How Much Should An SMB Budget for Cybersecurity?
When you’re a small business, one of the decisions you ultimately have to make is how much you’re willing to spend on cybersecurity. The unfortunate reality is that often small businesses don’t put enough of their budget towards it.
Then, when they do face an attack, which is nearly inevitable, it ends up costing them a lot more. The following are considerations for SMBs when it comes to their cybersecurity budget.
Importance of Budgeting for Cybersecurity
Cybersecurity affects businesses of all sizes. Around half of all cyberattacks go after small businesses. Sixty-eight percent of small businesses say they’ve experienced a cyberattack in the past 12 months.
As well as protecting you from potential disruption and high costs of a cyberattack, you need to budget for these programs for other reasons.
First, you have to budget for cybersecurity as part of an agreement in a contract with a third party. This could include vendors you work with or a client. You also have to remain compliant with regulations at the federal and state level.
To compete for specific contracts or projects, you may also have to show your cybersecurity protections.
Key Budget Areas
Cybersecurity is incredibly broad, but there are some general areas to consider as you’re planning a budget.
First is risk assessment, and within this category, consider incident response, business preparation, and continuity.
Another area to budget for is employee training. Your employees are your first line of defense and often your most important.
The third area of consideration is network vulnerability identification and management.
Cybersecurity insurance policies are often a worthwhile investment for businesses of all sizes and can help in recovery if a threat or event does occur.
Comparing Your Budget to the Cost of a Cyberattack
When deciding on a specific cybersecurity budget, part of your assessment should look at what an attack would cost. Studies show that the average cost of a data breach for a small business can be anywhere from $120,000 to $1.24 million. That’s only speaking to the SMB market.
If you go outside the filter of small businesses, an IBM report from 2019 found the average cost of a data breach was $3.92 million. Breaches cost smaller businesses more relative to their size than they cost larger organizations.
Additionally, we don’t always know the true cost of a data breach because the expenses tend to be long-term. It can take around a year for one-third of the costs to become apparent. There are also more ambiguous costs of data breaches.
Direct costs include system repair, regulatory and compliance fines, and an increase in insurance premiums.
Indirect costs can include disruption and downtime, loss of customers and loss of intellectual property. Another indirect cost to contend with is damage to your credibility and reputation.
Creating a Budget
Most cybersecurity budgeting falls into the larger category of IT budgeting. As a small business, aim to spend anywhere from 5% to 20% of your total IT budget on security.
Whether you fall on the lower or higher end of that depends on the size of your business, your industry, and requests from key stakeholders and customers.
You should also remember that not all cybersecurity solutions cost a lot—many of the best cost little to nothing. Using multi-factor authentication and having a policy for strong passwords, as well as educating your employees about phishing risks are all things you can do quickly and inexpensively, but they have a big impact.
You should start with the simplest things first if you aren’t already putting money toward cybersecurity. You don’t have to do everything at once either. It’s not all-or-nothing with cybersecurity. Instead, if your budget doesn’t allow you to do everything simultaneously, take an incremental approach. Prioritize with an understanding of what’s most relevant to your particular business.
Start with simple things like securing your cloud, and then you can begin to address complex threats.
Even the sophisticated and expensive cybersecurity systems and tools can’t protect you if your employees are making cybersecurity mistakes, for example. If your employees use public Wi-Fi to access networks or aren’t following email best practices, then your cybersecurity is compromised, yet you could fix these problems with very little money.
Regardless of your budget, the most significant thing SMBs should remember with cybersecurity is that it should be a priority. The costs of a breach will be much greater than initial investments in good practices.