How much of your IT budget should you spend on security?


It looks like IT budgets will continue to grow this year despite the threat of a recession. 51% of organisations plan to increase their IT budget, with just 6% reporting they’d cut back on tech spending. 

At face value, this is good news. But with rising inflation, the real value of these budgets is less than last year. Because IT budgets need to stretch into every corner of businesses, there’s likely to be some pressure around spending. And the amount of IT budget spent on security could end up lower than last year.

That could leave organisations more vulnerable to cyber threats, but cutting security costs doesn’t have to mean adopting a less robust security solution. Protecting your business from the most common and deadly attacks doesn’t have to break the bank.

How much should IT security cost?

It’s far too common to hear “how long is a piece of string?” when asking this question. 

For companies with 500 or more employees, it’s hard to define how much IT security should cost because their size, reach, and security needs are too variable and complex to assign a fixed number to. For example, last summer Google announced they’ll invest 10 billion dollars in cybersecurity over the next five years. 

But for smaller businesses, it doesn’t have to be complicated. 

  • If you work alone, a good level of cover should cost you £1,000–£3,000 a year
  • If you run a small business with 40 employees, a good level of cover should cost you £2,000–£5,000 a year
  • If you have 250–499 employees, a good level of cover should cost you £8,000–£12,000 a year

Worried about rising IT costs? Check out our guide to protecting your business on a budget.

How does that compare to the cost of a breach?

Let’s look at the amount of IT budget spent on security compared to the amount of IT budget spent because of security breaches. 

The UK Government’s Cyber Security Breaches Survey 2022 revealed that 39% of UK businesses identified a cyberattack in the 12 months before the survey. Where those businesses reported a material outcome, the average estimated cost was £4,200. For medium and large businesses, the average cost was £19,400. In another report, 73% of victims revealed they’d experienced more than one attack in a year, so the costs can quickly add up. Some costs are harder to calculate, such as damage to brand reputation and customer retention.

What should you look for in a security solution?

Broadly speaking, you can break this up into two sections:

1. Supplier

Choose a cybersecurity supplier who can provide a good level of support, e.g. unlimited guidance. This is especially helpful if you’re a smaller or new business that’s just getting started with cybersecurity, as it’ll give you extra peace of mind. Look into the level of flexibility the supplier gives you, too. If budget and payment terms are a concern, a subscription-based service that offers monthly payments is more affordable than paying the whole year upfront.

2. Functionality

Look for a solution with buildable components so your security coverage can grow as you do.

Here are some key things to look for:


Accreditations like the UK Cyber Essentials scheme outline the security procedures you should have in place to secure your data. It’s recommended for SMEs because it helps you to protect your business against 98.5% of the most common types of cybercrime, like phishing and malicious software. 

Privacy support

Your business must manage data safely, securely, and in compliance with data protection laws. Some providers will help you to field subject access requests, write data protection policies, and keep on top of your data protection obligations by providing tools and templates to streamline your processes.

24/7 monitoring and employee training

For complete peace of mind, look for providers that offer 24/7 monitoring of all devices connected to company data. They’ll check for the most common threats and vulnerabilities, helping you to manage risk and alerting you in the event of a breach.

To support this, look for solutions that include employee training alongside 24/7 device monitoring. More than three-quarters (77%) of senior IT leaders agree that internal security and governance risks are as high as external ones. So, it’s a good idea to keep your employees up-to-date with engaging and informative training sessions.


Cyber insurance can support your business if you suffer a malicious attack or data breach. It can provide both first-party (your assets) and third-party (customer data) cover so that in the event of an incident, you can recoup lost earnings due to operational downtime or reputational damage.

What if you’re struggling to find the budget to pay for security?

Lots of companies will be trying to find ways to cut costs or reallocate money to cover non-negotiable expenses. If you’re struggling with the rising cost of living and balancing your budgets, these might help you to trim the fat a little.

  • Can you reduce any old/redundant tech? This might help you to save money on subscriptions or hardware you don’t need
  • Can you cut any non-essential spending? E.g., travel or office upgrades
  • Could you re-evaluate partners and suppliers? Are they giving you the best deal or relying on your loyalty and pushing up prices? 

Recession-proof security

If you’re ready to take control of your business security, now’s a great time to start. It’s always better value for money to pay for security cover than suffer the cost of an attack and its repercussions. Be proactive, and make every penny count with the right solution for your business size.

Want to know more? Discover how to protect your business on a budget in our cost of living crisis guide.
