How Much Should Your Business Budget for Cyber Security?
Cyber Security Should Be Planned, Not Purchased After an Incident
Cyber security is now an essential business expense.
Most organisations depend on email, Microsoft 365, cloud applications, computers, mobile devices, internet connections and online banking every day.
A successful cyber attack could prevent employees from working, expose confidential information, interrupt customer services and create significant recovery costs.
Despite this, many businesses do not have a defined cyber security budget.
Security products may be purchased individually whenever a new concern appears. One employee may buy antivirus software, another may arrange a backup service and a third may introduce a password manager.
The result can be an expensive collection of products that do not work together and may not address the organisation’s greatest risks.
A cyber security budget should be based on:
- The information the business holds
- The systems it depends on
- The likelihood of an attack
- The potential impact of disruption
- Customer and regulatory requirements
- Existing security weaknesses
- The organisation’s ability to respond and recover
The objective is not to purchase every available security product.
It is to invest in the controls that reduce the greatest business risks.
Why does every business need a cyber security budget?
Cyber security is sometimes treated as an unexpected IT cost.
A business may invest only after:
- A phishing incident
- A ransomware attack
- A customer security questionnaire
- A failed insurance application
- A data breach
- A regulatory concern
- A major software vulnerability
This reactive approach often costs more.
Emergency work may need to be completed quickly, affected systems may be unavailable and the organisation may have limited time to compare solutions.
A planned budget allows the business to improve its security gradually and prioritise the areas with the greatest risk.
It can also prevent important controls from being postponed because they were not included in the annual financial plan.
Cyber security is a business risk
A cyber security budget should not be viewed only as an IT department expense.
A serious incident may affect:
- Sales
- Finance
- Customer service
- Operations
- Legal responsibilities
- Insurance
- Reputation
- Business continuity
- Senior management
For example, a compromised Microsoft 365 account could allow a criminal to monitor invoices and send fraudulent payment instructions.
A ransomware attack could prevent access to shared files, business applications and customer records.
A stolen laptop could expose confidential information if the device is not encrypted.
These are business risks supported by technology, rather than purely technical problems.
Senior management should therefore be involved in deciding:
- Which risks are acceptable
- Which systems are most important
- How much downtime the organisation can tolerate
- Which improvements should be prioritised
- Who is responsible for maintaining the controls
- How much should a business spend on cyber security?
There is no single amount that is suitable for every organisation.
Two businesses with the same number of employees may have very different security requirements.
A small professional-services firm holding confidential client information may require stronger controls than a similarly sized business processing little sensitive data.
The appropriate budget may be influenced by:
- Number of employees
- Number of computers and mobile devices
- Remote working
- Number of business locations
- Use of cloud services
- Type of information held
- Regulatory requirements
- Customer contracts
- Dependence on technology
- Existing security maturity
- Internal IT capability
A business should avoid selecting its budget only by copying a percentage used by another organisation.
A better approach is to identify the risks, determine the required controls and calculate the cost of implementing and maintaining them.
Start with a cyber security assessment
Before deciding what to spend, understand the current position.
A cyber security assessment may review:
- Microsoft 365
- User accounts
- Administrator permissions
- Multifactor authentication
- Computers and mobile devices
- Antivirus and endpoint protection
- Security updates
- Firewalls
- Wi-Fi
- Backups
- Remote access
- Employee training
- Security monitoring
- Incident response
- Supplier access
The review should identify:
- Existing controls
- Missing controls
- Unsupported systems
- Immediate risks
- Areas requiring further investigation
- Longer-term improvements
Without this assessment, the business may spend money on a highly visible security product while leaving a more serious weakness unresolved.
For example, an organisation may purchase an advanced firewall while several Microsoft 365 administrator accounts still have no multifactor authentication.
The firewall may be useful, but the identity risk should probably have been addressed first.
Focus on risk, not fear
Cyber security marketing can create pressure to purchase products immediately.
Businesses may be warned about ransomware, artificial intelligence, data theft and advanced criminal groups.
These threats are real, but fear should not determine the budget.
Each proposed investment should answer clear questions:
- Which risk does this control address?
- How likely is that risk?
- What would the impact be?
- Do we already have a control?
- Who will manage the product?
- How will we know it is working?
- What happens when it creates an alert?
- Is there a simpler way to reduce the risk?
The most expensive product is not automatically the most effective.
Strong cyber security normally comes from several well-managed controls rather than one large purchase.
The main areas of a cyber security budget
A complete cyber security budget may need to cover several different areas.
Identity and access protection
This may include:
- Multifactor authentication
- Conditional Access
- Single sign-on
- Password management
- Privileged-access controls
- Administrator-account reviews
- User onboarding and offboarding
Identity protection is particularly important because many attacks begin with a stolen password rather than a direct attack against the office network.
