Babble Blog

How Much Should I Spend On Cyber Security Annually?

Written by Steve Hennessy | Feb 26, 2025 12:00:00 AM

It's a question I hear all the time: “How much should I spend on my cyber security this year?” But I'll tell you straight away, that's the wrong question to be asking. The real question is: how much should I invest in cyber security?

Many SMBs focus on cutting costs, perhaps believing they're too small to attract the attention of cybercriminals, but the reality is often the opposite. Small businesses are targeted precisely because they're seen as easier targets, and much of today's attack activity is automated and opportunistic: it scans for weak credentials, unpatched systems and missing MFA regardless of who owns them. Cyber attackers, like any opportunist, will always look for the easiest way in. The repercussions of underinvesting in cyber security can be devastating, leading to potential business-ending disruptions. An oft-quoted figure, though one without a clear primary source, is that 60% of small businesses close within six months of experiencing a data breach or cyberattack.

With years of experience successfully supporting businesses like yours with their cyber security needs, we understand the unique security challenges you face each day. As a seasoned cyber security expert and advisor on cyber security budgeting, I’ve helped thousands of organisations navigate these complexities, and recognise that a one-size-fits-all approach simply doesn’t work.

In this article, we'll guide you through the key factors that influence your cyber security budget, help you understand the real costs involved, and demonstrate how to think about cyber security as an essential investment, not just an expense. 

Key Factors Influencing Your Cyber Security Budget 

In my experience, every business, regardless of size, should allocate a percentage of its IT spend to security. The specific percentage will always vary depending on the size and nature of the organisation; however, I generally advise that, for each individual user, at least 30% of what you're spending on that user should be directed toward security in some form.

I often like to put the costs into perspective, and a good example is Microsoft 365 Business Premium. For around £20 per user per month, you can get Business Premium plus a third-party backup licence, which together give you endpoint protection (Business Premium includes Microsoft Defender for Business, an endpoint detection and response product in its own right), email protection, multi-factor authentication, and data backup. Not only does this provide a solid foundation for security at a relatively low cost; if you think about it, that £20 a month is comparable to the cost of one coffee a week for many people. Yet it can help prevent much larger problems in the future!

It's perfectly acceptable to start with basic security measures and gradually build upon them over time, but you need to start somewhere. As I often tell my clients, if you can't afford a full-blown cyber security solution, then you should at least put some form of backup and resilience in place and build on that protection over a period of time, rather than saying “it's too expensive, so I'm just not going to do it!”

If you're operating with a very limited budget, prioritise the systems your business relies on most and that attackers target most: email (the usual entry point for phishing and business email compromise) and wherever your customer data is held. These are the primary targets for cybercriminals and the areas where a breach can cause the most significant damage, so securing them (MFA on every account, a tested backup, and patched, supported software) should be your first line of defence.

Investing in cyber security isn't just about protecting your data; it's about safeguarding your business's future and ensuring its continued operation. It’s about building resilience and demonstrating to your customers, partners, and stakeholders that you take their security seriously. 

I often recommend Cyber Essentials, the UK government-backed scheme built around five technical controls (firewalls, secure configuration, user access control, malware protection and security update management), as a good starting point, even if you don't pursue the full certification. Working through its self-assessment questionnaire forces you to examine your current practices and determine whether you're adequately protecting your users and data. It prompts you to ask: "What am I doing at the moment, do I meet the criteria? And can I say honestly that I'm spending an adequate amount to protect our users and the data that they're managing?"

Cyber Security Investment: Price Considerations for SMBs 

Now, I know what many of you really want: some idea of costs. So, to give you a clearer picture of what various cyber security measures might cost, I've put together a table outlining typical price considerations. Keep in mind that this is just a general guide.  

The actual costs can vary quite a bit depending on your specific requirements, the vendors you choose, and how complex the implementation is. But it should give you a solid starting point for your planning. 

Category: Baseline Security
Description: Essential security measures for basic protection.
Cost factors: Number of users, type of devices, level of protection.
Example costs & considerations:
  • Microsoft 365 Business Premium: £18/user/month (includes Microsoft Defender for Business for endpoint protection and EDR, plus multi-factor authentication, so the separate antivirus and EDR lines below are largely redundant if you hold this licence)
  • Basic antivirus/anti-malware software: £30-£60/device/year
  • Firewall (SMB-grade): £200-£1,000 one-time hardware cost; most vendors charge an additional annual subscription for threat-prevention and content-filtering services

Category: Employee Training
Description: Educating employees to identify and respond to cyber threats.
Cost factors: Training frequency, content complexity, delivery method.
Example costs & considerations:
  • Online cyber security awareness training: £25-£60/user/year
  • Phishing simulation tools: £25-£200/month
  • In-person training sessions: £500-£2,000/session

Category: Data Backup & Recovery
Description: Solutions for backing up critical data and restoring it in case of loss.
Cost factors: Data volume, backup frequency, storage location, recovery time objective.
Example costs & considerations:
  • Cloud-based backup: £3-£6/user/month
  • On-premise backup solutions: vary significantly with hardware, software and data volume
  • Microsoft 365 backup (third-party or Microsoft's own service): £2.50-£6/user/month

