How to Determine Your Company's Cybersecurity Budget

Woman in server room Adobe

As more and more businesses are learning in recent years, being small no longer guarantees you any protection from cybercrime. In fact, recent figures released by Accenture suggest that small businesses are targeted in more than 43% of all cyberattacks, resulting in catastrophic losses.

As a result, business owners need to understand the importance of cybersecurity – and, in a more practical sense, how to budget for it. In most firms, the chief complaint of IT managers is the lack of adequate resources, yet allocating more money towards IT security is easier said than done, especially if you are a small business entity.

Cybersecurity also has many different sectors that need attention, such as network security, mobile security, email protection, data security, and access management. Focusing only on a few aspects might leave your business dangerously vulnerable in other areas.

In this situation, crafting a cybersecurity budget that adequately covers everything is not an easy task. But it is not impossible if you go about it the right way.

Determing Your Cybersecurity Budget

There is no one definitive solution when it comes to allocating your cybersecurity spending. Generally, there are too many variables involved, such as the size and nature of your business, the level of IT involvement in your business activities, and the type of hardware and software used.

However, there have been many surveys and studies on this topic in recent years. It is estimated that businesses spent more than $124bn on IT security in 2018 alone, with larger corporations happy to exceed billion-dollar budgets to protect their online assets.

Financial firms are the most vulnerable to online threats. According to Deloitte, a typical financial services firm usually spends around 10% of their IT budget on security. If you were to consider the big picture, that could be anywhere from 0.2% to 0.9% of their total annual revenues.

While not perfect, this should give you a good idea of where to start when allocating your own cybersecurity budget. For further context, the US federal government budget allocation for cybersecurity is estimated to be 0.3% of their overall budget, while in 2016, IT management firm Gartner recommended that organisations spend around 4-7% of their IT budget on cybersecurity.

Different Approaches to Cybersecurity Budgeting

Based on these recommendations, you should now have a ballpark figure in mind – but that doesn't tell you accurately how much you need for your business. To get a clearer picture, you can use one of these three methods for calculating your spend:

The Conventional Approach

Also called a "reactive" or "ad-hoc" approach, this budgeting technique will only work for a small percentage of companies. A single data breach can cost your business millions of dollars, so in cybersecurity, prevention is always better than cure.

For a "business as usual" approach to work in cybersecurity budgeting, you need certain preconditions, which are usually found in larger and older firms:

  • Your firm already has robust IT security in place
  • There are considerable cash reserves available

This second point is crucial, as unexpected expenses can arise when you take an ad-hoc approach to cybersecurity budgeting. If there are sudden changes in IT, like new compliance laws (GDPR is an excellent example), or an unexpected malware breach, you will need extra funds to cope.

This is a very conservative approach that can result in better economisation and savings. But for that to happen, things need to go according to plan, with no major cyberattacks or operational changes.

Most smaller businesses might fare better with a more proactive approach to cybersecurity, which brings us to the other two methods below.

The Benchmark Approach

If your business resides in a crowded segment with many competitors and similar sized enterprises, you can seek "safety in the crowd." This is a comparative approach; first, create a benchmark of how your existing systems are faring, and then compare that with other similar-sized businesses in your sector.

Looking at the level of cybersecurity investments in other organisations can tell if you are lagging, but this approach is not without its flaws. For instance, many surveys indicate that small businesses are not spending enough on cybersecurity, so you might not find a realistic benchmark.

As a result, reliance on this particular approach can mean that you end up retaining the same flaws and deficiencies as other organisations. A more balanced approach could include some comparison with your peers, but is most effective when combined with the next strategy, explained below.

The Risk-based Approach

Identification of potential risks to your business IT assets is the first step in preventing cyberattacks. Instead of trying to cover all avenues, you instead aim to identify those areas of your IT systems that are most in need of improved security measures.

Cybercriminals do not always attack businesses in the same way. Depending on your industry, the nature of the threats you face may vary. For example, in the financial services sector, attacks are usually targeted towards stealing data assets, such as customer information. For eCommerce businesses, the most common threat is Distributed Denial-of-Service (DDoS) attacks. For smaller firms, phishing and ransomware attacks may be the most significant risk.

Therefore, unless you have deep pockets, you cannot cover all your bases. Using a risk-based approach, you can better protect your firm against the most likely threats to your organisation.

Critical Areas to Cover in Your Cybersecurity Budget

Not all segments of a business' cybersecurity portfolio are created alike. Some are more critical than others in terms of keeping your business safe from attacks. These priorities can vary with each business, but here are some standard segments that require attention and should, therefore, be budgeted for:

Endpoint Protection - This involves securing all your IT hardware – computers, laptops, and servers – with antivirus software, firewalls, and other appropriate measures. This is a must-have for all organisations.

Network Security - This is almost the same as endpoint protection, with firewalls, anti-malware, and secure network hardware, with the addition of extra features such as online backups of essential data. With all businesses going online, this comparable with endpoint protection as a mandatory feature.

Access Management - In many instances, cyber-attacks occur when criminals gain access to your system through phishing or other means. By restricting high-level access to a few employees, and using access management and monitoring software, you can minimise this threat.

Data Storage and Security - Do you want to invest in on-site data storage, or depend on third-party cloud services such as Amazon? Regardless of your decision, given that consumer data is the new oil, securing it should be a high priority for your business.

Employee Training - This is a critical segment that should not be avoided in a small business setting. No amount of costly software or hardware can protect your business against human error or negligence. Investing in network security training for your employees can reduce this ever-present threat.


Was this article helpful? Let us know your thoughts in the comment section below.