Skip to main content

How Much Should Your Business Budget for Cyber Security?

Media IT strategy meeting

Cyber Security Should Be Planned, Not Purchased After an Incident

Cyber security is now an essential business expense.

Most organisations depend on email, Microsoft 365, cloud applications, computers, mobile devices, internet connections and online banking every day.

A successful cyber attack could prevent employees from working, expose confidential information, interrupt customer services and create significant recovery costs.

Despite this, many businesses do not have a defined cyber security budget.

Security products may be purchased individually whenever a new concern appears. One employee may buy antivirus software, another may arrange a backup service and a third may introduce a password manager.

The result can be an expensive collection of products that do not work together and may not address the organisation’s greatest risks.

A cyber security budget should be based on:

  • The information the business holds
  • The systems it depends on
  • The likelihood of an attack
  • The potential impact of disruption
  • Customer and regulatory requirements
  • Existing security weaknesses
  • The organisation’s ability to respond and recover

The objective is not to purchase every available security product.

It is to invest in the controls that reduce the greatest business risks.

Why does every business need a cyber security budget?

Cyber security is sometimes treated as an unexpected IT cost.

A business may invest only after:

  • A phishing incident
  • A ransomware attack
  • A customer security questionnaire
  • A failed insurance application
  • A data breach
  • A regulatory concern
  • A major software vulnerability

This reactive approach often costs more.

Emergency work may need to be completed quickly, affected systems may be unavailable and the organisation may have limited time to compare solutions.

A planned budget allows the business to improve its security gradually and prioritise the areas with the greatest risk.

It can also prevent important controls from being postponed because they were not included in the annual financial plan.

Cyber security is a business risk

A cyber security budget should not be viewed only as an IT department expense.

A serious incident may affect:

  • Sales
  • Finance
  • Customer service
  • Operations
  • Legal responsibilities
  • Insurance
  • Reputation
  • Business continuity
  • Senior management

For example, a compromised Microsoft 365 account could allow a criminal to monitor invoices and send fraudulent payment instructions.

A ransomware attack could prevent access to shared files, business applications and customer records.

A stolen laptop could expose confidential information if the device is not encrypted.

These are business risks supported by technology, rather than purely technical problems.

Senior management should therefore be involved in deciding:

  • Which risks are acceptable
  • Which systems are most important
  • How much downtime the organisation can tolerate
  • Which improvements should be prioritised
  • Who is responsible for maintaining the controls
  • How much should a business spend on cyber security?

There is no single amount that is suitable for every organisation.

Two businesses with the same number of employees may have very different security requirements.

A small professional-services firm holding confidential client information may require stronger controls than a similarly sized business processing little sensitive data.

The appropriate budget may be influenced by:

  • Number of employees
  • Number of computers and mobile devices
  • Remote working
  • Number of business locations
  • Use of cloud services
  • Type of information held
  • Regulatory requirements
  • Customer contracts
  • Dependence on technology
  • Existing security maturity
  • Internal IT capability

A business should avoid selecting its budget only by copying a percentage used by another organisation.

A better approach is to identify the risks, determine the required controls and calculate the cost of implementing and maintaining them.

Start with a cyber security assessment

Before deciding what to spend, understand the current position.

A cyber security assessment may review:

The review should identify:

  • Existing controls
  • Missing controls
  • Unsupported systems
  • Immediate risks
  • Areas requiring further investigation
  • Longer-term improvements

Without this assessment, the business may spend money on a highly visible security product while leaving a more serious weakness unresolved.

For example, an organisation may purchase an advanced firewall while several Microsoft 365 administrator accounts still have no multifactor authentication.

The firewall may be useful, but the identity risk should probably have been addressed first.

Focus on risk, not fear

Cyber security marketing can create pressure to purchase products immediately.

Businesses may be warned about ransomware, artificial intelligence, data theft and advanced criminal groups.

These threats are real, but fear should not determine the budget.

