
How much should a small business spend on cybersecurity?

Forget the percent-of-IT-budget rule of thumb. A practical way to size an SME security budget against actual risk, and which controls give you the most reduction per dollar.

Published on 5 min read

The most common cybersecurity budgeting question is "what percent of IT spend should go to security," and it is the wrong question.

The percent-of-IT rule of thumb (you will hear anywhere from 5% to 15%) tells you nothing useful. A company with terrible controls and a fat IT budget hits the target while staying wide open. A lean firm with good hygiene misses it while being genuinely safer. The percentage measures input, and input is not the thing you care about. You care about risk removed per dollar spent, and that is a completely different calculation.

Budget against risk, not against IT spend

Here is the approach that actually holds up. Estimate your expected annual loss first: for each incident type that can hurt you (ransomware, data breach, downtime, business email compromise, regulatory) work out the cost if it happens and the probability per year, multiply the two, and add the products up. That total (the annualized loss expectancy, if you want the textbook name) is what you are defending against. Now every control you might buy has a measurable job: how much does it lower that expected loss, by cutting how often an incident happens or how much it costs when it does, and what does it cost per year.

Sort your options by reduction per dollar and buy down the list. Keep going until the next control costs more than the risk it removes. That point is your budget. Not a percentage. A number derived from your actual exposure.
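The procedure above, as an added worked example: this is illustrative code written for this page, not the site's calculator or its implementation. The four incident types, the six controls, their annual costs and the fraction of frequency or severity each removes are constructed placeholders for a hypothetical firm, not survey data, and the model compounds controls multiplicatively, which assumes they act independently. What it shows is the mechanics: the free and cheap controls come off the list first, the expensive platform never clears the bar, and the budget is simply what the bought controls add up to.

```python
"""Expected-loss budgeting for a small firm (added illustration, not the
article's calculator).  Price each incident type, let each control cut its
frequency and/or severity, buy controls in order of reduction per dollar, and
stop when the next one costs more than it removes.  All figures are
constructed placeholders for a hypothetical firm, not survey data."""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    prob_per_year: float   # annual probability the incident happens
    cost_if_hit: float     # loss when it does


@dataclass
class Control:
    name: str
    annual_cost: float
    freq_cut: dict = field(default_factory=dict)  # scenario -> fraction of frequency removed
    sev_cut: dict = field(default_factory=dict)   # scenario -> fraction of severity removed


def residual(scenarios, controls):
    """Per-scenario (probability, cost) after applying the bought controls.
    Reductions compound multiplicatively, i.e. controls are assumed to act
    independently; that is a modelling simplification, not a measured fact."""
    out = {}
    for s in scenarios:
        p, c = s.prob_per_year, s.cost_if_hit
        for ctl in controls:
            p *= 1.0 - ctl.freq_cut.get(s.name, 0.0)
            c *= 1.0 - ctl.sev_cut.get(s.name, 0.0)
        out[s.name] = (p, c)
    return out


def expected_loss(scenarios, controls):
    """Annualized loss expectancy: sum of probability x cost over scenarios."""
    return sum(p * c for p, c in residual(scenarios, controls).values())


def worst_case(scenarios, controls):
    """Largest single-event loss still possible: the tail figure insurance sizes against."""
    return max(c for _, c in residual(scenarios, controls).values())


def plan_budget(scenarios, controls):
    """Greedy buy-down.  Each round picks the unbought control with the best
    reduction-per-dollar given what is already bought, and stops when even the
    best remaining control removes less expected loss than it costs.
    Returns (bought_controls, steps, annual_budget, residual_expected_loss)."""
    bought, remaining, steps = [], list(controls), []
    while remaining:
        current = expected_loss(scenarios, bought)
        best = None
        for ctl in remaining:
            reduction = current - expected_loss(scenarios, bought + [ctl])
            # free controls rank first; otherwise rank by reduction per dollar
            ratio = float("inf") if ctl.annual_cost == 0 else reduction / ctl.annual_cost
            if best is None or ratio > best[0]:
                best = (ratio, ctl, reduction)
        _, ctl, reduction = best
        if reduction < ctl.annual_cost:   # next control costs more than it removes: stop
            break
        bought.append(ctl)
        remaining.remove(ctl)
        steps.append((ctl.name, round(reduction, 2), ctl.annual_cost))
    return bought, steps, sum(c.annual_cost for c in bought), expected_loss(scenarios, bought)


SCENARIOS = [  # constructed: annual probability and cost if it happens
    Scenario("ransomware", 0.10, 500_000),
    Scenario("data breach", 0.05, 150_000),
    Scenario("BEC wire fraud", 0.15, 60_000),
    Scenario("downtime", 0.20, 25_000),
]

CONTROLS = [  # constructed: annual cost and the fraction of frequency/severity each removes
    Control("MFA", 1_200, freq_cut={"ransomware": 0.5, "data breach": 0.5, "BEC wire fraud": 0.6}),
    Control("tested offline backups", 4_000, sev_cut={"ransomware": 0.7, "downtime": 0.5}),
    Control("out-of-band payment verification", 0, freq_cut={"BEC wire fraud": 0.8}),
    Control("EDR", 5_000, freq_cut={"ransomware": 0.4, "data breach": 0.4},
            sev_cut={"ransomware": 0.4, "data breach": 0.4}),
    Control("IR plan", 1_500, sev_cut={"ransomware": 0.2, "data breach": 0.3, "downtime": 0.2}),
    Control("big security platform", 40_000, freq_cut={"ransomware": 0.1, "data breach": 0.2}),
]

if __name__ == "__main__":
    bought, steps, budget, left = plan_budget(SCENARIOS, CONTROLS)
    print(f"baseline expected annual loss: {expected_loss(SCENARIOS, []):,.0f}")
    for name, reduction, cost in steps:
        print(f"  buy {name:<35} removes {reduction:>9,.0f}/yr for {cost:>7,}/yr")
    print(f"budget: {budget:,}  residual expected loss: {left:,.0f}")
    print(f"worst single event still possible: {worst_case(SCENARIOS, bought):,.0f}")
```

With these placeholder figures the buy order falls out as out-of-band verification, MFA, backups, IR plan, EDR, and the 40,000-a-year platform is left unbought because by that point it removes a few hundred in expected loss. The residual expected loss and the largest single event still possible are the two figures to carry into the insurance conversation; swap in your own probabilities and costs and the same loop gives you a budget you can defend line by line.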

The reason this matters is that the order is wildly uneven. The first few controls remove enormous risk for almost nothing. The later ones remove a little risk for a lot. Spending the same money in the wrong order leaves you both poorer and less safe, which is the default state of a lot of SME security programs that bought a fancy tool before turning on MFA.

The controls that actually earn their place

The leverage is concentrated in a handful of unglamorous things.

Multi-factor authentication is the highest return in security, full stop. Microsoft's data has it blocking the overwhelming majority of automated account-compromise attacks, and stolen credentials are the entry point in a large share of breaches. It is cheap, often free with what you already pay for, and it knocks down the frequency of ransomware, data breach and BEC at once. If you do one thing, this is the one. Use phishing-resistant factors where money moves: FIDO2 security keys or passkeys rather than SMS codes or push approvals, since attackers routinely relay one-time codes through a fake login page and wear users down with repeated push prompts.

Tested offline or immutable backups are what make ransomware survivable. They barely change how often you get hit, but they gut the severity, because you restore instead of paying and you are down for days instead of weeks. Two words are doing real work there. Tested: an untested backup is a hope, not a control, so restore from it on a schedule and time how long it takes. Offline or immutable: a backup that the same admin credentials can delete or encrypt is just another target, and ransomware operators go after backups before they detonate.

An out-of-band verification rule for payments and bank-detail changes costs nothing and stops the BEC wire fraud that is statistically the loss most SMEs will actually face. The rule is simple: before money moves or account details change, confirm through a second channel using contact details already on file, never the phone number or reply address in the request itself. It is a process, not a product, which is exactly why people skip it.

Endpoint detection and response catches and contains intrusions earlier, lowering both how often an incident becomes serious and how bad it gets when it does. It costs real money but for most SMEs it is justified once you are past the free stuff.

A written, rehearsed incident-response plan is one of the largest cost reducers in IBM's breach data, and it is mostly an afternoon of thinking plus a phone list. Knowing who to call and what to do in the first hour is the difference between a contained event and a sprawling one.

Notice what is not on this list: the expensive, heavily-marketed platforms that vendors lead with. They have their place, much later, after the basics. Buying them first is the classic mistake.

Where to stop, and what to do with the rest

Spending more buys more safety at a diminishing rate, and past a point the controls cost more than the risk they remove; a rational budget stops there rather than chasing a zero-risk state that does not exist. The residual risk that is left, the low-probability high-cost tail you cannot economically engineer away, is what you transfer to a cyber insurer. Controls handle the frequent stuff. Insurance handles the rare catastrophe. Trying to make controls do the insurer's job is how you overspend.

One caveat worth stating plainly: the expected-loss math is built on averages, and a small firm can still be wrecked by a single unlikely event. So size the controls budget against expected loss, but use the worst-case to decide how much insurance to carry on top. Different tools for different parts of the distribution.

Get a number you can defend

The point of all this is to walk into a budget conversation with a figure that comes from your own risk, not from a benchmark someone published. The calculator runs the expected-loss model for your sector, size, revenue and current controls, and shows you what each control does to the total, which is exactly the reduction-per-dollar view you need to prioritize. The methodology sources every number so you can argue with it.

Stop asking what percentage to spend. Work out what you stand to lose, then buy the cheapest risk reduction first and stop when it stops paying.

Related articles

Expected annual loss is the number underneath every cyber insurance quote. Here is how it is built, what controls do to it, and how to use it to decide what security is worth paying for.
A sourced breakdown of what ransomware, data breaches, downtime and BEC actually cost SMEs — and how to estimate your own exposure.
What cyber insurance actually covers, what it costs, the exclusions that bite at claim time, and how to decide whether your SME needs it or should self-insure.