How to Create a Cybersecurity Budget for Your Small Business

October 12, 2022

The need for cybersecurity is clear to most IT leaders. But for many small businesses, justifying a healthy budget can be an uphill battle. After all, if your business hasn’t been attacked yet, doesn’t that imply that there is no need to add new tools or services?

In fact, nothing could be further from the truth. As cybercriminals and hackers become more advanced in their skills and techniques, the tools that stopped them yesterday may not be as effective today. And, unfortunately, any organization — no matter how small or obscure it may be — can be a target of a cyberattack. Many small organizations actually face an outsized risk because some attackers realize they can easily exploit companies with weak cyber defenses.

With that in mind, it’s important for organizations to understand that their cybersecurity strategy and toolset — and by extension their budget — need to evolve over time to continue to protect the business.

How much money should be dedicated to your cybersecurity budget?

There is no clear-cut answer for how much money organizations should dedicate to their cybersecurity budget. This figure varies greatly because organizations face different levels of risk depending on their company size, industry, compliance and regulation needs, data being collected and stored, and requirements from clients and partners.

For example, a small medical practice that handles patient health data and must maintain compliance with government regulations like the Health Insurance Portability and Accountability Act (HIPAA) may find it wise to invest in robust tools and technologies. On the other hand, a small auto repair shop that conducts relatively little business online may not need more than a basic toolset to protect its email system and customer database.

Some experts suggest that a general rule of thumb is to invest between 5-20% of the total IT budget on cybersecurity. This money could be used to support a wide range of cybersecurity-related activities, from software purchases or monitoring services to IT staff upskilling and employee cybersecurity awareness training.

If that’s a new or increased expense for your business, here are four steps you can take to prepare for your conversation with leadership.

How to Create a Cybersecurity Budget

Step 1: Review your current cybersecurity budget

The first step toward justifying an increase to your current cybersecurity budget is to review the budget within the context of your organization’s needs and risks. As part of this process, IT leaders can:

  • Take inventory of existing security products and services and their associated costs.
  • Gather any data from these tools that show evidence of their performance, such as number of attacks blocked or threats detected.
  • Identify gaps within the existing toolset where security could be enhanced. This may include tools that automate important but routine activities, like updating or patching computers, training opportunities for IT staff or employees, or new regulations that the organization must comply with.

Ideally, the organization should conduct this audit on a regular basis, at a time that does not coincide with the renewal of any existing tools or software. This will help ensure the IT team and company leaders make the best decision for the business, as opposed to being influenced by an impending deadline.

Step 2: Optimize the existing toolset

After your team has completed its audit, revisit the existing toolset and determine if there are any adjustments that can be made to either strengthen existing coverage or address gaps with the current technologies. This could not only reduce the need to spend money on new tools, but also keep the security toolset less complex, since any new tool will need to be integrated within the existing architecture and managed by staff.

Many trusted, reputable security vendors will meet with clients to periodically review their tools’ capabilities and functions to ensure they are getting the most out of the product features, as well as properly setting up and configuring those tools.

Step 3: Outline new requirements that need to be met, including compliance

After completing steps 1 and 2, if there are still gaps within the security strategy that need to be addressed, the IT leader should outline what those requirements are and the tools or processes that need to be implemented to address them.

Some requirements, like complying with government regulations regarding sensitive customer data, personal health information or banking details, simply must be met — or the business will undoubtedly face significant legal and financial consequences.

For other issues, like improving cybersecurity awareness among employees through a new training course, the need may be less definitive or urgent. In these cases, the IT leader should document events or activity in the past that establish the need for such a program and justify its cost. Remember: In many cases, the cost of a security program will be far more economical than suffering a breach — not to mention less disruptive to the business.

Step 4: Conduct a risk assessment (could be based on size, industry, product)

For some organizations, it may make sense to conduct a risk assessment. A risk assessment is a full audit of the business that identifies anything that could be the target of a cyberattack, such as computers, mobile phones, customer data, IP or other assets. For IT teams with limited cybersecurity expertise, it may be helpful to partner with a cybersecurity vendor to conduct this assessment and pinpoint those areas that are most at risk.

While risk assessments may not be necessary for all small businesses, as breaches and cyberattacks become more common, some companies may find that large clients or partners will require such an audit as part of the contracting process. (This is because risks that affect a vendor or partner may also create risk for the client.) For that reason, companies should consider earmarking money within the budget should the need arise during the year.

Additional considerations:


As organizations reconsider their cybersecurity strategy, it may become clear that they need someone to help oversee these new requirements. In such a case, it can be helpful to engage your cybersecurity partner to help outline the responsibilities of that position, as well as the experience and skills such a person should possess.

It is important to keep in mind that cybersecurity talent is in short supply around the world. For that reason, it may be more cost-effective and practical for some companies to consider an outsourcing model, as opposed to building an in-house capability.


Since cybercriminals often use people as an initial point of entry during a cyberattack — especially when it comes to phishing — it is important to ensure that people understand the role they play in maintaining the organization’s cybersecurity.

If the company does not already have a cybersecurity awareness training course, the IT team may consider developing one to be completed by every employee, regardless of level, location or job scope. For larger organizations or those that face a higher level of risk, it may also be wise to tailor learning programs based on job type or level of experience, as well as location.

Business Priorities

At the end of the day, cybersecurity is an enabler of business growth. After all, a secure business is a healthy business.

To that end, the cybersecurity strategy should take into account new business initiatives and priorities that may fundamentally change security needs. For example, a business that is shifting to the cloud will need to deploy new cloud-specific security tools since traditional on-premises tools do not protect cloud-based assets. If the company is allowing employees to work remotely as a way to cut down on operational costs or provide a better work experience, the IT team must take steps to ensure that company computers and data remain protected on home networks.

Cyber Insurance

Cyber insurance, sometimes referred to as cyber liability insurance or cyber risk insurance, is a type of insurance that protects businesses in the event of a cyberattack. While not every small business will need to purchase a cyber insurance policy now, it is becoming a common requirement for doing business with some clients. Like the risk assessment, it may be wise to earmark funds for this activity in case a customer makes it a contractual requirement.

Take Your Security to the Next Level with CrowdStrike

Comprehensive, top-tier coverage is possible for small businesses. CrowdStrike Falcon® Go is an easy-to-manage and affordable solution custom-built for small businesses that prevents ransomware, malware, and the latest cyber threats.

  • Protect your business with the industry-leading, next-generation antivirus solution proven to stop advanced attacks.
  • Leverage device control to help you monitor and govern USB devices that could put your network at risk.
  • Deploy one lightweight sensor and start protecting your business instantly, no matter where your devices are.
