2026-03-24 · 12 min read
Strategy

How Much Should a Small Business Spend on Cybersecurity?

Practical cybersecurity budget benchmarks for small businesses, with frameworks by revenue size, industry, and priority spending areas to guide your investment.

Sean P. Conroy

One of the most common questions from CEOs of growing companies: "How much should we actually be spending on cybersecurity?"

The honest answer is that it depends. But that's not helpful on its own. What is helpful is a framework that gives you practical benchmarks based on your revenue, industry, and risk profile, so you can make informed decisions instead of guessing.

Too many small businesses either overspend on the wrong things (shiny tools they don't need) or underspend across the board (hoping they won't be targeted). Both approaches leave you exposed. The goal is right-sized investment: enough to manage your risk responsibly without draining resources from growth.

Key insight: Cybersecurity spending isn't about hitting a magic number. It's about aligning your investment with your actual risk exposure, regulatory requirements, and business objectives. The right budget protects your company without starving your growth.

The Benchmark: Percentage of Revenue

The most widely cited benchmark for cybersecurity spending is a percentage of annual revenue. While this varies by industry and maturity, here's what the data tells us:

1. General Benchmark

Most industry benchmarks put total IT spending at roughly 3% to 7% of revenue, with cybersecurity taking 10% to 20% of that IT budget (see the next point). That works out to approximately 0.5% to 1.5% of annual revenue. For small and mid-sized businesses, the lower end of this range is typical, but companies in regulated industries or those handling sensitive data should aim higher.

2. IT Budget as a Baseline

If you know your total IT spending, cybersecurity should represent 10% to 20% of that IT budget for mature programs. Many small businesses spend closer to 5%, which typically means critical gaps exist. If your cybersecurity line item is zero or buried inside "general IT," that's a red flag.

3. Regulated Industries Pay More

Healthcare, financial services, government contractors, and companies handling payment card data face regulatory requirements that drive higher security spending. These organizations often invest 1.5% to 3% of revenue in cybersecurity to meet compliance obligations and manage elevated risk.

4. Growth Stage Matters

Companies building their security program from scratch should expect higher initial investment. The first year of serious security work often costs 1.5x to 2x what ongoing annual spending will be, as you're addressing a backlog of gaps while building foundational capabilities.

Data point: The average small business spends less than $500 per employee per year on cybersecurity. For companies with 50-250 employees, that often means a total security budget under $100,000, which may be insufficient for organizations handling sensitive data. (Source: Deloitte & NASCIO Cybersecurity Study)

Sample Budgets by Company Size

Here's what cybersecurity investment looks like at three different revenue levels, assuming a company that handles some sensitive data but is not in a heavily regulated industry.

$5 Million Revenue Company

Suggested annual cybersecurity budget: $50,000 to $75,000

At this size, you're focused on the essentials. Every dollar needs to count.

  • Endpoint protection and email security: $8,000 - $12,000/year
  • Multi-factor authentication (MFA): $2,000 - $5,000/year (often bundled with existing tools)
  • Password management: $1,500 - $3,000/year
  • Security awareness training and phishing simulations: $3,000 - $6,000/year
  • Backup and disaster recovery: $5,000 - $10,000/year
  • Cyber insurance: $5,000 - $15,000/year
  • Annual vulnerability assessment: $5,000 - $10,000
  • vCISO or security consulting (10 hours/month): $15,000 - $25,000/year

At $5 million in revenue, you likely don't need a full-time security hire or enterprise-grade tools. But you absolutely need coverage across these foundational areas.

$20 Million Revenue Company

Suggested annual cybersecurity budget: $150,000 to $300,000

At this level, you're likely pursuing enterprise clients, handling more complex data, and facing compliance requirements.

  • Managed detection and response (MDR): $30,000 - $60,000/year
  • Endpoint and email security: $15,000 - $25,000/year
  • Identity and access management (IAM/SSO): $10,000 - $20,000/year
  • Security awareness training: $5,000 - $10,000/year
  • Backup, DR, and business continuity: $10,000 - $20,000/year
  • Cyber insurance: $15,000 - $30,000/year
  • Penetration testing (annual): $15,000 - $30,000
  • Compliance program (SOC 2 or equivalent): $20,000 - $40,000/year
  • vCISO (20 hours/month): $40,000 - $80,000/year
  • Security tools and infrastructure: $10,000 - $25,000/year

$50 Million Revenue Company

Suggested annual cybersecurity budget: $400,000 to $750,000

At this scale, cybersecurity becomes a formal business function with dedicated resources.

