How Much Should Cybersecurity Cost Your Business?

By Dr. Jerry Craig | August 2, 2022
Jerry is Ntiva’s Sr. Director of Security and CISO, offering more than 20 years in the IT and cybersecurity industry. Certified CISO, CISSP and CCSP, Jerry also serves part-time as Adjunct Professor in the University of Maryland Global Campus.

When organizations are looking for ways to save money, cybersecurity sometimes ends up on the chopping block. For those companies fortunate enough to never have gone through a critical security breach, these services can seem extraneous. Why pay for something that’s not being used?

Unfortunately, the answer to this question becomes crystal clear once a breach happens.

Just last year, a report published by IBM Security found that the cost of data breaches had reached a 17-year high, to say nothing of the damage done to intangibles like customer trust. Companies unwilling to invest in cybersecurity all too often still pay a high price.

The good news is that solid cybersecurity protection won’t break the bank. And by taking common-sense steps today to protect your organization, you can avoid the kinds of breaches that lead to big fines and lost revenue.


How Much Should You Spend on Cybersecurity?

Determining how much to budget for cybersecurity is trickier than it might seem at first glance. Part of the answer will depend on your industry, along with your clients’ expectations. The number of employees within your organization is also a factor.

Take the financial industry, for example. This sector spends more on IT as a percentage of its revenue than does any other, from 4.4% to 11.4% according to one source, or about 7% according to another.

This shouldn’t be surprising when you consider that this single industry accounts for about 13% of cyberattacks. Additionally, consumer expectation of cybersecurity within that industry is sky-high.

As a general rule of thumb, though, most industries spend an average of 3%-4% of their revenue on IT. Out of that overall IT budget, you should plan to spend at least 10% on security.



To get a little less abstract about it, imagine you’re with ABC Inc., a fictitious 100-person company with annual revenue of $10 million.

Following the above rule of thumb, ABC will have an overall IT budget of $400,000, with $40,000 earmarked annually for cybersecurity, or about $3,300 per month.

So, how should you spend it?

How to Use Your Cybersecurity Budget

Managed security services are one of the more effective ways to use your cybersecurity budget. For a recurring monthly fee, a third party will completely manage your cybersecurity protection, whether you have an IT team or not.

Before considering providers, know this: At an absolute minimum, there are three elements of cybersecurity your managed security services provider must put in place. That’s not just our opinion – without them, you won’t even be able to qualify for cyber insurance.

Here’s what basic business cybersecurity requires, and what it will cost:

You’ll note that the cost of all three of these services is on a per-user basis. That isn’t the case for all cybersecurity measures. Intrusion detection and response (SIEM and SOC), for instance, will cost a flat fee for your organization (though this fee will be based on your particular requirements – below, we use $2,100 as an estimated figure).

Here’s a look at how cybersecurity might be implemented by ABC Inc., with the $3,300 budget we outlined above, and how it would look for an identical company to budget just half of that:

Cybersecurity Services Budget:

| Service | ABC Inc. ($3,300 budget) | Identical company (half the budget) |
| --- | --- | --- |
| Multifactor Authentication | 100 users @ $3/user | 100 users @ $3/user |
| Endpoint Detection & Response | 100 users @ $5.50/user | 100 users @ $5.50/user |
| Monthly Managed Phishing Prevention Training | 100 users @ $3/user | 100 users @ $3/user |
| Intrusion Detection & Response | Flat fee: $2,100 | (N/A) |
| Microsoft Office 365 Advanced Threat Protection | (N/A) | 100 users @ $2/user |
| Total Cost: | $3,250 | $1,350 |


As you can see in these examples, both organizations make sure to account for those three essential services. Beyond that, each takes a different approach to what additional levels of protection they select.



With a larger budget, you may opt for a more robust service like intrusion detection and response (IDR), which puts a 24x7 security operations center (SIEM and SOC) to work monitoring your infrastructure for signs of attack.


But even with a smaller budget, you can take steps like adding Microsoft Office 365 Advanced Threat Protection to enhance your email security.

Even if you have to start small, taking steps to build out your cybersecurity will go a long way toward protecting your business.


Cybersecurity Saves You Money in the Long Run

All too often, small- to mid-sized businesses (SMBs) wait to invest in cybersecurity until after they’ve had a significant incident.

Unfortunately, for many people, it isn’t until they’ve experienced the loss of data, productivity and tens of thousands of dollars that they see the value of cybersecurity. 

But in what other part of your life do you buy insurance after the bad thing happens? Home insurance isn’t cheap, but you don’t wait until after you have a fire to start insuring your house.

Cyber insurance is a good thing to have after the fact, but investing in proper cybersecurity protection can prevent the disaster from occurring at all.

Time to get your priorities in order.

We’ve written before about how SMBs are increasingly a target for ransomware. We see attacks using compromised user credentials just about every week.

They can and will happen to your business. But the good news is that you can be prepared when they do. Take a look at our full cybersecurity checklist, or contact us to talk to an Ntiva cybersecurity expert.