Each proposed investment should answer clear questions:

  • Which risk does this control address?
  • How likely is that risk?
  • What would the impact be?
  • Do we already have a control?
  • Who will manage the product?
  • How will we know it is working?
  • What happens when it creates an alert?
  • Is there a simpler way to reduce the risk?

The most expensive product is not automatically the most effective.

Strong cyber security normally comes from several well-managed controls rather than one large purchase.

The main areas of a cyber security budget

A complete cyber security budget may need to cover several different areas.

Identity and access protection

This may include:

  • Multifactor authentication
  • Conditional Access
  • Single sign-on
  • Password management
  • Privileged-access controls
  • Administrator-account reviews
  • User onboarding and offboarding

Identity protection is particularly important because many attacks begin with a stolen password rather than a direct attack against the office network.

Device protection

This may include:

  • Managed antivirus
  • Endpoint detection and response
  • Disk encryption
  • Device management
  • Security policies
  • Remote wipe
  • Mobile-device protection

The business should know which computers and mobile devices can access company information and whether those devices remain secure.

Email security

This may include:

  • Anti-phishing protection
  • Malicious attachment scanning
  • Unsafe link protection
  • Domain protection
  • Email authentication
  • Security awareness training

Email remains one of the most common ways attackers target employees.

Security-update management

The budget may need to include:

  • Operating-system updates
  • Third-party application updates
  • Server updates
  • Firewall firmware
  • Replacement of unsupported devices
  • Vulnerability assessment

Security updates require more than enabling an automatic setting.

Somebody should identify failed updates, unsupported software and devices that have stopped reporting.

Backup and disaster recovery

This may include:

  • Server backups
  • Microsoft 365 backups
  • Cloud application backups
  • Off-site storage
  • Immutable recovery points
  • Disaster recovery systems
  • Recovery testing

Backups should be protected from the same accounts and systems they are intended to recover.

Security monitoring

This may include:

  • Endpoint monitoring
  • Microsoft 365 sign-in monitoring
  • Security alert investigation
  • Firewall monitoring
  • Managed detection and response
  • Out-of-hours security coverage

Installing a security product does not provide full protection when nobody reviews its warnings.

Employee training

This may include:

  • Phishing simulations
  • Security-awareness training
  • Password guidance
  • Data-handling training
  • Incident-reporting procedures
  • Role-specific training

Employees should know how to recognise and report suspicious activity without fearing that they will be blamed for making a mistake.

Policies and compliance

This may include:

  • Cyber security policies
  • Acceptable-use policies
  • Incident-response plans
  • Business-continuity plans
  • Cyber Essentials
  • Supplier assessments
  • Data-protection support
  • Audit preparation

Policies should reflect what the business genuinely does.

A policy stating that every device is encrypted provides limited value when nobody has confirmed that encryption is enabled.

Incident response

The business may need to budget for:

  • Specialist cyber incident support
  • Forensic investigation
  • Legal advice
  • Emergency recovery
  • Public-relations support
  • Cyber insurance excesses
  • Temporary replacement equipment

Not every cost needs to be paid in advance.

However, the business should know who it would contact and how emergency assistance would be funded.

Budget for ongoing management

A common mistake is budgeting only for the initial purchase.

Cyber security requires ongoing work.

For example, purchasing a password manager may also require:

  • Initial configuration
  • Employee training
  • Importing credentials
  • Replacing weak passwords
  • Creating shared folders
  • Reviewing access
  • Removing former employees
  • Monitoring adoption

An endpoint-security platform may require:

  • Device onboarding
  • Policy configuration
  • Alert monitoring
  • Software exclusions
  • Investigation
  • Incident response
  • Regular reporting

The budget should therefore include:

  • Licences
  • Implementation
  • Management
  • Monitoring
  • Training
  • Review
  • Replacement

A product that is never configured or reviewed may provide far less protection than the business expects.

Avoid buying duplicate security products

Businesses frequently pay for overlapping products.

