
What's the Cheapest Way to Protect a Small Business from Ransomware?

A budget-by-budget guide. From $0 baseline DIY to $2,000/month full managed defence — what each tier actually covers, ranked by ROI on the dollar spent.

Kapacyber

Security Research Team

Ransomware protection follows a steep diminishing-returns curve. The first tier, at $0 (free controls), buys you roughly 60% of practical protection. The next $300/month buys you another 15 percentage points. The next $500/month buys another 15. After about $1,500/month, you're paying for specialisation, scale, or industry-specific compliance — not raw risk reduction.

Here's what each budget tier actually covers, what gaps remain, and how to think about where to land.

The Four Realistic Tiers

DIY Baseline

$0 (Free Tier)

Coverage: ~60% of attack paths

Controls

  • MFA on every account (M365 / Workspace native)
  • Microsoft Defender or Google Safe Browsing on endpoints
  • Native M365 / Workspace backup retention (30–90 days)
  • Free phishing training resources (CISA, Google Phishing Quiz)
  • Documented incident response plan (write your own)
  • Patch management (turn on auto-update everywhere)

Gap

No 24/7 monitoring, no behavioural threat detection, short backup retention, no human response when something fires.

Software + Self-Managed

$100–$300 / month

Coverage: ~75% of attack paths

Controls

  • All of the free tier, plus:
  • Password manager for the team ($3–5/user/month)
  • M365 Business Premium (Defender Plan 1 + Intune)
  • Third-party M365 backup (Veeam SaaS or similar, $3–6/user/month)
  • Phishing training platform ($2–5/user/month)
  • Cloud-based vulnerability scanning ($30–100/month)

Gap

Tools exist, but no one operates them. Alerts go to your inbox; if you don't watch them, no one will.

Managed Essential

$400–$800 / month

Coverage: ~90% of attack paths

Controls

  • All of the tools tier, plus:
  • Managed EDR with 24/7 SOC monitoring
  • Email security with active alert response
  • Phishing simulations + training run for you
  • Monthly executive report
  • Light incident response support

Gap

Light coverage on response time, no dedicated vCISO, often business-hours only for non-critical events.

Full Managed Defence

$1,000–$2,000 / month

Coverage: ~98% of attack paths

Controls

  • Everything above, plus:
  • True 24/7 incident response retainer with named team
  • Quarterly tabletop exercises
  • Vulnerability management with active remediation
  • Compliance program support (HIPAA, NAIC, FTC, PCI, etc.)
  • Fractional vCISO time
  • Insurance renewal pack and broker liaison

Gap

Diminishing returns. Above this tier you're paying for industry specialisation or enterprise scale.

The ROI-Ranked Control List

If you can only do a few things, do them in this order:

  1. MFA everywhere. Free, takes a few hours, blocks 99% of automated attacks. No other control matches it.
  2. Tested offsite backups. Ransomware is recoverable from clean backups — but only if they exist, are offsite, immutable, and tested.
  3. Modern EDR on every device. Behavioural detection catches encryption activity in seconds; antivirus alone misses it.
  4. Phishing training. Quarterly cadence cuts click rates from 30%+ to under 5% within a year.
  5. Documented IR plan. Free to write, invaluable when needed. Names, phone numbers, insurance carrier, runbook.
  6. 24/7 monitoring with response. The biggest cost step, but it's the difference between "contained in 5 minutes" and "encrypted by morning".
  7. Compliance documentation. Last because it doesn't directly stop attacks — but it's required by insurers and regulators.

The Honest Math

The average SMB ransomware incident costs roughly $200,000 in direct costs (recovery, IR, downtime) plus additional indirect costs. The cheapest credible managed defence runs around $5,000–$8,000 per year for a 5–10 person business.

Even pricing in only the base direct cost of one incident and a 10% annual probability of being hit unmanaged, expected loss is $20,000/year. Managed defence at $6,000/year cuts that probability to 3–5%, yielding expected loss of $6,000–$10,000/year. The $6,000 spend prevents roughly $10,000–$14,000 in expected loss annually — before variance protection.
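The expected-value argument above, carried through as an added example (illustrative code written for this page, not Kapacyber's tooling). It uses the article's own figures and adds one number the text does not state: the break-even residual probability at which the managed spend exactly pays for itself.

```python
"""Expected-loss arithmetic behind 'The Honest Math'.

Figures are the article's: $200k direct cost per incident, 10% annual hit
probability unmanaged, 3-5% managed, $6k/year for managed defence.
"""

INCIDENT_COST = 200_000       # direct cost of one SMB ransomware incident
P_UNMANAGED = 0.10            # annual probability of being hit, unmanaged
P_MANAGED = (0.03, 0.05)      # managed range quoted in the article
MANAGED_SPEND = 6_000         # cheapest credible managed defence, per year


def expected_loss(incident_cost: float, p_hit: float) -> float:
    """Annual expected loss = probability of an incident x its cost."""
    return incident_cost * p_hit


def loss_avoided(incident_cost: float, p_before: float, p_after: float) -> float:
    """Gross expected loss removed by lowering hit probability p_before -> p_after."""
    return expected_loss(incident_cost, p_before) - expected_loss(incident_cost, p_after)


def net_benefit(incident_cost: float, p_before: float, p_after: float,
                annual_spend: float) -> float:
    """Loss avoided minus what the control costs; positive means +EV."""
    return loss_avoided(incident_cost, p_before, p_after) - annual_spend


def breakeven_probability(incident_cost: float, p_before: float,
                          annual_spend: float) -> float:
    """Highest residual hit probability at which the spend still pays for itself.

    Solves incident_cost * (p_before - p_after) == annual_spend for p_after.
    Any control that gets the probability below this is a positive-EV buy.
    """
    return p_before - annual_spend / incident_cost


if __name__ == "__main__":
    print(f"Unmanaged expected loss: ${expected_loss(INCIDENT_COST, P_UNMANAGED):,.0f}/yr")
    for p in P_MANAGED:
        print(f"Managed at {p:.0%}: loss ${expected_loss(INCIDENT_COST, p):,.0f}/yr, "
              f"avoids ${loss_avoided(INCIDENT_COST, P_UNMANAGED, p):,.0f}, "
              f"net of spend ${net_benefit(INCIDENT_COST, P_UNMANAGED, p, MANAGED_SPEND):,.0f}")
    print(f"Break-even residual probability: "
          f"{breakeven_probability(INCIDENT_COST, P_UNMANAGED, MANAGED_SPEND):.1%}")
```

Swap in your own incident-cost estimate and the quote you were actually given to see how much probability reduction a vendor has to deliver before the contract is worth signing.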

You don't need to be a CFO to read that. It's a positive expected-value investment for almost any business that meaningfully relies on its systems to operate.

The Bottom Line

The genuine cheapest ransomware defence is the free tier executed well — MFA, patches, native AV, native backups, free training, a written IR plan. It costs nothing in dollars and a weekend in labour, and it eliminates roughly 60% of the practical attack surface.

The cheapest credible managed defence — with someone watching alerts when you're asleep — starts around $400–$600 per month for a small business. That's usually the right stopping point for SMBs without specific compliance needs.

Related reading: why SMBs are the #1 ransomware target, the 3-2-1 backup rule, and how much should an SMB spend on cybersecurity.

Frequently Asked Questions

Can I protect against ransomware for free?

Mostly. The highest-ROI ransomware controls — MFA on every account, fully patched systems, Microsoft Defender, M365 backup retention, employee phishing training, and an incident response plan — can be set up with zero hard-dollar spend. The cost is labour to configure and run them properly. For a small business under 10 staff, this gets you maybe 60% of full protection.

What's the single most cost-effective control?

MFA. It's free, takes a few hours to roll out, and blocks 99% of automated credential-based attacks — which is how most ransomware gets in. No other control matches that ROI.

Does cyber insurance protect against ransomware?

It reimburses some losses (recovery cost, IR fees, business interruption) — but only if you have documented controls. Insurance is a financial backstop, not a defence. Modern policies also explicitly exclude ransom payment in many cases or cap it heavily.

Should I pay the ransom if hit?

Ideally never. Payment funds the criminal ecosystem and only ~60% of payments result in working decryption. The right preparation — offsite immutable backups, tested recovery, IR retainer — makes payment unnecessary. Make that preparation cheaper than the ransom you'd otherwise pay.

What does the cheapest credible managed defence cost?

For a 5–10 person business, real managed ransomware defence (EDR + monitoring + backups + IR retainer) typically starts around $400–$600 per month. Anything dramatically cheaper than that is software-only with no human response — which is what ransomware operators count on.

Get a Ransomware Readiness Check — Free

30-minute free assessment. We'll map your current controls against the 7-step ROI list and tell you exactly where the gaps sit.
