What Does Cybercrime Really Cost? The (Real) Numbers for SMEs

"Cybercrime will cost the world $10.5 trillion a year." Numbers like this appear in every article and every sales deck. They are striking, but to someone running a small or medium business they say little or nothing: they are too big to mean anything. The useful question is not what cybercrime costs the planet, but what it can cost your company — and here serious figures do exist, and they differ from the headline ones.
The Trillions Circulating Online
The $10.5 trillion a year figure comes from Cybersecurity Ventures, a research firm, and is a projection made back in 2016 for the year 2025. It is the most cited estimate in the world, but also the most contested: economists fault it for a non-reproducible methodology and the risk of double counting (the same damage counted as lost productivity and as intellectual property theft). Other estimates, based on losses actually reported, point to a far lower figure, around $1.2 trillion. When a range runs from 1.2 to 10.5 trillion, the number is not a data point: it is an order of magnitude.
One thing is certain: the phenomenon is huge and growing. The World Economic Forum, in its Global Cybersecurity Outlook 2025, reports — citing the Global Anti-Scam Alliance — that online scams alone siphoned off more than $1 trillion in the past year. But the message for a business owner is not "there is a great global enemy." It is: a slice of that money leaves the accounts of companies like yours, every day.
The Number That Matters to You: What a Breach Costs
Here we move from projections to measured facts. IBM's Cost of a Data Breach Report (conducted by the Ponemon Institute) analyses each year the real breaches suffered by hundreds of organisations — 604 in the 2024 edition. The key figure: the global average cost of a data breach is $4.88 million, up 10% on the previous year, the steepest jump since the pandemic.
The average hides sharp differences by sector. The hardest hit, for the fourteenth year running, is healthcare, with an average cost of $9.77 million per breach; the financial sector follows, at around $6 million. These are large-organisation figures, true. But the point, for an SME, is a different one — and it is counterintuitive.
Italy Is a Target, and SMEs Are the Weak Link
The Clusit 2025 Report — the annual snapshot of Italian cybersecurity — describes a disproportionately hit country: Italy accounts for over 10% of all serious incidents recorded worldwide, against a far smaller economic weight. Attacks are rising (+15% year on year), and profit-driven ones — pure cybercrime — grow by about 40%.
The techniques remain, for the most part, unsophisticated: malware (36% of cases), DDoS attacks (19%), exploitation of known vulnerabilities (11%), phishing (11%). This is not precision cyberwarfare: it is, in the analysts' words, "trawl fishing." And the trawl net catches above all those with the lowest defences: small and medium businesses.
Why an SME, Proportionally, Pays More
A multinational that suffers a $5 million breach absorbs it: it has reserves, insurance, a dedicated team. For an SME the same event — even at a much lower nominal cost — can be fatal, because it hits thin margins and a single line of business. For a small company the damage is rarely the ransom figure: it is the downtime (days of lost production), the loss of customers, the halt to invoicing, the inability to deliver. Items that make no headlines, but weigh more than the ransom itself.
This is what truly translates the global trillions: not "how big is the problem in the world," but "how many days would my company be down, and with what consequences, if tomorrow I could not access my systems."
From Numbers to Action
The good news is the flip side of the Clusit data: if attacks are mostly unsophisticated, then a large share of them can be prevented with basic measures. Timely updates (the exploited vulnerabilities are almost always known and already patched by the vendor), verified and isolated backups, multi-factor authentication, basic staff training against phishing. You don't need a multinational's budget: you need method.
And here the regulatory dimension comes in, which for many companies is becoming an obligation rather than a choice. The NIS2 directive extends security obligations to entire sectors and their supply chains: even an SME that supplies a larger company may have to meet its requirements. For the financial sector, DORA already imposes strict operational resilience rules. Turning these obligations from a cost into a competitive advantage starts with a single first step: knowing what you are exposed to.
The global numbers serve one purpose only: to remind us that the risk is real and widespread. Everything else — how valuable a target you are, which systems are critical, how long you would withstand an outage — is measured only by looking at your company. That is where you start.
How long would your company withstand an outage?
We start from your company's numbers: we map critical systems, assess exposure, build the baseline measures, and identify the NIS2 / DORA obligations that apply to you.
Sources
- IBM & Ponemon Institute — Cost of a Data Breach Report 2024: ibm.com/reports/data-breach
- Clusit — Rapporto Clusit 2025 sulla sicurezza ICT in Italia: clusit.it/rapporto-clusit
- World Economic Forum — Global Cybersecurity Outlook 2025: weforum.org
- Cybersecurity Ventures — Cybercrime Damage Costs ($10.5T projection, to be read with methodological caution): cybersecurityventures.com