For example, they may have:

  • Antivirus included with Microsoft licensing
  • A separate antivirus product
  • Another endpoint monitoring platform
  • Email security from several suppliers
  • Multiple file-sharing applications
  • Several backup services
  • More than one password manager

Some overlap may be intentional and useful.

However, unnecessary duplication can increase cost and create confusion about which system is responsible for each task.

A licence review should identify:

  • Products already included
  • Features that are enabled
  • Features that remain unused
  • Applications that perform similar functions
  • Products that can be consolidated
  • Services that are no longer required

The objective should not be to cancel everything that appears similar.

It should be to understand why each product exists and whether it provides sufficient value.

Make better use of existing Microsoft licences

Many businesses already pay for Microsoft 365 but use only email, Word and Excel.

Depending on the subscription held, the organisation may also have access to security and management capabilities covering areas such as:

  • Device management
  • Identity protection
  • Endpoint security
  • Email protection
  • Data controls
  • Conditional Access

Before purchasing another platform, the business should review what is already included in its Microsoft licensing.

However, included does not mean automatically configured.

Security features may still need to be:

  • Enabled
  • Tested
  • Deployed
  • Monitored
  • Supported

The cost of professional configuration and management should be included in the budget.

Prioritise the security basics

Businesses do not always need to begin with the most advanced security technology.

A strong foundation should normally include:

  • Multifactor authentication
  • Supported operating systems
  • Prompt security updates
  • Managed antivirus or endpoint protection
  • Restricted administrator access
  • Secure backups
  • Device encryption
  • Email protection
  • Employee training
  • An incident-response plan

These controls can prevent or reduce the impact of many common attacks.

Advanced monitoring, data-loss prevention and privileged-access tools may then be added according to risk and business requirements.

There is limited value in purchasing an expensive artificial-intelligence security platform when:

  • Former employees still have active accounts
  • Backups have never been restored
  • Administrator passwords are shared
  • Computers are unsupported
  • Employees do not use MFA

Cyber security maturity should be built in a sensible order.

Use Cyber Essentials as a budget framework

Cyber Essentials can provide businesses with a practical baseline.

The scheme focuses on five areas:

  • Firewalls
  • Secure configuration
  • Security update management
  • User access control
  • Malware protection

Preparing for certification can help identify budget requirements such as:

  • Replacing unsupported computers
    Updating network equipment
    Removing administrator permissions
    Introducing device management
    Improving malware protection

Cyber Essentials does not cover every aspect of business security.

It does not replace backups, employee training, monitoring or incident response.

However, it can provide a structured starting point and help the organisation demonstrate that important basic controls are in place.

Consider the cost of doing nothing

Cyber security discussions often focus only on the cost of prevention.

The business should also consider the potential cost of an incident.

This may include:

  • Employee downtime
  • Lost sales
  • Emergency IT support
  • Data recovery
  • Legal advice
  • Customer notification
  • Regulatory investigation
  • Replacing equipment
  • Increased insurance costs
  • Reputation damage
  • Lost contracts

A security investment should not need to prevent an enormous theoretical loss to be worthwhile.

Even repeated smaller incidents can create significant costs.

For example, compromised employee accounts may cause:

  • Fraudulent invoice requests
  • Password resets
  • Account investigations
  • Customer warnings
  • Several hours of lost work

Reducing the frequency and impact of these incidents can provide measurable value.

Calculate the value of employee time

Security tools can sometimes improve productivity as well as reduce risk.

A password manager may reduce time spent:

  • Searching for credentials
  • Resetting passwords
  • Sharing access
  • Recovering accounts

Central device management can reduce time spent manually configuring computers.

Automated update management can reduce emergency support caused by outdated software.

The business should consider both:

  • Security improvement
  • Time saved

A solution that reduces risk and removes repetitive work may provide greater value than its licence price initially suggests.

Include hardware replacement

Cyber security budgets often focus only on software.

However, unsupported or unreliable hardware can create security risks.