Device protection
This may include:
- Managed antivirus
- Endpoint detection and response
- Disk encryption
- Device management
- Security policies
- Remote wipe
- Mobile-device protection
The business should know which computers and mobile devices can access company information and whether those devices remain secure.
Email security
This may include:
- Anti-phishing protection
- Malicious attachment scanning
- Unsafe link protection
- Domain protection
- Email authentication
- Security awareness training
Email remains one of the most common ways attackers target employees.
Security-update management
The budget may need to include:
- Operating-system updates
- Third-party application updates
- Server updates
- Firewall firmware
- Replacement of unsupported devices
- Vulnerability assessment
Security updates require more than enabling an automatic setting.
Somebody should identify failed updates, unsupported software and devices that have stopped reporting.
Backup and disaster recovery
This may include:
- Server backups
- Microsoft 365 backups
- Cloud application backups
- Off-site storage
- Immutable recovery points
- Disaster recovery systems
- Recovery testing
Backups should be protected from the same accounts and systems they are intended to recover.
Security monitoring
This may include:
- Endpoint monitoring
- Microsoft 365 sign-in monitoring
- Security alert investigation
- Firewall monitoring
- Managed detection and response
- Out-of-hours security coverage
Installing a security product does not provide full protection when nobody reviews its warnings.
Employee training
This may include:
- Phishing simulations
- Security-awareness training
- Password guidance
- Data-handling training
- Incident-reporting procedures
- Role-specific training
Employees should know how to recognise and report suspicious activity without fearing that they will be blamed for making a mistake.
Policies and compliance
This may include:
- Cyber security policies
- Acceptable-use policies
- Incident-response plans
- Business-continuity plans
- Cyber Essentials
- Supplier assessments
- Data-protection support
- Audit preparation
Policies should reflect what the business genuinely does.
A policy stating that every device is encrypted provides limited value when nobody has confirmed that encryption is enabled.
Incident response
The business may need to budget for:
- Specialist cyber incident support
- Forensic investigation
- Legal advice
- Emergency recovery
- Public-relations support
- Cyber insurance excesses
- Temporary replacement equipment
Not every cost needs to be paid in advance.
However, the business should know who it would contact and how emergency assistance would be funded.
Budget for ongoing management
A common mistake is budgeting only for the initial purchase.
Cyber security requires ongoing work.
For example, purchasing a password manager may also require:
- Initial configuration
- Employee training
- Importing credentials
- Replacing weak passwords
- Creating shared folders
- Reviewing access
- Removing former employees
- Monitoring adoption
An endpoint-security platform may require:
- Device onboarding
- Policy configuration
- Alert monitoring
- Software exclusions
- Investigation
- Incident response
- Regular reporting
The budget should therefore include:
- Licences
- Implementation
- Management
- Monitoring
- Training
- Review
- Replacement
A product that is never configured or reviewed may provide far less protection than the business expects.
Avoid buying duplicate security products
Businesses frequently pay for overlapping products.
For example, they may have:
- Antivirus included with Microsoft licensing
- A separate antivirus product
- Another endpoint monitoring platform
- Email security from several suppliers
- Multiple file-sharing applications
- Several backup services
- More than one password manager
Some overlap may be intentional and useful.
However, unnecessary duplication can increase cost and create confusion about which system is responsible for each task.
A licence review should identify:
- Products already included
- Features that are enabled
- Features that remain unused
- Applications that perform similar functions
- Products that can be consolidated
- Services that are no longer required
The objective should not be to cancel everything that appears similar.
It should be to understand why each product exists and whether it provides sufficient value.
Make better use of existing Microsoft licences
Many businesses already pay for Microsoft 365 but use only email, Word and Excel.
Depending on the subscription held, the organisation may also have access to security and management capabilities covering areas such as:
- Device management
- Identity protection
- Endpoint security
- Email protection
- Data controls
- Conditional Access
Before purchasing another platform, the business should review what is already included in its Microsoft licensing.
However, included does not mean automatically configured.
Security features may still need to be:
- Enabled
- Tested
- Deployed
- Monitored
- Supported
The cost of professional configuration and management should be included in the budget.
Prioritise the security basics
Businesses do not always need to begin with the most advanced security technology.
A strong foundation should normally include:
- Multifactor authentication
- Supported operating systems
- Prompt security updates
- Managed antivirus or endpoint protection
- Restricted administrator access
- Secure backups
- Device encryption
- Email protection
- Employee training
- An incident-response plan
These controls can prevent or reduce the impact of many common attacks.
Advanced monitoring, data-loss prevention and privileged-access tools may then be added according to risk and business requirements.
