Most small businesses can relate to creating a financial budget each year. It is the process of organizing a roadmap that helps guide your business in deciding how to assign resources, evaluate performance, and plan over a specific period of time, based on an estimate of future revenue and expenses.

Today, when planning for the future of your small business, you must also consider a new kind of investment that will play a critical role in its success: cybersecurity.

While your annual budget acts as a roadmap for your company’s growth, cyber attacks can be considered potholes on the road, waiting to “pop a tire” and bring their victims’ business operations to a screeching halt. When a company has properly budgeted for the protection of its business, it is able to cruise forward without fear of disaster.

And yet, many small businesses still neglect the importance of investing in cybersecurity.

The Problem

The most common issue that small businesses run into with budgeting for cybersecurity is underestimating the severity of risk that cyber threats pose to their business. As a result of this, cybersecurity investments are typically given less consideration and receive limited space in the budget.

In fact, 60% of small businesses (businesses with 500 employees or fewer) do not believe they are a likely target for cyber crime. It gets worse: 43% of small businesses lack any kind of cybersecurity defense plan, which shows that far too many companies are not prepared for, or properly protected from, cyber threats.

Cybercrime has been steadily on the rise each year, and you might be surprised to learn that nearly half of all cyber attacks impact small businesses.

Unfortunately, even a single cyber incident can have a devastating impact, especially once you understand the costs. On average, small businesses are forced to pay between $120,000 and $1.24 million in the aftermath of a data breach, a cost that is rarely manageable.

These statistics, while obviously eye-opening, do not provide a complete picture of the expenses associated with a breach or how its impact can have lasting effects over time. After further investigation, you will find that the expenses of a breach include both direct and indirect costs.

Direct costs are costs that occur directly after a cyber attack and commonly include remediation, system repairs, loss of data, monetary theft, legal fees, fines for non-compliance, notification of impacted parties, and increased insurance premiums.

Indirect costs, on the other hand, occur more sporadically and at varying intensities. These intangible costs can include downtime, damaged reputation, weakened customer loyalty, loss of intellectual property, and, in severe cases, loss of the business itself.

By understanding the full scope of damages incurred during a cyber attack, your business will be able to develop a more comprehensive strategy and budget for cybersecurity.

Cybersecurity and ROI

While it’s evident that the risk of cyber crime is not reserved for large organizations, small businesses still question the importance of investing in cybersecurity protections. You see, most companies are forced to operate within a limited budget, making it tempting to invest only in resources that will provide a return on investment. As a business owner, you enjoy seeing tangible results, or in other words, knowing that your money is being put to beneficial use. Cybersecurity investments simply do not function this way.

Cybersecurity investments do not play by the same rules as more traditional spending such as advertising or human resources. Internationally renowned security technologist Bruce Schneier summarized this perfectly by saying, “ROI as used in a security context is inaccurate. Security is not an investment that provides a return, like a new factory or a financial instrument. It's an expense that, hopefully, pays for itself in cost savings. Security is about loss prevention, not about earnings. The term just doesn't make sense in this context.”

Schneier explains further that while you won’t see earnings from cybersecurity, a business should only implement security measures that affect its bottom line positively. This means that you spend only what a potential security problem is worth: nothing more and nothing less. Business owners are advised to approach budgeting for cybersecurity through a cost-versus-benefit analysis.


“CISOs should always align with the business when evaluating how to spend. Security spend should be calculated based on the risk associated with assuring continuity with important business processes.”

Larry Friedman, Carbonite CISO


Budgeting for Cybersecurity

So, how much should you spend towards cybersecurity?

There isn’t a “one size fits all” approach to developing a budget for cybersecurity, and budgets often vary greatly from business to business, even for companies within the same industry. The actual dollar amount that a business allocates toward cybersecurity is linked to its total IT budget. Commonly, this will consist of up to 20% of a company’s total IT spend, averaging about $1,300 to $3,000 per full-time employee, as reported by Deloitte and the Financial Services Information Sharing and Analysis Center. These statistics only apply assuming you have properly budgeted for your IT needs, which is another conversation for another day.

Further, some businesses use the annualized loss expectancy (ALE) method to help gauge how much they should budget for cybersecurity (a good example of this method can be found here). The ALE method gives companies an idea of how much should be spent by multiplying the total cost of a potential cyber incident by the probability of it occurring in a single year. To be clear, this method only provides an estimate and may not accurately account for catastrophic cyber incidents.
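The following worked example, added here and not code from the original post or from One Step Secure IT, carries the ALE method through a small risk register and then applies the cost-versus-benefit test from the previous section: a control is worth funding only if the yearly loss it avoids exceeds what it costs. It also flags the caveat just mentioned, a catastrophic incident whose single-occurrence cost ALE averages away. Every scenario, dollar figure, probability and control in it is a constructed, hypothetical value, not one of the post’s statistics.

```python
"""Annualized loss expectancy (ALE) and a cost-versus-benefit check.

Added example for this post; it is not code from the original article or
from One Step Secure IT. Every scenario, dollar figure, probability and
control below is constructed for illustration (hypothetical values).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One kind of incident the business could suffer."""
    name: str
    sle: float  # single loss expectancy: total cost of one incident, in dollars
    aro: float  # annual rate of occurrence: expected incidents per year (probability if rare)


@dataclass(frozen=True)
class Control:
    """A protection, with the fraction of SLE and ARO it removes (0..1)."""
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # e.g. training lowers how often phishing succeeds
    sle_reduction: float = 0.0  # e.g. backups lower what a ransomware hit costs


def ale(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss from this scenario in a single year."""
    return s.sle * s.aro


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control is in place."""
    reduced = replace(s, sle=s.sle * (1 - c.sle_reduction),
                      aro=s.aro * (1 - c.aro_reduction))
    return ale(reduced)


def net_benefit(s: Scenario, c: Control) -> float:
    """Cost versus benefit: expected loss avoided per year minus the control's cost.

    A positive value means the control pays for itself in cost savings, the only
    "return" a security spend offers; a negative value means you would be
    spending more than the problem is worth.
    """
    return ale(s) - residual_ale(s, c) - c.annual_cost


def exceeds_tolerance(s: Scenario, max_absorbable_loss: float) -> bool:
    """Flag catastrophic scenarios that ALE understates.

    ALE averages a rare but ruinous incident down to a modest yearly figure;
    if one occurrence alone exceeds what the business could survive, it needs
    attention regardless of its ALE.
    """
    return s.sle > max_absorbable_loss


# Constructed sample risk register (hypothetical figures, not the post's statistics).
SCENARIOS = {
    "ransomware": Scenario("ransomware outage and recovery", sle=250_000, aro=0.2),
    "phishing": Scenario("phishing-led wire fraud", sle=40_000, aro=0.5),
    "lost_laptop": Scenario("lost laptop with customer data", sle=60_000, aro=0.1),
}

CANDIDATE_CONTROLS = {
    "ransomware": Control("ransomware-resilient backups", annual_cost=6_000, sle_reduction=0.6),
    "phishing": Control("employee security training", annual_cost=3_000, aro_reduction=0.5),
    "lost_laptop": Control("full-disk encryption on laptops", annual_cost=1_500, sle_reduction=0.9),
}


def total_ale(scenarios=SCENARIOS) -> float:
    """Sum of ALE across the register: a starting benchmark for the budget."""
    return sum(ale(s) for s in scenarios.values())


def budget_recommendations(scenarios=SCENARIOS, controls=CANDIDATE_CONTROLS) -> list:
    """Pair each scenario with its candidate control, most cost-effective first.

    Returns (scenario key, control name, net benefit) tuples for controls that
    at least pay for themselves; controls that cost more than they save are dropped.
    """
    rows = []
    for key, s in scenarios.items():
        c = controls[key]
        benefit = net_benefit(s, c)
        if benefit >= 0:
            rows.append((key, c.name, round(benefit, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    print(f"Total ALE across register: ${total_ale():,.0f}")
    for key, name, benefit in budget_recommendations():
        print(f"{key:12s} {name:34s} net benefit ${benefit:>10,.2f}")
    for key, s in SCENARIOS.items():
        if exceeds_tolerance(s, max_absorbable_loss=100_000):
            print(f"{key}: a single incident (${s.sle:,.0f}) exceeds what the "
                  "business can absorb; ALE alone understates this risk")
```

With the constructed figures, the register’s total ALE comes to $76,000, backups for the ransomware scenario show the largest net benefit, and the ransomware scenario is still flagged because one incident costs more than the assumed $100,000 the business could absorb, even though its ALE is only $50,000. The reduction fractions and the absorbable-loss threshold are the inputs a real budget discussion has to argue over; the arithmetic is the easy part.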

As you begin planning for your own cybersecurity budget, use the numbers above as a benchmark for what the average business spends on cybersecurity.


A few things to consider when budgeting for Cybersecurity...

Identify the strengths and weaknesses of your current cybersecurity strategy.

What has worked well in your cybersecurity strategy previously? Are there any obvious vulnerabilities in your network’s infrastructure? Is your business growing and in need of extra support? By analyzing your technological environment, you will make more effective decisions about which areas need additional attention.

Determine if your business is following both industry and state compliance regulations.

Following state and industry compliance regulations is critical to the survival of your business in the event of a breach. Be sure to confirm that your business is compliant, especially with the requirements of any cyber liability insurance policies.

Invest in tools that are required for your protection.

The tools your team needs will vary depending on the size of your IT team and which projects are priorities for the year. However, to name a few, all businesses should have a ransomware-resilient backup, an antivirus solution, 24/7 system monitoring, and password best practices in place.

Ensure your most sensitive and costly data is secured.

Just as you would lock up your valuables in a safe before leaving your hotel room, be sure your business’s most important data is properly secured first.

Include training and education for all employees.

Your greatest defense against cybercriminals is your employees. Regular training on best practices and the latest cybercriminal tactics will keep them sharp when identifying and avoiding cyber risks.


There are a variety of factors to consider when budgeting for cybersecurity, making this a challenging endeavor for any business. The process is still relatively new to many companies and the need is ever increasing, especially with the popularity of remote work gaining traction and introducing new vulnerabilities.

This is why I like to recommend partnering with a cybersecurity firm to help evaluate your company’s cybersecurity posture and develop a cybersecurity budget that fits your company’s needs. An IT firm like One Step Secure IT will provide you with an extensive review of your technological environment, analyzing your risk score and making recommendations to strengthen your infrastructure. Working alongside experienced cybersecurity professionals, using a customized roadmap as your guide, your company will implement proven best practices and security measures to help drastically reduce your risk of a breach.

Regardless of how you choose to approach cybersecurity investments, understanding that it is essential to your company’s success in today’s business world—and therefore budget—is the first stop on the road to securing your business from cyber attacks. Cybersecurity carries a small price compared to the peace of mind it provides for your business. With the appropriate resources, tools, and training in place, your business will be better prepared to defend against harmful cyber threats.

Free Download: The Cybersecurity Crisis Report

Do not underestimate the severity and likelihood of cyber attacks on small businesses.

Download our FREE Cybersecurity Crisis Report to find out about the urgent and critical protections every business must have in place NOW to protect their financial accounts, customer data, private information, and reputation from the tsunami of cyber crime targeting small businesses.
