$4.88 million — that's the average cost of a data breach globally in 2026, according to IBM's annual Cost of a Data Breach Report. That figure has climbed steadily for four consecutive years, and for most organizations it represents not just a financial hit, but a structural one. Lost customers, shattered trust, months of remediation work, and legal exposure that can linger for years. If you've been putting off a serious conversation about your security budget, this is the number that should change your mind.
But averages can deceive. That $4.88 million figure captures enterprise-scale incidents that skew the mean. For a 30-person accounting firm or a regional e-commerce retailer, the reality looks different — and in some ways, worse, because the proportional impact is far more devastating. Understanding cost by company size, by breach type, and by industry is how you translate global statistics into decisions that actually matter for your organization.
This article breaks down the real numbers behind cyberattack costs in 2026 — what you're actually paying for, who's getting hit hardest, and why prevention is almost always the cheaper option. For a broader strategic framework, start with our complete cybersecurity guide for 2026.
Global Average Cost of a Data Breach in 2026
The $4.88 million global average includes both direct and indirect costs — everything from forensic investigation and crisis communications to regulatory fines and the long tail of customer churn. It's a composite number that reflects a world where breaches have become more complex, attacker dwell times have shortened but damage has intensified, and regulatory frameworks have grown significantly more punishing.
What's notable about the 2026 figures is the acceleration. In 2020, the global average sat at $3.86 million. That's a 26% increase in six years, consistently outpacing inflation. Part of that increase reflects higher ransom demands. Part of it reflects stiffer regulatory penalties under GDPR, CCPA, and a growing list of sector-specific frameworks. And part of it is simply the compounding nature of digital infrastructure — the more interconnected your systems, the more a single point of failure can cascade.
How the Average Is Calculated
IBM's methodology, which has become the industry benchmark, surveys organizations that experienced a data breach during the prior year and asks them to quantify costs across four categories: detection and escalation, notification, post-breach response, and lost business. Lost business — which includes customer turnover, revenue losses during system downtime, and the cost of reacquiring customers — typically accounts for the largest share, often 35–40% of total cost.
That methodology matters because it reveals something important: the costs that are hardest to quantify are often the most significant. A manufacturer that loses a week of production isn't just losing that week's revenue — it is potentially losing contracts, supplier trust, and market position that took years to build.
Cost of a Cyberattack by Company Size
The headline $4.88 million figure masks a distribution that varies dramatically by organizational scale. Here's how costs break down across company size segments in 2026.
Small Businesses (Under 500 employees)
Small businesses face an average breach cost of $60,000 to $150,000, depending on the nature of the incident and the data involved. That range may sound manageable next to the enterprise figure, but context matters: for a business with $2 million in annual revenue, a $100,000 breach represents 5% of top-line revenue — before accounting for the productivity loss, the legal fees, and the months of distraction for leadership.
More troubling is the survival rate. Studies consistently find that 60% of small businesses that experience a significant cyberattack close within six months. Not because the attack alone is fatal, but because the combination of financial cost, reputational damage, and operational disruption is simply too much to absorb without the resilience resources that larger organizations have.
Mid-Market Companies (500–5,000 employees)
The mid-market sits in an uncomfortable position. These companies are large enough to hold significant amounts of valuable data — customer PII, financial records, intellectual property — but often lack the mature security operations that would make them harder targets. Average breach costs for mid-market companies in 2026 range from $500,000 to $2 million.
This segment has seen some of the sharpest cost increases over the past three years, driven by ransomware groups who've specifically shifted focus from consumers and small businesses toward organizations with enough assets to pay meaningful ransoms but not enough security depth to detect and contain quickly.
Enterprise (5,000+ employees)
Large enterprises bear the highest absolute costs — the $4.88 million average is pulled heavily by breaches at organizations with thousands of employees, complex supply chains, and regulatory obligations across multiple jurisdictions. Mega-breaches (affecting more than one million records) have averaged over $300 million in total cost when you include regulatory fines, class action settlements, and long-term customer attrition.
What enterprises have that smaller organizations don't is structural resilience. They can absorb a $5 million breach without existential risk. That doesn't make it acceptable, but it does mean the strategic conversation is different — for enterprises, it's about minimizing frequency and severity. For smaller organizations, it's about survival.
Cost Breakdown: Where the Money Actually Goes
Understanding the composition of breach costs is essential for building a defensible security budget. Here's where organizations actually spend money in the aftermath of a cyberattack.
Ransom Payments
The average ransom payment in 2026 sits at approximately $850,000, up from $570,000 in 2023. But the ransom itself is rarely the largest line item. Organizations that pay ransoms often discover that they still face significant recovery costs — decryption is slow, backups may be corrupted, and threat actors increasingly engage in double extortion, threatening to publish stolen data even after payment. Paying the ransom does not guarantee data recovery; it simply buys a chance at it.