Category: Advanced Security
Description: Enhanced security measures for organisations with higher risk profiles or specific compliance needs.
Cost factors: Complexity of security needs, industry regulations, sensitivity of data.
Example costs & considerations:
  • Endpoint Detection and Response (EDR): £5-£15/endpoint/month (budget separately only if your baseline licence doesn't already include it)
  • Security Information and Event Management (SIEM): costs vary greatly by solution; ingested log volume and retention period are the usual pricing drivers
  • Vulnerability scanning: £500-£5,000+/year

Category: Ongoing Management
Description: Costs associated with managing and maintaining cyber security systems.
Cost factors: Internal vs. external management, complexity of systems, level of monitoring.
Example costs & considerations:
  • Managed Security Service Provider (MSSP): £500-£5,000+/month
  • Internal IT staff costs: salaries, benefits, training

Beyond the Obvious: Addressing Overlooked Cyber Security Expenses 

Now that you’ve got a better idea of all the parts that go into a cyber security budget, you might have picked up on some of the less obvious expenses associated with keeping a business and its people safe. Employee training is a good example. It is impossible to train people on every conceivable threat, but it is still important to deliver training that's specific to the threats employees actually encounter in their daily work, so budget enough to ensure the training uses real-life examples (the invoice-fraud email, the fake MFA prompt, the urgent request from the "CEO") and gives clear guidance on how to respond and who to report to.

Data backup is another frequently overlooked element. There's a common misconception, particularly among smaller businesses, that if you use Microsoft 365 your data is automatically backed up, and I’m here to tell you that it isn't. Recycle bins and retention policies are not a backup: they won't save you from a ransomware attack that encrypts synced files, a compromised admin account that purges mailboxes, or a retention window that has simply expired. Microsoft's own services agreement recommends that customers regularly back up their content, and its shared responsibility model places responsibility for protecting your data with you, the customer. Therefore, it's essential to have a separate backup solution for your Microsoft 365 data, and to test a restore from it at least once.

When you look at cyber security this way, it becomes clear that a truly effective cyber security strategy demands a holistic approach, one that accounts for all costs, both obvious and hidden. Failing to recognise the importance of elements like comprehensive data backup, and the potential for catastrophic loss that comes with neglecting it, can undermine your entire investment and leave your business exposed to disasters that could have been avoided.

Here are the top 5 things I think any SMB should consider when deciding on how much to spend on cyber security to start with:  

  1. Allocate a Percentage of IT Spend: Businesses should allocate a percentage of their IT spend to security. The specific percentage varies, but a general guideline is to allocate at least 30% of what you're spending per user towards security. 
  2. Essential Security Measures: Prioritise essential security measures for basic protection, such as multi-factor authentication on every account, endpoint protection, timely patching and a firewall.    
  3. Employee Training: Invest in employee training to help them identify and respond to cyber threats. This includes training frequency, content complexity, and delivery method.    
  4. Data Backup and Recovery: Implement solutions for backing up critical data and restoring it in case of loss, considering factors like data volume, backup frequency, and storage location.    
  5. Ongoing Management: Budget for the costs associated with managing and maintaining cyber security systems, including internal vs. external management, system complexity, and the level of monitoring required.    

Demonstrating ROI in Cyber Security Investments 

Getting buy-in for cyber security investments and demonstrating a clear return on them can be challenging. As I often explain to clients, "The only way you know it's doing a good job is that you haven't had a problem; what makes this tricky is that that isn't necessarily visible or obvious."    

Instead of focusing solely on direct financial returns, consider the potential costs of inaction. What would be the true cost if your business was unable to operate for a day? What would be the impact of lost productivity or the disruption of rescheduled meetings? As an example, I often ask, “What if so-and-so wasn't able to work for one day? What would be the cost to the business physically? And what would be the knock on effect to the business?”    

Another approach is to break the cost down to a per-user, per-day basis. Using the Microsoft licence example, the £20 monthly cost works out at less than £1 per user per working day, a very small daily investment set against some potentially significant losses.

It's also vital to factor in the less tangible costs, such as damage to your business’s reputation, loss of customer trust, potential legal fees, and regulatory fines. Ultimately, proactive cyber security is about making your business a harder, less attractive target and limiting the damage when something does get through.

Cyber Security: An Essential Investment, Not a Luxury 

We’ve tackled the issue of cyber security investment for SMBs and highlighted a common challenge: the tendency for smaller businesses to underestimate their risk and, consequently, underinvest in adequate protection. While there might not be an exact answer to how much you should be investing annually into your cyber security, you should now have a better understanding of what needs to be considered.  

This means moving away from reactive measures taken after an incident and embracing a strategy that prioritises investing in prevention and resilience and thinking about your cyber security as an investment and not just an expense. In moving forward, it's crucial for SMBs to integrate cyber security into their core business planning.  

This requires a commitment to allocating the appropriate resources, staying informed about evolving threats, and fostering a security-conscious culture within the organisation. If you’d like to get a better idea of where you currently stand, read our article that covers exactly what goes into a cyber security budget in much more detail, and start planning a cyber security strategy that truly protects your business's assets.