
How Much Should a Small Business Spend on Cybersecurity?

A practical budget framework by revenue, headcount, and industry — with real dollar figures, where to allocate spend, and the waste to cut first to fund a credible program.

Kapacyber

Security Research Team

Most small businesses underspend on cybersecurity by a wide margin — and then overspend in a panic after something goes wrong. Neither is strategy. This guide gives you a budget framework that's defensible to leadership, anchored in industry benchmarks, and broken down by company size so you can place yourself on the curve.

The Headline Benchmark

For general SMBs, cybersecurity spend tracks at 1–3% of revenue. For regulated industries (healthcare, financial services, defence supply chain, insurance, automotive financing), expect 4–8% of revenue. A few useful reference points:

  • Gartner reports global cybersecurity spend approaching 12% of total IT spend, up from 5% a decade ago.
  • IBM's Cost of a Data Breach report puts the average SMB breach at roughly $3.3M when you include downtime and indirect costs; the FBI's IC3 puts the median direct loss at closer to $200k.
  • Cyber insurance carriers increasingly require documented controls — without them, premiums rise 30–80% or coverage is refused outright.

Budget by Revenue

The cleanest mental model is "percentage of revenue". Here are realistic ranges:

Annual Revenue | General SMB        | Regulated Industry
Under $1M      | $3k–$10k / year    | $10k–$25k / year
$1M–$3M        | $10k–$30k / year   | $25k–$75k / year
$3M–$10M       | $30k–$80k / year   | $75k–$200k / year
$10M–$25M      | $80k–$200k / year  | $200k–$500k / year
$25M+          | $200k+ / year      | Custom — engage a vCISO

Budget by Headcount

Headcount is the second useful lens — particularly because most managed-security pricing is per-user or per-endpoint:

Headcount   | Monthly Budget        | Typical Scope
1–5 staff   | $300–$600 / month     | DIY basics + light managed services
5–15 staff  | $500–$1,200 / month   | Essential managed security tier
15–30 staff | $1,000–$2,000 / month | Full managed + training + IR
30–75 staff | $2,000–$4,000 / month | Complete MSSP + vCISO + compliance
75+ staff   | $4,000+ / month       | Hybrid — MSSP plus in-house security lead

How to Allocate the Budget

Once you have a total number, the next question is where it goes. The allocation shifts with risk profile, but for a typical SMB:

  • Endpoint protection (EDR): 15–20%
  • Email & identity security: 15–20%
  • Backup & recovery: 10–15%
  • Monitoring & response (SOC): 20–25%
  • Awareness training & phishing simulations: 5–10%
  • Vulnerability management & health checks: 5–10%
  • Compliance & vCISO / strategy: 10–15%
  • Incident response retainer: 5–10%

Worth noting: if you outsource to an MSSP, this allocation gets bundled into one line item. The MSSP handles the internal distribution between EDR, SIEM, SOC labour, etc. That's usually cheaper than buying and operating each piece separately at SMB scale. See our MSSP pricing guide for a deeper breakdown of those bundled tiers.

Where Most SMBs Waste Money

Before adding budget, look at what you're already spending. Most SMBs find 10–25% slack hiding in their current IT line. Common culprits:

  • Paying for both Microsoft Defender and a third-party antivirus on the same endpoints
  • Three different backup tools across M365, file servers, and laptops — when one would cover all
  • Annual security audit fees that don't translate into ongoing operations
  • Cyber insurance with a low limit and no documented controls (the policy won't pay out)
  • Compliance consultant fees that produce a binder but no operational change
  • Per-incident IR billing with no retainer — surprise $20k bills on the worst day

Cutting these often funds a meaningful security program without adding to the total IT bill.

What "Minimum Viable Security" Looks Like

If you genuinely have $0 budget for security right now, here's the floor of what every business should have in place anyway, much of it free or near-free:

  • MFA on every account — free with M365, Google Workspace, most SaaS
  • Password manager for the team — $3–$5 per user per month
  • Microsoft Defender or equivalent endpoint protection — included with M365 Business Premium
  • Automated backup of M365 / Workspace data — $3–$6 per user per month
  • Quarterly phishing-simulation campaign — many platforms have free tiers
  • A written incident response plan — free (use our first 24 hours guide as a starting template)

That gets you maybe 60% of the protective value at minimal cost. What it doesn't buy you is detection or response — that's the work that only shows up when you pay for managed operations.

When to Upgrade Your Budget

Six triggers should push your cybersecurity spend up to the next tier:

  • Cyber insurance renewal asks for MFA, EDR, backups, training, IR plan
  • A customer or partner audit asks for SOC 2 or similar attestation
  • You enter or expand into a regulated industry (healthcare, finance, defence, automotive financing)
  • Your business grew past 25 employees
  • You had a near miss — phishing that nearly worked, ransomware in a peer business
  • You started handling PCI cardholder data, PHI, or NPI

The Expected-Loss Sanity Check

Budgets feel arbitrary until you anchor them to expected loss. Here's the math any leadership team can follow:

  1. Average serious SMB cyber incident: ~$200,000 (direct cost) plus downtime
  2. Baseline annual probability of a serious incident for an unmanaged SMB: roughly 10–15%
  3. Expected annual loss without controls: $20,000–$30,000
  4. Managed security at $18,000/year reduces probability to 3–5%
  5. Expected annual loss with controls: $6,000–$10,000
  6. Net benefit: $10,000–$20,000 per year, plus the variance protection

The numbers are illustrative — real probabilities vary by industry and posture. But the structure of the argument is robust: managed security is almost always a positive-expected-value investment for businesses past the very-small-and-low-risk end of the spectrum.
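To make the six-step argument reproducible for a leadership deck, here is the expected-loss model as a small Python script. This is an added example, not code from the original article or from Kapacyber; it takes the article's illustrative figures ($200,000 incident, 10–15% baseline probability, 3–5% with managed security at $18,000/year) as constructed inputs, and adds one check the article only hints at with "plus the variance protection": the break-even figure, i.e. how many percentage points of annual incident probability the spend has to remove before it pays for itself on expected loss alone. Function names and the multi-year option are this example's own.

```python
"""Expected-loss sanity check for an SMB security budget.

Added example, not from the original article. The figures used below are the
article's illustrative values, passed in as constructed inputs.
"""


def expected_annual_loss(incident_cost: float, annual_probability: float) -> float:
    """Expected annual loss = cost of a serious incident x chance it happens this year."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual_probability must be between 0 and 1")
    return round(incident_cost * annual_probability, 2)


def expected_loss_range(incident_cost: float, p_low: float, p_high: float) -> tuple:
    """Expected annual loss as a (low, high) pair over a probability range."""
    return (
        expected_annual_loss(incident_cost, p_low),
        expected_annual_loss(incident_cost, p_high),
    )


def breakeven_probability_reduction(annual_spend: float, incident_cost: float) -> float:
    """Fraction of annual incident probability the spend must remove to pay for
    itself on expected loss alone (0.09 means 9 percentage points).

    Ignores variance protection, insurance premium effects and compliance value,
    which is why a figure close to break-even is not automatically a 'no'."""
    return round(annual_spend / incident_cost, 4)


def net_benefit(incident_cost: float, p_without: float, p_with: float,
                annual_spend: float, years: int = 1) -> float:
    """Reduction in expected loss minus the spend, summed over `years` years.

    Negative means the spend is not justified on expected loss alone; the
    remaining case for it is variance protection and insurability."""
    reduction = (expected_annual_loss(incident_cost, p_without)
                 - expected_annual_loss(incident_cost, p_with))
    return round((reduction - annual_spend) * years, 2)


def sanity_check(incident_cost: float, p_without: tuple, p_with: tuple,
                 annual_spend: float) -> dict:
    """Run the article's six-step argument over the (low, high) probability
    ranges and return the figures, plus best/worst-case net and break-even."""
    return {
        "expected_loss_without": expected_loss_range(incident_cost, *p_without),
        "expected_loss_with": expected_loss_range(incident_cost, *p_with),
        # Best case: high baseline probability brought down to the low controlled one.
        "best_case_net": net_benefit(incident_cost, p_without[1], p_with[0], annual_spend),
        # Worst case: low baseline probability only brought down to the high controlled one.
        "worst_case_net": net_benefit(incident_cost, p_without[0], p_with[1], annual_spend),
        "breakeven_points": breakeven_probability_reduction(annual_spend, incident_cost),
    }


if __name__ == "__main__":
    # Constructed inputs: the article's illustrative figures.
    result = sanity_check(200_000, (0.10, 0.15), (0.03, 0.05), 18_000)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it reproduces steps 3 and 5 of the argument ($20,000–$30,000 without controls, $6,000–$10,000 with) and shows that an $18,000 spend against a $200,000 incident needs to remove 9 percentage points of annual probability to break even on expected loss, which the 15% → 3% case clears and the 10% → 5% case does not. That is the practical reading of the article's caveat: at the low-risk end, the justification rests on variance protection and insurability rather than on the expected-value arithmetic alone.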

The Bottom Line

A defensible cybersecurity budget for an SMB sits between 1% and 3% of revenue for general businesses, and 4–8% for regulated ones. By headcount, expect $300–$4,000 per month depending on size. Most SMBs underspend versus this benchmark — and the gap usually closes only after an incident, an insurance renewal, or a customer audit forces the conversation.

The cheapest hour of cybersecurity work you'll ever buy is the one you do before you need it. Build the budget proactively, audit it annually, and increase the spend when one of the six trigger events hits. Your future self — or your future incident-response retainer — will thank you.

Frequently Asked Questions

What percentage of revenue should a small business spend on cybersecurity?

A reasonable benchmark is 1–3% of revenue for SMBs, climbing to 4–8% for regulated industries (healthcare, finance, defence supply chain). For a $3M-revenue business, that's $30,000–$90,000 annually for general SMBs and up to $240,000 for heavily regulated ones.

What's the minimum I should spend?

The realistic floor for credible managed security at a 5–10 person business is around $400–$600 per month — about $5,000–$7,000 per year. Below that, you can do DIY basics (MFA, backups, training), but you're not buying meaningful threat detection or response.

How do I budget for cybersecurity when I've never spent on it before?

Start with this rule: cyber should cost less than your IT spend but more than your office cleaning budget. Most SMBs underspend by 60–80% versus where they should be. Begin with 1.5% of revenue as a starting target and adjust based on industry risk.

How do I justify the cost to my leadership team?

Frame it against expected loss. The average SMB breach costs around $200,000. If $20,000/year in security cuts your breach probability by 30 points across 5 years, the expected value math is decisive. Cyber insurance premiums also drop materially when controls are documented.

What should I cut to make room in the budget?

Look at duplicate tools (e.g., paying for both Microsoft Defender and a third-party antivirus), unused SaaS licenses, and IT projects with marginal ROI. Most SMBs find 10–20% slack in their existing IT spend that can fund a meaningful security program.

Want a Budget Recommendation for Your Business?

Book a free 30-minute assessment. We'll model a realistic cybersecurity budget against your size, industry, and current spend — even if you don't end up working with us.