Downtime and Business Interruption
This is consistently the most expensive component of a breach. Average downtime following a ransomware attack now exceeds 21 days. For a company with $10 million in annual revenue, 21 days of operational disruption represents roughly $575,000 in lost revenue alone — before any recovery costs. Add in the cost of manual workarounds, emergency contractor fees, and expedited hardware procurement, and downtime costs routinely exceed the ransom payment by a factor of five to ten.
Remediation and Technical Recovery
Forensic investigation, system rebuilding, vulnerability patching, and security hardening post-incident typically run $150,000 to $500,000 for mid-market companies. Enterprises engaging Tier 1 incident response firms can see these costs exceed $2 million. Importantly, these costs are non-negotiable — you cannot skip forensics and simply restore from backup, because without understanding the attack vector, you risk reinfection.
Legal and Regulatory Costs
GDPR fines can reach 4% of global annual revenue. CCPA violations carry statutory damages of $100–$750 per consumer per incident. Healthcare organizations face HIPAA penalties that can stack per violation. Even companies that navigate regulatory proceedings successfully will spend $100,000 to $300,000 in legal fees doing so. Class action settlements add another layer — they've become more common and more expensive as breach fatigue among consumers has transformed into genuine litigation appetite.
Reputational Damage and Customer Churn
This is the hardest cost to quantify and the one most organizations underestimate. Studies tracking consumer behavior post-breach consistently show 20–30% customer attrition in the year following a publicly disclosed incident. For a SaaS company with $5 million in annual recurring revenue, losing 25% of its customer base represents a $1.25 million hit to ARR — every year, until that trust is rebuilt, which typically takes two to three years.
Year-Over-Year Trends: The Trajectory Matters
The cost of data breaches has increased in 15 of the last 16 years. That's not a random fluctuation — it's a structural trend driven by several converging forces.
Attack sophistication has outpaced defense investment at most organizations. The adoption of AI-assisted attack tools has lowered the skill floor for attackers while raising the complexity ceiling for defenders. Supply chain attacks — where a single compromised vendor can expose hundreds of downstream customers — have become a preferred vector precisely because they multiply an attacker's leverage.
Regulatory environments have also matured. The average time to comply with breach notification requirements is now measured in hours in many jurisdictions, not days, which means incident response has to be faster and more resource-intensive than it was five years ago.
One countertrend worth noting: organizations with mature AI-powered security operations have seen average breach costs 15–20% lower than those without. Automated detection and containment directly shorten dwell time, which is one of the strongest predictors of total breach cost.
Most Targeted Industries in 2026
Healthcare remains the most targeted and most expensive sector for data breaches, with an average cost of $10.9 million per incident. The combination of highly sensitive data, aging infrastructure, and the life-critical nature of operations — which creates extreme pressure to pay ransoms quickly — makes healthcare an enduringly attractive target.
Financial services come second at $6.1 million average breach cost. The regulatory overhead is significant, and the data is directly monetizable. Energy and utilities have seen a sharp increase in targeting as critical infrastructure attacks have moved from nation-state actors to criminal groups. Technology companies, retail, and professional services round out the top six.
Notable is the rise of legal and accounting firms as targets. These organizations hold extraordinarily sensitive client data but have historically invested less in security than financial services or healthcare. That gap is being exploited aggressively.
Cost of Prevention vs. Cost of a Breach
The math here is straightforward and yet somehow still controversial in boardroom conversations. A mid-market company spending $150,000 annually on a mature security stack — endpoint detection and response, email security, privileged access management, employee training, and regular penetration testing — is investing roughly 1.5% of the average breach cost for that segment.
Framed differently: if a $150,000 annual security investment reduces your breach probability by even 30%, and your expected breach cost is $1 million, that investment lowers your expected annual loss by $300,000 — double what it costs. The return is obvious.
What makes this calculation harder in practice is that security spending is invisible when it works. Nobody celebrates the ransomware attack that didn't happen. This is why security budget conversations benefit from anchoring on breach cost data rather than abstract risk assessments — numbers like $4.88 million and 21 days of downtime are concrete enough to shift the conversation from "do we need to spend this?" to "how do we spend this most effectively?"
If you're working through the practical steps of building or hardening your security infrastructure, our guide on how to secure your IT infrastructure covers the prioritization framework in detail.
What This Means for Your Security Budget
The data points in one clear direction: underinvestment in security is not a cost-saving strategy. It's a deferred payment plan with interest. The organizations that fare best after a breach — in terms of both recovery speed and total cost — are those that invested in detection and response capabilities before the incident, not those that tried to minimize pre-breach spending.
The $4.88 million global average will not go down on its own. Threat actors are better resourced, better organized, and better equipped than at any point in history. The question for every organization in 2026 is not whether the risk is real — it manifestly is — but whether your current investment level is proportional to what a breach would actually cost you.
Start with an honest assessment of your current exposure. Map your most sensitive data, identify your highest-risk entry points, and build your security spend around the specific scenarios that would hurt your organization most. That's a more defensible approach than any single product or policy — and it's the foundation of a security posture that can actually hold up when it matters.