There is limited value in purchasing an expensive artificial-intelligence security platform when:
- Former employees still have active accounts
- Backups have never been restored
- Administrator passwords are shared
- Computers are unsupported
- Employees do not use MFA
Cyber security maturity should be built in a sensible order.
Use Cyber Essentials as a budget framework
Cyber Essentials can provide businesses with a practical baseline.
The scheme focuses on five areas:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection
Preparing for certification can help identify budget requirements such as:
- Replacing unsupported computers
Updating network equipment
Removing administrator permissions
Introducing device management
Improving malware protection
Cyber Essentials does not cover every aspect of business security.
It does not replace backups, employee training, monitoring or incident response.
However, it can provide a structured starting point and help the organisation demonstrate that important basic controls are in place.
Consider the cost of doing nothing
Cyber security discussions often focus only on the cost of prevention.
The business should also consider the potential cost of an incident.
This may include:
- Employee downtime
- Lost sales
- Emergency IT support
- Data recovery
- Legal advice
- Customer notification
- Regulatory investigation
- Replacing equipment
- Increased insurance costs
- Reputation damage
- Lost contracts
A security investment should not need to prevent an enormous theoretical loss to be worthwhile.
Even repeated smaller incidents can create significant costs.
For example, compromised employee accounts may cause:
- Fraudulent invoice requests
- Password resets
- Account investigations
- Customer warnings
- Several hours of lost work
Reducing the frequency and impact of these incidents can provide measurable value.
Calculate the value of employee time
Security tools can sometimes improve productivity as well as reduce risk.
A password manager may reduce time spent:
- Searching for credentials
- Resetting passwords
- Sharing access
- Recovering accounts
Central device management can reduce time spent manually configuring computers.
Automated update management can reduce emergency support caused by outdated software.
The business should consider both:
- Security improvement
- Time saved
A solution that reduces risk and removes repetitive work may provide greater value than its licence price initially suggests.
Include hardware replacement
Cyber security budgets often focus only on software.
However, unsupported or unreliable hardware can create security risks.
The organisation may need to replace:
- Old laptops
- Unsupported servers
- Firewalls
- Network switches
- Wireless access points
- Backup equipment
- Mobile devices
A device lifecycle plan can spread these costs across several years.
The plan should record:
- Device age
- Warranty
- Operating-system support
- Security capability
- Replacement date
- Estimated cost
This reduces the likelihood of discovering that a large number of computers must be replaced at the same time.
Budget for cyber insurance requirements
Cyber insurers may require evidence that certain controls are in place.
These may include:
- Multifactor authentication
- Endpoint protection
- Security updates
- Protected backups
- Administrator controls
- Employee training
- Incident-response procedures
Businesses should review insurance questions carefully and provide accurate answers.
A control should not be described as fully implemented when it covers only part of the organisation.
For example, stating that MFA is enabled may be misleading when it protects ordinary users but not important administrator accounts.
The cost of meeting insurance requirements should be considered before renewal rather than discovered during the application.
Regulated businesses may need a larger budget
Organisations operating within regulated sectors may require additional controls and evidence.
This can include:
- Stronger access management
- Detailed audit logs
- Data-loss prevention
- Security testing
- Business-continuity exercises
- Supplier reviews
- Documented risk assessments
- Longer log retention
- Specialist monitoring
- Compliance reporting
Regulated businesses may also need to demonstrate that controls are consistently maintained.
This can increase both technology and management costs.
The budget should reflect the organisation’s obligations rather than using a generic small-business security package without considering the sector.
Do not ignore third-party suppliers
Businesses may provide external suppliers with access to:
- Microsoft 365
- Servers
- Networks
- Applications
- Customer information
- Backup systems
The cyber security budget may need to include tools or services that control this access.
This could involve:
- Named supplier accounts
- Multifactor authentication
- Time-limited permissions
- Privileged-access management
- Session monitoring
- Access reviews
- Supplier security assessments
A supplier should not receive permanent administrator access simply because it occasionally needs to maintain one application.
How should an SME prioritise its cyber security spending?
A practical priority order may be:
Priority 1: Remove immediate risks
Examples include:
- Unsupported systems
- Missing MFA
- Shared administrator accounts
- Exposed Remote Desktop
- Failed backups
- Former employee access
- Unpatched firewalls
Priority 2: Protect identities and devices
Introduce or improve:
- Multifactor authentication
- Conditional Access
- Endpoint security
- Device management
- Encryption
- Password management
Priority 3: Protect email and information
Review:
- Phishing protection
- External sharing
- Email authentication
- Data access
- Retention
- Microsoft 365 backup
Priority 4: Improve monitoring and response
Define:
- Who monitors alerts
- Which events require escalation
- What actions can be taken
- Who will be contacted
- How incidents will be recorded
Priority 5: Improve resilience
Test:
- Backups
- Disaster recovery
- Internet failover
- Alternative working arrangements
- Incident-response plans
Priority 6: Maintain and improve
Complete:
- Regular security reviews
- Employee training
- Access reviews
- Vulnerability management
- Technology-roadmap updates
- Create a 12-to-24-month plan
Not every security improvement needs to be completed immediately.