  • Full-time security hire or senior vCISO: $120,000 - $200,000/year
  • Security operations (MDR/SOC): $60,000 - $120,000/year
  • Advanced endpoint, email, and network security: $30,000 - $50,000/year
  • IAM/SSO/privileged access management: $20,000 - $40,000/year
  • Security awareness and culture program: $10,000 - $20,000/year
  • Backup, DR, and resilience: $20,000 - $40,000/year
  • Cyber insurance: $30,000 - $60,000/year
  • Penetration testing and red team exercises: $30,000 - $60,000/year
  • GRC and compliance program: $30,000 - $60,000/year
  • Third-party risk management: $10,000 - $25,000/year
  • Incident response retainer: $15,000 - $30,000/year
  • Security tools and infrastructure: $25,000 - $45,000/year

Where to Spend First: Priority Framework

If you're building a cybersecurity budget from scratch or need to prioritize limited resources, here's a practical ordering:

Tier 1: Non-Negotiable (Deploy Immediately)

  • Multi-factor authentication on all accounts (start with email, remote access, and admin accounts, and prefer phishing-resistant methods such as hardware keys or passkeys over SMS codes)
  • Endpoint protection on all devices
  • Tested backup and recovery capabilities (keep at least one copy offline or immutable, and actually exercise restores rather than only verifying that backup jobs ran)
  • Cyber insurance with adequate coverage (insurers increasingly require MFA, endpoint protection, and tested backups as conditions of coverage, so the items above are also prerequisites for a policy)

Tier 2: Essential (Deploy Within 90 Days)

  • Security awareness training and phishing simulations
  • Password management solution
  • Email security and anti-phishing tools
  • Basic incident response plan (documented and tested)

Tier 3: Important (Deploy Within 6 Months)

  • vCISO or security leadership engagement
  • Vulnerability assessments and penetration testing
  • Identity and access management / SSO
  • Vendor risk management process

Tier 4: Strategic (Deploy Within 12 Months)

  • Managed detection and response (MDR) or security monitoring
  • Compliance certification (SOC 2, ISO 27001, etc.)
  • Business continuity planning
  • Advanced threat protection and analytics

The Biggest Budget Mistake

Buying expensive security tools without the people or process to use them effectively. A $50,000 SIEM that nobody monitors is a waste of money. A $100,000 penetration test whose findings are never remediated is a waste of money. Before you invest in tools, make sure you have the capacity to operate, monitor, and act on what those tools tell you.

How to Justify Your Budget to the Board

Knowing how much to spend is only half the battle. You also need to explain why. Here's how to frame cybersecurity investment in terms your board and leadership team will understand:

Frame it as risk management, not cost. Don't say "we need $200,000 for cybersecurity." Say "a $200,000 investment reduces our estimated breach exposure from $3 million to under $500,000." That's a conversation every business leader can engage with.

Compare to the cost of a breach. The average data breach costs small and mid-sized businesses between $120,000 and $1.24 million. When your annual security budget is a fraction of what a single breach would cost, the math speaks for itself.

Benchmark against peers. If your competitors are spending 1% of revenue on cybersecurity and you're spending 0.2%, you're not saving money. You're accumulating risk that they're managing.

Connect to revenue. Enterprise clients increasingly require security certifications, questionnaires, and compliance attestations. If SOC 2 certification helps you win a $500,000 contract, the $40,000 you spent on compliance paid for itself more than twelve times over.

Data point: 43% of cyberattacks target small businesses, yet only 14% are prepared to defend themselves. The cost of prevention is consistently a fraction of the cost of recovery. (Source: Accenture Cost of Cybercrime Study)

Common Questions About Cybersecurity Budgets

Should cybersecurity be a separate budget line from IT? Yes. When cybersecurity is buried within the general IT budget, it's the first thing cut when IT needs to absorb other costs. A separate line item creates visibility and accountability.

What if we can't afford the recommended benchmarks? Start with Tier 1 and work your way through the priority framework. Something is always better than nothing. Even $20,000 spent on MFA, endpoint protection, and basic training dramatically reduces your risk.

Should we budget differently after an incident? Yes. Post-incident spending typically spikes as you address the gaps that led to the breach, invest in forensics and remediation, and implement preventive controls. Plan for this by maintaining a reserve or contingency fund.

How often should we review our cybersecurity budget? Annually, at minimum. But you should also reassess after significant changes to your business: acquisitions, new product launches, entering regulated markets, or major vendor changes.

Key Takeaways

  • Target 0.5% to 1.5% of revenue, or 10-20% of your IT budget, as a starting benchmark for cybersecurity investment
  • Right-size by risk, not by revenue alone. Regulated industries and data-intensive businesses need to invest more
  • Prioritize ruthlessly. MFA, endpoint protection, backups, and insurance come first; advanced tools come later
  • Separate cybersecurity from IT budgets. Visibility creates accountability and prevents security from being silently cut
  • Frame spending as risk reduction. Connect every investment to a specific risk, outcome, or business objective

Build Your Budget With Confidence

Cybersecurity budgeting doesn't have to be a guessing game. With the right framework and benchmarks, you can build a budget that protects your business, satisfies your board, and scales with your growth.

For a comprehensive guide to cybersecurity investment and governance for business leaders, see Cybersecurity for CEOs.
