Drained system resources -- If your business, like many small and midsized businesses, has plenty of muscle (top or near top of the line business machines, for instance) but limited IT management resources, you're just what the bot wranglers and herders are looking for.
E-mail servers, particular targets for spambots, obviously, experiencing performance drains once the bot has a foothold, at which point the second hidden cost starts to be paid:
Bandwidth leeching -- even a "minor" spambot pumping out junk or worse consumes part of your bandwidth. In worst-case situations, the traffic becomes large enough to overload your capacity (at which point some victims realize for the first time that they have been compromised).
For companies using metered or restricted bandwidth capacity -- satellite services such as Hughesnet, for example -- the spam traffic doesn't have to be large enough to crash the connection, just large enough to exceed the daily capacity the provider permits.
Power consumption -- admittedly the least of the three hidden costs discussed here, but still worth noting that if you're allowing a per centage of your IT resources to serve the botnet's needs, a portion of your power bill is going to subsidize them as well.
The primary reason to guard aggressively against bots is to protect your business, your customers, your data, your integrity.
But the hidden costs are worth guarding against, too. The nice thing is that by guarding against the one, you protect the resources of the other.
Take a look at some of bMighty's bSecure SMB Security On A Budget advice on-demand edition of our popular online event: