario: 17.5% of annual revenue

The Groupama study from July 2025 confirms this order of magnitude, estimating the average cost of a successful attack at 466,000 euros for an SME or micro-business, or 5 to 10% of annual revenue.

SMB victims face prolonged financial risk. The Hiscox Cyber Readiness Report 2025 indicates that one-third of affected companies suffered an impact severe enough to threaten their financial health.


Comparison: cost of prevention vs. cost of an incident

If the median scenario costs 870,000 euros, how much does prevention cost?

Annual cybersecurity budget for a 50-person SMB

Line item | Estimated annual cost
Next-generation firewall (NGFW) | 3,000 to 6,000 euros
EDR / managed antivirus (50 endpoints) | 4,000 to 8,000 euros
Multi-factor authentication (MFA) | 1,500 to 3,000 euros
Offsite, tested backups | 3,000 to 6,000 euros
Phishing awareness platform | 2,000 to 4,000 euros
Annual security audit | 5,000 to 10,000 euros
Cyber insurance | 2,000 to 5,000 euros
Total annual prevention | 20,500 to 42,000 euros

The cost-benefit ratio

The prevention budget represents 2.4 to 5.3% of the median incident cost (870,000 euros). In other words, a full year of prevention costs less than two weeks of business disruption.

Put differently: the monthly cost of a phishing awareness platform for 50 employees (roughly 150 to 350 euros per month) amounts to barely 10 minutes of lost revenue during a full shutdown.

The Ponemon Institute 2024 study, cited by IBM, shows that organizations deploying security automation (automated threat detection, continuous employee training) reduce the average cost of a breach by $1.76 million compared to those that do not.

Data from the Verizon DBIR 2025 confirms the effectiveness of awareness training: organizations that invest in regular training programs see a 4x improvement in the reporting rate of phishing emails by their employees.

What the prevention budget doesn't show

The true benefit of prevention goes beyond financial risk reduction:

  • Access to cyber insurance: insurers now require technical prerequisites (MFA, backups, awareness training). Without these measures, cyber insurance is either denied or the exclusions render the policy useless. According to a CLUSIF report from April 2025, 72% of SMBs believe they are covered, but only 39% actually are under current technical criteria.

  • NIS2 compliance: the European NIS2 directive, transposed into French law, requires companies in regulated sectors to meet security obligations including employee training. Non-compliance can result in fines of up to 10 million euros or 2% of global revenue. To understand the requirements: NIS2 guide for SMBs.

  • Competitive advantage: in B2B procurement processes, an increasing number of large clients require cybersecurity compliance certificates. An SMB that can demonstrate it trains its employees and tests its resilience gains a measurable competitive edge.

  • Reducing the supply chain attack surface: the DBIR 2025 documents a doubling of third-party-related incidents (from 15% to 30% in one year). Your large clients are asking for cybersecurity guarantees because a breach at your company compromises their own security. An SMB that invests in cybersecurity protects its business relationships as much as its systems.

  • Access to public sector contracts: local governments and public agencies are increasingly including cybersecurity criteria in their specifications. The CaRE program (Cyberacceleration and Resilience for Healthcare Facilities), backed by 750 million euros over five years for the healthcare sector, imposes security requirements on healthcare facility contractors. For SMBs working with the public sector, cybersecurity compliance is becoming a market access requirement.

The awareness training learning curve

A point often underestimated in ROI calculations: the effectiveness of awareness training improves over time. Initial phishing simulation campaigns typically reveal a click rate of 20 to 35%: meaning one in three to five employees clicks the malicious link on the first test.

After 6 months of regular simulations (one per month) with automated micro-training modules, the click rate drops to between 5 and 10%. After 12 months, it stabilizes below 5%. These figures, documented by leading awareness platform vendors and confirmed by CESIN (French cybersecurity executives association) barometer data, show that investment in training produces measurable and lasting results.

The impact of awareness training goes beyond reducing click rates. Trained employees develop a reporting reflex: instead of clicking silently (or deleting the email and hoping no one notices), they forward the suspicious email to the IT team. This reflex accelerates the detection of real attack attempts.

For a 50-person SMB, the difference between an employee who clicks and an employee who reports can be measured in hundreds of thousands of euros: it is the difference between the scenario in this article and a phishing email detected and neutralized in minutes.

The true cost of doing nothing

The Cybermalveillance.gouv.fr 2025 barometer shows that three-quarters of SMEs and micro-businesses spend less than 2,000 euros per year on cybersecurity. Let's compare:

Approach | Annual cost | Residual risk
No specific security measures | 0 euros | Maximum exposure: 57% probability of being attacked (Hiscox 2025), median cost of 870,000 euros
Minimal measures (antivirus + firewall) | 3,000 to 5,000 euros | Partial reduction: blocks automated attacks but not targeted phishing or ransomware
Full program (MFA + backups + awareness training + audit + insurance) | 20,500 to 42,000 euros | Major reduction: residual risk remains but incident cost is divided by 3 to 5

The difference between "minimal measures" and "full program" is roughly 17,000 to 37,000 euros per year. That is the price of two days of business disruption for a company with 8 million euros in revenue. The math speaks for itself.

To go further on the return on investment of awareness training: ROI of cybersecurity awareness: how to convince your leadership.

Does cyber insurance cover everything?

The short answer: no. And the long answer is even less reassuring.

What a standard cyber insurance policy covers

A cyber insurance policy for SMBs typically covers:

  • Incident response costs: forensics, legal counsel, notification
  • Business interruption losses related to operational downtime
  • Third-party liability in case of a data breach affecting others
  • Crisis management costs: communications, helpline, credit monitoring for affected individuals

What insurance does not cover

Exclusions are numerous and often misunderstood by business leaders:

  • Regulatory fines (CNIL, GDPR) are not insurable under French law: they are punitive sanctions.
  • Ransoms are covered by some French insurers since 2023, but only if the company files a police report within 72 hours (LOPMI, French law on digital security). Several insurers exclude them regardless.
  • Pre-existing damages: if the compromise existed before the policy was taken out, the insurer can deny the claim.
  • Proven negligence: no MFA, no backups, or default passwords are all grounds for claim denial.

Insurer prerequisites in 2025

According to MaSolutionIT, insurers now require a non-negotiable list of prerequisites to grant coverage:

  • Multi-factor authentication on all remote access points
  • Offline or immutable backups, regularly tested
  • EDR or managed antivirus on all endpoints
  • Employee phishing awareness training
  • Documented incident response plan

Without these elements, the policy contains exclusion clauses that render it useless at the moment the company needs it most.

The numbers

  • Only 1.2% of French SMBs have cyber insurance (LUCY report, AMRAE (French risk management association)).
  • The average deductible for an SMB is around 15,000 euros: down from previous years, but high enough that small incidents remain entirely at the company's expense.
  • Typical coverage caps out between 1 and 5 million euros: sufficient for the optimistic scenario, but potentially inadequate for the pessimistic scenario when combining business interruption losses and third-party liability.

The underinsurance trap

The AMRAE (French risk management association) LUCY report for 2025 reveals a paradoxical dynamic: premiums are declining and insurers are opening up to the SMB segment, but underwriting requirements are tightening. The French cyber insurance market is maturing, meaning insurers have learned from their early years of losses and now select their risks with precision.

For a 50-person SMB, the annual premium runs around 2,000 to 5,000 euros: a reasonable amount. But the question is not how much the policy costs, it's what it actually covers. Two figures sum up the problem:

  • 72% of SMBs believe they are covered in the event of an attack (CLUSIF report, April 2025).
  • 39% actually are under the technical criteria required by insurers.

The gap between these two figures, 33 percentage points, represents the companies that will discover at the time of the incident that their policy contains an exclusion they hadn't identified. The formula is simple: no MFA + no tested backups = coverage exclusion. The insurer fulfilled its disclosure obligation in the policy's special conditions. The company didn't read the 47 pages.

Cyber insurance is a safety net, not a substitute for prevention. And this net has holes.

To learn more about the link between employee training and insurance coverage: Cyber insurance: training proof as a coverage lever.

5 measures to reduce your exposure this week

The question is not whether your SMB will be targeted by a phishing attempt: it probably already has been. The question is whether that attempt will succeed, and if so, how much it will cost.

Here are five concrete actions, ranked by impact and ease of implementation.

1. Enable multi-factor authentication everywhere

The use of compromised credentials remains the leading access vector in 22% of breaches analyzed by the Verizon DBIR 2025. MFA blocks the vast majority of these attempts.

Action: enable MFA on Microsoft 365, the VPN, cloud tools, and administrator access to all your systems. Prefer authenticator apps (Microsoft Authenticator, Google Authenticator) over SMS, which the DBIR 2025 documents as bypassable at scale. Configuring SPF, DKIM, and DMARC also strengthens your email security.

Cost: 1,500 to 3,000 euros per year for a centralized solution. Free if you use the built-in MFA features in Microsoft 365 or Google Workspace.

Timeline: deployment in one week.

2. Test your backups: not next week, tomorrow

Having backups is useless if they don't work or are accessible from the compromised network. The difference between the optimistic scenario (517,000 euros) and the pessimistic scenario (1,402,000 euros) largely comes down to backup quality.

Action: verify that your backups are offsite (outside the local network), immutable (unmodifiable for a defined period), and tested (actual restoration of a data set). The "3-2-1" rule remains the standard: 3 copies, 2 different media, 1 offsite.

Cost: 3,000 to 6,000 euros per year for an immutable cloud backup solution.

Timeline: a restore test takes half a day.
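The restore test described in the action above, as an added example that is not code from the article: it backs up a constructed two-file dataset with a SHA-256 manifest, restores it into a scratch directory, verifies every file against the manifest, and then shows the same check catching a restored file that was damaged. Paths and sample data are constructed; a real test restores the offsite copy onto an isolated host.

```python
# Restore test for a backup set: added example, not code from the article. It backs up a
# constructed dataset with a SHA-256 manifest, restores it, and checks every file.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src; store and return a {relpath: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest))
    return manifest

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Report manifest entries that are missing or whose hash differs after restore."""
    missing = [rel for rel in manifest if not (restored / rel).is_file()]
    corrupt = [rel for rel in manifest
               if rel not in missing and sha256_file(restored / rel) != manifest[rel]]
    return {"ok": not (missing or corrupt), "checked": len(manifest),
            "missing": missing, "corrupt": corrupt}

def restore_test(archive: Path, scratch: Path) -> dict:
    """Restore into a scratch directory (never onto production), then verify."""
    manifest = json.loads(Path(str(archive) + ".manifest.json").read_text())
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch)
    return verify_restore(manifest, scratch)

def run_demo() -> tuple:
    # Returns (clean restore report, report after one restored file is damaged).
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data", "erp")
        src.mkdir(parents=True)
        (src.parent / "clients.csv").write_text("id,name\n1,ACME\n")  # constructed data
        (src / "orders.db").write_bytes(b"\x00" * 4096)               # constructed data
        archive = Path(tmp, "backup.tar.gz")
        manifest = make_backup(src.parent, archive)
        clean = restore_test(archive, Path(tmp, "restore1"))
        damaged_dir = Path(tmp, "restore2")
        restore_test(archive, damaged_dir)
        (damaged_dir / "erp" / "orders.db").write_bytes(b"\xff" * 4096)  # simulate bit rot
        return clean, verify_restore(manifest, damaged_dir)
```

A backup that passes this check on an isolated host, from the offsite copy, is the only kind worth counting in the "3-2-1" tally.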

3. Train your teams on phishing: for real

Phishing remains the number one attack vector in France at 55% of incidents according to CESIN (French cybersecurity executives association). Theoretical training (a PowerPoint once a year) is ineffective. What works: regular simulations that put employees in real-world conditions, followed by immediate feedback.

Action: deploy a phishing simulation platform that sends regular test emails and provides automated micro-training when an employee clicks. For a complete guide: Phishing simulation for businesses: 2026 guide. Discover nophi.sh features.

Cost: 2,000 to 4,000 euros per year for 50 users, or 3 to 7 euros per employee per month. See pricing.

Timeline: deployment in 48 hours, first simulation campaigns within one week.

For a deeper look at phishing statistics in the workplace: Phishing in the workplace: 2026 statistics, examples, and solutions.

4. Write a minimal response plan

65% of SMEs and micro-businesses have no incident response procedure (Cybermalveillance.gouv.fr (France's national cyber assistance platform) 2025 barometer). A response plan doesn't need to be 50 pages long. It must answer four questions:

  • Who to call first? (incident response provider, insurer, lawyer, ANSSI (France's national cybersecurity agency) via the 17Cyber service)
  • How to isolate compromised systems? (disconnect them from the network but do not shut machines down, so that evidence is preserved)
  • How to communicate with clients? (pre-drafted crisis communication template)
  • Where are the backups and how to restore them? (documentation accessible outside the main network)

Cost: 3,000 to 8,000 euros if you hire a provider to draft it. Free if you use the templates available on Cybermalveillance.gouv.fr.

Timeline: one working day for a minimal version.

5. Get appropriate cyber insurance

With only 1.2% of French SMBs covered, cyber insurance remains a blind spot. The annual premium for a 50-employee SMB ranges from 2,000 to 5,000 euros: the cost of half a day of business disruption.

Action: request quotes from your broker, specifying your sector, revenue, and security measures already in place (MFA, backups, training: these reduce the premium). Compare deductibles, exclusions, and coverage limits.

Cost: 2,000 to 5,000 euros per year for 1 to 5 million in coverage.

Timeline: subscription in 2 to 4 weeks.

FAQ

What is the average cost of a cyberattack for an SMB in France?

The average cost of a cyberattack for a French SMB ranges from 58,600 euros (Cybermalveillance.gouv.fr (France's national cyber assistance platform) estimate, direct costs only) to 466,000 euros (Groupama 2025 study, including indirect costs). For a 50-employee SMB, our detailed simulation arrives at a median scenario of 870,000 euros factoring in direct, indirect, and hidden costs over 12 to 24 months. The gap between these figures comes down to scope: the low estimates count only the immediate invoices, not client loss, business disruption, or rising insurance premiums.

How long does business disruption last after a cyberattack?

Business disruption lasts an average of 3 to 7 weeks for an SMB. This breaks down into two phases: the full shutdown (5 to 15 days during which the company can barely operate) and degraded operations (2 to 5 weeks during which activity partially resumes, with productivity losses of 30 to 50%). Duration depends primarily on backup quality and whether a business continuity plan exists. An 800-bed hospital required 18 months to fully rebuild its information system.

Does cyber insurance reimburse all losses?

Cyber insurance never reimburses all losses. Deductibles for SMBs average 15,000 euros. CNIL (France's data protection authority) fines are not insurable under French law. Most policies exclude losses caused by proven negligence (no MFA, no backups). Coverage caps (1 to 5 million euros for an SMB) may be insufficient in severe scenarios. In 2025, only 1.2% of French SMBs carry cyber insurance, and according to CLUSIF, 72% of SMBs believe they are covered while only 39% actually meet the technical criteria required by insurers.

Should you pay the ransom in a ransomware attack?

ANSSI (France's national cybersecurity agency) and Cybermalveillance.gouv.fr (France's national cyber assistance platform) advise against paying ransoms. Paying does not guarantee data recovery (in 20 to 30% of cases, data is not fully restored after payment). Payment funds the criminal network and signals that your company is willing to pay, increasing the likelihood of a second attack. The Verizon DBIR 2025 shows that 64% of victims refuse to pay, up from 50% two years earlier. If payment is made, the LOPMI (French law on digital security) requires filing a police report within 72 hours for insurance to potentially intervene.

How much does prevention cost for an SMB with 50 employees?

A full cybersecurity program for a 50-employee SMB costs between 20,500 and 42,000 euros per year, including firewall, EDR, MFA, offsite backups, phishing awareness platform, annual audit, and cyber insurance. This amounts to 2.4 to 5.3% of the median incident cost. Phishing awareness training alone costs between 2,000 and 4,000 euros per year (3 to 7 euros per employee per month) and addresses the number one attack vector (55% of incidents according to CESIN (French cybersecurity executives association)).

What are the legal obligations after a cyberattack?

In France, a company that suffers a cyberattack involving personal data must notify the CNIL (France's data protection authority) within 72 hours of discovering the breach (Article 33 of the GDPR). If the risk to affected individuals is high, the company must also notify those individuals directly (Article 34). Non-compliance can result in a CNIL fine of up to 4% of global annual revenue. Additionally, companies subject to the NIS2 directive have supplementary notification obligations to ANSSI (France's national cybersecurity agency). In the case of ransomware, filing a police report is recommended, and mandatory within 72 hours if the company wants its insurance to cover any ransom payment (LOPMI (French law on digital security), April 2023).

How is AI changing the phishing threat?

Artificial intelligence has transformed phishing in 2024-2025. The Hiscox Cyber Readiness Report 2025 indicates that 60% of companies consider AI-powered social engineering the leading emerging threat. AI-generated phishing emails are harder to detect because they no longer contain the spelling errors and awkward phrasing that once helped employees identify them. They are written in correct French (or English), personalized with information found on LinkedIn or the company's website, and faithfully mimic internal communication styles. The DBIR 2025 documents a doubling in the volume of AI-generated phishing emails between 2024 and 2025. For SMBs, this means phishing training must evolve: spotting spelling mistakes is no longer enough; employees need to develop a systematic verification reflex for any email requesting a financial action or credential entry.

What should you do in the first hours of a cyberattack?

The first hours determine the extent of the damage. Four immediate actions: (1) isolate compromised systems by disconnecting them from the network without shutting them down, to preserve forensic evidence; (2) contact your incident response provider or 17Cyber (a service from Cybermalveillance.gouv.fr (France's national cyber assistance platform)) for initial guidance; (3) notify your insurer within the timeframe specified in your policy, typically 48 to 72 hours; (4) document everything chronologically (every action taken, every decision made, every communication sent), because this documentation will be required by the insurer, the lawyer, and potentially the CNIL (France's data protection authority). The most common mistake: trying to "clean up" systems yourself, which destroys evidence and prevents forensic analysis from determining the true extent of the compromise. See also: What to do in case of phishing: complete guide.

Conclusion

The cost of a cyberattack for a 50-person SMB cannot be reduced to the ransom or the IT provider's invoice. Our simulation arrives at a median scenario of 870,000 euros: over 10% of annual revenue for a company generating 8 million euros.

This figure aggregates dozens of expense items that business leaders overlook when assessing their risk exposure: business disruption (the heaviest item), client loss, contractual penalties, rising insurance premiums, employee turnover, and weeks of management time diverted from productive work.

The good news: prevention costs between 20,000 and 42,000 euros per year. That is 20 to 40 times less than the median incident scenario. It is also the prerequisite for obtaining cyber insurance that actually works: without MFA, without tested backups, and without employee training, an insurance policy is a reassuring legal document but financially useless.

The Cybermalveillance.gouv.fr (France's national cyber assistance platform) 2025 barometer shows that awareness is growing: 44% of SMB leaders consider their company highly exposed, up from 38% a year earlier. But awareness without action protects nothing. And 80% of SMEs and micro-businesses admit they are not prepared.

The question for your leadership team is not "can we afford to invest in cybersecurity?" It is: "can we afford a five-week production shutdown, a 10% loss in annual revenue, and a lasting threat to business viability?"

Launch your first phishing simulation - measurable results within 90 days, starting at 3 euros per employee per month.

To go further: calculate the ROI of awareness training | features | pricing