The organisation may need to replace:

  • Old laptops
  • Unsupported servers
  • Firewalls
  • Network switches
  • Wireless access points
  • Backup equipment
  • Mobile devices

A device lifecycle plan can spread these costs across several years.

The plan should record:

  • Device age
  • Warranty
  • Operating-system support
  • Security capability
  • Replacement date
  • Estimated cost

This reduces the likelihood of discovering that a large number of computers must be replaced at the same time.

Budget for cyber insurance requirements

Cyber insurers may require evidence that certain controls are in place.

These may include:

  • Multifactor authentication
  • Endpoint protection
  • Security updates
  • Protected backups
  • Administrator controls
  • Employee training
  • Incident-response procedures

Businesses should review insurance questions carefully and provide accurate answers.

A control should not be described as fully implemented when it covers only part of the organisation.

For example, stating that MFA is enabled may be misleading when it protects ordinary users but not important administrator accounts.

The cost of meeting insurance requirements should be considered before renewal rather than discovered during the application.

Regulated businesses may need a larger budget

Organisations operating within regulated sectors may require additional controls and evidence.

This can include:

  • Stronger access management
  • Detailed audit logs
  • Data-loss prevention
  • Security testing
  • Business-continuity exercises
  • Supplier reviews
  • Documented risk assessments
  • Longer log retention
  • Specialist monitoring
  • Compliance reporting

Regulated businesses may also need to demonstrate that controls are consistently maintained.

This can increase both technology and management costs.

The budget should reflect the organisation’s obligations rather than using a generic small-business security package without considering the sector.

Do not ignore third-party suppliers

Businesses may provide external suppliers with access to:

  • Microsoft 365
  • Servers
  • Networks
  • Applications
  • Customer information
  • Backup systems

The cyber security budget may need to include tools or services that control this access.

This could involve:

  • Named supplier accounts
  • Multifactor authentication
  • Time-limited permissions
  • Privileged-access management
  • Session monitoring
  • Access reviews
  • Supplier security assessments

A supplier should not receive permanent administrator access simply because it occasionally needs to maintain one application.

How should an SME prioritise its cyber security spending?

A practical priority order may be:

Priority 1: Remove immediate risks

Examples include:

  • Unsupported systems
  • Missing MFA
  • Shared administrator accounts
  • Exposed Remote Desktop
  • Failed backups
  • Former employee access
  • Unpatched firewalls


Priority 2: Protect identities and devices

Introduce or improve:

  • Multifactor authentication
  • Conditional Access
  • Endpoint security
  • Device management
  • Encryption
  • Password management


Priority 3: Protect email and information

Review:

  • Phishing protection
  • External sharing
  • Email authentication
  • Data access
  • Retention
  • Microsoft 365 backup


Priority 4: Improve monitoring and response

Define:

  • Who monitors alerts
  • Which events require escalation
  • What actions can be taken
  • Who will be contacted
  • How incidents will be recorded


Priority 5: Improve resilience

Test:

  • Backups
  • Disaster recovery
  • Internet failover
  • Alternative working arrangements
  • Incident-response plans


Priority 6: Maintain and improve

Complete:

  • Regular security reviews
  • Employee training
  • Access reviews
  • Vulnerability management
  • Technology-roadmap updates
  • Create a 12-to-24-month plan

Not every security improvement needs to be completed immediately.

A roadmap can spread costs and reduce disruption.

For example:

  • First three months
  • Enable MFA
  • Remove unused accounts
  • Review backups
  • Identify unsupported systems
  • Restrict administrator access
  • Three to six months
  • Introduce device management
  • Deploy endpoint detection and response
  • Improve email security
  • Create an incident-response plan
  • Begin employee training
  • Six to twelve months
  • Replace unsupported devices
  • Complete Cyber Essentials
  • Test disaster recovery
  • Review supplier access
  • Improve security monitoring
  • Twelve to twenty-four months
  • Introduce advanced access controls
  • Improve data-loss prevention
  • Complete a wider security assessment
  • Review cyber insurance
  • Run an incident-response exercise

The exact order should reflect the organisation’s greatest risks.

