Cybersecurity is one priority that is on just about everyone’s radar in some way. While national news regularly features stories of ransomware and cyber incidents at larger businesses, small businesses are starting to take note for themselves.
As with many core business functions, cybersecurity often requires a monetary investment and therefore needs dedicated space in your budget. The need for cybersecurity isn’t going away any time soon; it’s actually becoming more and more relevant for small businesses. That’s why it’s important to consider cybersecurity as a business, financial and practical priority. Here are three key questions to ask as you plan and budget for cybersecurity.
Why budget for cybersecurity?
As with any key business decision, it’s important to have a reason for investment. Cybersecurity is an area that affects businesses of all sizes, including small businesses. In fact, about half of all cyberattacks target small businesses and 68% of small businesses have experienced a cyberattack in the last 12 months.
Cybersecurity is a broad field, so defining specific goals and improvements can be helpful as you build your budget. We see small businesses investing in a few key cyber-specific areas:
- Risk assessment to identify security gaps and prepare to implement change.
- Employee awareness training to reduce the danger of phishing emails and other social engineering attempts.
- Network vulnerability identification and management.
- Regular scanning and testing, including dark web scanning to detect early threats in the environment.
How much does a data breach cost?
While the costs vary per incident, recent studies have shown that the average cost of a data breach to a small business can range from $120,000 to $1.24 million.
It’s important to keep in mind that the true cost of a data breach isn’t always what it appears. Expenses can be spread out over time, with about a third of expenses coming after the first year following the breach. There are a wide variety of costs associated with a data breach, some of which are obvious and repairable, others of which are more ambiguous.
Indirect costs may include:
- Business disruption and downtime
- Loss of business or customers
- Loss of intellectual property (IP)
- Damage to company credibility, brand, and reputation
How much should you spend on cybersecurity?
As with any component of business, there are a lot of factors that influence how you build a cybersecurity budget. A few to consider are:
- Your industry and company size
- Compliance and regulation mandates affecting your operations
- The sensitivity of the data you collect, use, and share
- Requests from company stakeholders or customers
The actual amount companies spend on cybersecurity is often tied to their IT budget, which helps account for company size and IT infrastructure. Estimates of what companies currently pay vary, ranging from an additional 5.6% to up to 20% of the company’s total IT spend. For example, say a 40-person company pays $3,000 per month to an IT managed service provider to cover their IT needs. Their cybersecurity budget would come in somewhere between $168 and $600 per month – a significant, but not unattainable amount – and well worth it given the potential cost of a cyberattack.
Nice Need to Have
Cybersecurity is no longer a “nice to have” – it’s a “need to have” for small businesses. However, it’s important to note that cybersecurity protection isn’t purely a monetary investment. A comprehensive and effective cybersecurity program requires prioritization and commitment from leadership, IT and employees. Incorporating a SecurityFirst culture into your environment will complement your monetary investment.
Unfortunately, no matter how much is dedicated to strengthening cybersecurity, there’s no way to guarantee a 100% cyber-risk-free environment. But the organizations that are most effective at responding to cybersecurity threats are the ones that were prepared to do so.