A roadmap can spread costs and reduce disruption.
For example:
- First three months
- Enable MFA
- Remove unused accounts
- Review backups
- Identify unsupported systems
- Restrict administrator access
- Three to six months
- Introduce device management
- Deploy endpoint detection and response
- Improve email security
- Create an incident-response plan
- Begin employee training
- Six to twelve months
- Replace unsupported devices
- Complete Cyber Essentials
- Test disaster recovery
- Review supplier access
- Improve security monitoring
- Twelve to twenty-four months
- Introduce advanced access controls
- Improve data-loss prevention
- Complete a wider security assessment
- Review cyber insurance
- Run an incident-response exercise
The exact order should reflect the organisation’s greatest risks.
Track whether the budget is producing results
The business should measure whether its security investment is improving protection.
Useful measures may include:
- Percentage of accounts protected by MFA
- Percentage of devices encrypted
- Number of unsupported devices
- Number of devices missing updates
- Time taken to remove former employees
- Backup success and recovery-test results
- Security incidents detected
- Time taken to investigate alerts
- Phishing-reporting rates
- Number of privileged accounts
- Cyber Essentials status
Metrics should support better decisions rather than become a paperwork exercise.
For example, a report showing 99% update compliance should also identify the important server included in the missing 1%.
Review the budget after business changes
Cyber security requirements change when the organisation:
- Recruits employees
- Opens a new office
- Acquires another business
- Introduces remote working
- Moves systems to the cloud
- Changes software
- Begins handling new types of information
- Wins a regulated contract
- Changes IT providers
A security budget created several years ago may no longer reflect the current business.
It should be reviewed at least annually and after significant changes.
Common cyber security budgeting mistakes
Businesses should avoid:
- Buying products without an assessment
- Focusing only on antivirus
- Ignoring implementation costs
- Assuming licences configure themselves
- Paying for duplicate services
- Forgetting employee training
- Ignoring servers and mobile devices
- Failing to budget for hardware replacement
- Purchasing monitoring without a response service
- Treating backups as a one-off setup
- Spending everything after an incident
- Choosing the cheapest provider without reviewing coverage
A low-cost service may become expensive when important protections are excluded or incidents are not investigated.
Questions to ask before approving security spending
Before approving a product or service, ask:
- Which risk does it reduce?
- What would happen without it?
- Do we already own a similar capability?
- Is it included in an existing licence?
- Who will configure it?
- Who will monitor it?
- What happens when it generates an alert?
- How will employees be trained?
- Does it cover every relevant device?
- How will success be measured?
- What is the exit plan?
- Are there ongoing management costs?
Clear answers can help prevent rushed or unnecessary purchases.
Is cyber security an expense or an investment?
Cyber security does not normally produce revenue directly.
However, it protects the systems, information and services that allow the business to operate.
It may also help the organisation:
- Win customer contracts
- Complete supplier questionnaires
- Obtain cyber insurance
- Meet regulatory obligations
- Reduce downtime
- Protect its reputation
- Improve employee productivity
- Demonstrate Cyber Essentials certification
Security spending should therefore be treated as an investment in resilience and business continuity.
How can Hamilton Group help?
At Hamilton Group, we help businesses create practical cyber security budgets based on risk rather than fear.
We can assist with:
- Cyber security assessments
- Microsoft 365 security reviews
- Microsoft Defender
- Microsoft Intune
- Conditional Access
- Multifactor authentication
- Password management
- Email security
- Security-update management
- Backup and disaster recovery
- 24/7 cyber security monitoring
- Managed detection and response
- Cyber Essentials
- Incident-response planning
- Employee training
- Technology roadmaps
- Licence and cost reviews
We can review your current systems and help answer important questions such as:
- Which security risks should we address first?
- Are we paying for duplicate products?
- Are existing Microsoft licences being used properly?
- Are all devices protected and managed?
- Who monitors security alerts?
- Are backups protected and tested?
- Which hardware needs replacing?
- What security improvements should be budgeted over the next two years?
- Are we meeting customer, insurance or regulatory requirements?
A good cyber security budget should be realistic, prioritised and linked to the actual needs of the business.
The objective is not to spend the most money.
It is to make sure the right controls are implemented, maintained and monitored.
Contact Hamilton Group to arrange a cyber security review and create a practical security roadmap for your organisation.
Call us on 0330 043 0069 or book an appointment with one of our experts.