Track whether the budget is producing results

The business should measure whether its security investment is improving protection.

Useful measures may include:

  • Percentage of accounts protected by MFA
  • Percentage of devices encrypted
  • Number of unsupported devices
  • Number of devices missing updates
  • Time taken to remove former employees
  • Backup success and recovery-test results
  • Security incidents detected
  • Time taken to investigate alerts
  • Phishing-reporting rates
  • Number of privileged accounts
  • Cyber Essentials status

Metrics should support better decisions rather than become a paperwork exercise.

For example, a report showing 99% update compliance should also identify the important server included in the missing 1%.

Review the budget after business changes

Cyber security requirements change when the organisation:

  • Recruits employees
  • Opens a new office
  • Acquires another business
  • Introduces remote working
  • Moves systems to the cloud
  • Changes software
  • Begins handling new types of information
  • Wins a regulated contract
  • Changes IT providers

A security budget created several years ago may no longer reflect the current business.

It should be reviewed at least annually and after significant changes.

Common cyber security budgeting mistakes

Businesses should avoid:

  • Buying products without an assessment
  • Focusing only on antivirus
  • Ignoring implementation costs
  • Assuming licences configure themselves
  • Paying for duplicate services
  • Forgetting employee training
  • Ignoring servers and mobile devices
  • Failing to budget for hardware replacement
  • Purchasing monitoring without a response service
  • Treating backups as a one-off setup
  • Spending everything after an incident
  • Choosing the cheapest provider without reviewing coverage

A low-cost service may become expensive when important protections are excluded or incidents are not investigated.

Questions to ask before approving security spending

Before approving a product or service, ask:

  • Which risk does it reduce?
  • What would happen without it?
  • Do we already own a similar capability?
  • Is it included in an existing licence?
  • Who will configure it?
  • Who will monitor it?
  • What happens when it generates an alert?
  • How will employees be trained?
  • Does it cover every relevant device?
  • How will success be measured?
  • What is the exit plan?
  • Are there ongoing management costs?

Clear answers can help prevent rushed or unnecessary purchases.

Is cyber security an expense or an investment?

Cyber security does not normally produce revenue directly.

However, it protects the systems, information and services that allow the business to operate.

It may also help the organisation:

  • Win customer contracts
  • Complete supplier questionnaires
  • Obtain cyber insurance
  • Meet regulatory obligations
  • Reduce downtime
  • Protect its reputation
  • Improve employee productivity
  • Demonstrate Cyber Essentials certification

Security spending should therefore be treated as an investment in resilience and business continuity.

How can Hamilton Group help?

At Hamilton Group, we help businesses create practical cyber security budgets based on risk rather than fear.

We can assist with:

  • Cyber security assessments
  • Microsoft 365 security reviews
  • Microsoft Defender
  • Microsoft Intune
  • Conditional Access
  • Multifactor authentication
  • Password management
  • Email security
  • Security-update management
  • Backup and disaster recovery
  • 24/7 cyber security monitoring
  • Managed detection and response
  • Cyber Essentials
  • Incident-response planning
  • Employee training
  • Technology roadmaps
  • Licence and cost reviews

We can review your current systems and help answer important questions such as:

  • Which security risks should we address first?
  • Are we paying for duplicate products?
  • Are existing Microsoft licences being used properly?
  • Are all devices protected and managed?
  • Who monitors security alerts?
  • Are backups protected and tested?
  • Which hardware needs replacing?
  • What security improvements should be budgeted over the next two years?
  • Are we meeting customer, insurance or regulatory requirements?

A good cyber security budget should be realistic, prioritised and linked to the actual needs of the business.

The objective is not to spend the most money.

It is to make sure the right controls are implemented, maintained and monitored.

Contact Hamilton Group to arrange a cyber security review and create a practical security roadmap for your organisation.

Call us on 0330 043 0069 or book an appointment with one of our experts.