Ransomware coverage tends to focus on large enterprises, with headlines about hospital systems or major retailers paying seven-figure ransoms. This gives small businesses a false sense of distance from the problem. A 20-person company is not a less likely target. It is often an easier one, and the financial impact, while smaller in absolute terms than a Fortune 500 incident, can be proportionally far more damaging to a business of that size.
When people picture the cost of ransomware, they picture the ransom itself. In practice, the ransom payment, if a business chooses to pay it at all, is frequently the smallest part of the total cost. Many security advisors and law enforcement agencies recommend against paying, partly because payment does not guarantee data recovery and partly because it marks the business as willing to pay, inviting repeat targeting. Regardless of whether a ransom is paid, the larger costs sit elsewhere.
For a 20-person company, a ransomware attack typically takes systems offline for days, sometimes weeks, depending on how quickly clean backups can be restored and verified. During that window, the business is not simply inconvenienced. It usually cannot invoice clients, cannot access project files, cannot process orders, and in many cases cannot communicate through its normal email system if that system was also affected.
Lost revenue during this period adds up quickly for a business of this size, since there is rarely a large operating cushion to absorb weeks of reduced output. Staff still need to be paid during the outage even though their ability to do billable work is limited or gone entirely. A business running on tight margins can lose more in a few weeks of downtime than it would have spent on the security measures that might have prevented the attack in the first place.
Restoring systems after an attack is rarely a simple matter of reinstalling software from backup. Investigators need to determine how the attacker got in, what they accessed while inside, and whether they left any other access points behind before systems can be considered safe to bring back online. For a 20-person company without in-house security expertise, this almost always means bringing in outside specialists, at rates that reflect the urgency of the situation rather than a planned IT budget.
If backups were incomplete, outdated, or themselves affected by the attack, which happens more often than businesses expect, recovery extends further still. Rebuilding lost work, re-entering data, and reconstructing records that existed only in compromised systems adds time and labor cost on top of the technical recovery itself.
If customer or client data was accessed during the attack, the business likely has a legal obligation to notify those affected, along with relevant data protection authorities, within a defined timeframe. Meeting that obligation properly often requires legal guidance to determine exactly what must be disclosed and to whom, which is an additional cost most businesses have not budgeted for because they did not expect to need it.
These notifications also carry a cost beyond the immediate compliance requirement. Clients who receive a breach notice from a 20-person vendor will reasonably ask questions about what happened and what is being done differently going forward. How that conversation goes often determines whether the relationship survives the incident.
The hardest cost to quantify is the one that shows up over the following months rather than the following days. Clients who experienced delayed deliverables or who were notified that their data may have been exposed do not always say so directly, but contract renewals slow down, referrals dry up, and prospective clients doing due diligence sometimes find out about the incident on their own.
For a business of this size, reputation often functions as the primary sales asset, built through word of mouth and long-standing client relationships rather than brand marketing. An incident that damages that reputation can suppress revenue well after the technical recovery is complete, in ways that rarely appear in any single line item.
Added together, the realistic cost of a ransomware attack on a 20-person company, factoring in downtime, recovery, compliance, and the slower erosion of client trust, regularly exceeds what that same business would have spent over several years on basic preventive measures: multi-factor authentication, properly tested backups, and a clear incident response plan. None of these measures eliminates risk entirely, but together they consistently change the outcome from a business-threatening event into a manageable disruption.
The businesses that treat this kind of preparation as a real budget item, rather than something to revisit later, are making a financial decision as much as a security one.