"How much should we be spending on cybersecurity?"
It's one of the most common questions small business owners ask—and one of the hardest to answer with a single number. The right budget depends on your industry, the data you handle, your regulatory obligations, your risk tolerance, and the maturity of your current defenses.
But while there's no universal figure, there are benchmarks, frameworks, and practical realities that can help business leaders make informed decisions. And in 2026, with the FBI's 2024 Internet Crime Report putting reported cybercrime losses for that year at $16.6 billion in the United States alone, the cost of underinvesting has never been clearer.
What Businesses Are Actually Spending
According to the 2025 IANS Research and Artico Search Security Budget Benchmark Report, companies spent an average of 0.69% of revenue on cybersecurity in 2024 and 2025—up from 0.50% in 2020. For a business generating $5 million in annual revenue, that translates to roughly $34,500 per year on security.
That figure, however, reflects averages across organizations of all sizes. Small businesses tend to spend differently—often less in absolute dollars but more as a percentage of revenue, because the foundational tools cost roughly the same whether you have 10 employees or 100.
According to Analysys Mason, global SMB spending on cybersecurity is projected to reach $109 billion by 2026, growing at a 10% compound annual growth rate. A 2025 study by MySecurityMarketplace found that 63% of small businesses increased their cybersecurity budgets year-over-year—a sign that awareness is rising, even if spending levels haven't caught up with the threat landscape.
The challenge is that 66% of SMBs still cite cost as the top obstacle to adopting stronger cybersecurity, according to CrowdStrike's 2025 survey. Many business owners look at cybersecurity as a cost center rather than a risk management investment—until an incident forces a different perspective.
The Cost of Not Investing
Before building a budget, it's worth understanding what you're budgeting against.
According to IBM's 2025 Cost of a Data Breach Report, small businesses can expect to pay between $120,000 and $1.24 million to respond to and resolve a security incident. That figure includes direct costs—forensic investigation, system remediation, legal counsel, regulatory notifications—as well as indirect costs like lost revenue during downtime and long-term customer attrition.
Some additional data points that help frame the conversation:
- Downtime costs add up fast. IBM's report found that organizations estimated the cost of lost business from a breach—including revenue from system downtime, lost customers, and reputation damage—at $1.38 million on average.
- Recovery takes longer than expected. Research indicates that 24% of breach costs materialize more than a year after the initial incident. Even businesses that survive often need 12 to 18 months to fully recover their revenue.
- Ransomware is a primary driver. According to the 2025 Verizon DBIR, ransomware appeared in 88% of breaches involving SMBs. The average cost of a ransomware incident reached $5.08 million in 2025, according to IBM.
- Small businesses are disproportionately affected. A widely repeated industry statistic holds that approximately 60% of small businesses that suffer a significant cyberattack cease operations within six months. Treat that figure as illustrative rather than authoritative: it circulates without a traceable primary study behind it.
When even the low end of that incident range is roughly 3 to 4 times the annual security budget of a $5 million business spending at the 0.69% average, and the high end is more than 30 times it, the economics of prevention become difficult to ignore.
What a Cybersecurity Budget Should Cover
For small businesses, cybersecurity spending generally falls into several categories. As we outlined in the small business cybersecurity checklist, these are the core areas that security professionals consider essential:
Endpoint Protection (EDR/MDR)
Modern endpoint detection and response (EDR) watches every device (laptops, desktops, servers) for ransomware, malware, and the hands-on-keyboard activity that follows an initial compromise, and can isolate a host before an attacker spreads. The managed (MDR) component adds 24/7 analysts who triage and respond to alerts, which matters for small businesses with no one watching a console overnight. Industry pricing for EDR with 24/7 SOC monitoring typically ranges from $15 to $25 per device per month, depending on the provider and scope of monitoring. When comparing quotes, ask whether the price includes active response (host isolation, remediation) or only alerting.
Email Security
Given that phishing remains the most common attack vector—with the FBI reporting a 274% increase in phishing losses in 2024—email security is a foundational investment. Advanced email protection for business email platforms typically costs $8 to $15 per mailbox per month.
Patching and Vulnerability Management
Automated OS and third-party application patching keeps known vulnerabilities closed. The 2025 Verizon DBIR found that 20% of breaches began with exploited vulnerabilities. Managed patching services generally range from $8 to $15 per device per month. The contractual detail worth more than the price is the patch window: how quickly critical and actively exploited vulnerabilities are deployed, and whether the provider reports on devices that missed a cycle.
Security Awareness Training
With the human element involved in 60% of breaches according to Verizon, training employees to recognize threats is one of the highest-return security investments. Training platforms with simulated phishing typically cost $3 to $8 per user per month.
Backup and Disaster Recovery
Reliable backups are what separate a ransomware demand from a business catastrophe, but only if the attacker cannot reach them: ransomware operators routinely delete or encrypt online backups before triggering encryption. Look for offline or immutable copies and, above all, regular restore tests; a backup that has never been restored is an assumption, not a control. Managed backup solutions with regular testing typically range from $10 to $50 per device per month depending on data volume and recovery requirements.
IT Support and Management
General IT management—helpdesk support, device management, cloud administration, employee onboarding and offboarding—is closely intertwined with security. Managed IT services in North America typically range from $100 to $250 per employee per month for comprehensive support, according to multiple industry pricing guides. Some providers offer hours-based pricing models rather than per-user models, which can be more cost-effective for smaller teams.
Security Assessments
Periodic security assessments help identify gaps before attackers do. One-time assessments for businesses under 100 employees typically range from $1,500 to $5,000, with many providers including assessments as part of ongoing managed service engagements.
Putting It Together: Budget Ranges by Company Size
Based on current industry pricing, here's what small businesses in Canada and the United States can generally expect to invest for comprehensive IT management and cybersecurity protection:
10-Employee Business
| Category | Estimated Monthly Cost |
|---|---|
| Managed IT Support | $775 – $1,500 |
| Endpoint Security (EDR/MDR) | $150 – $250 |
| Email Security | $80 – $150 |
| Patching | $80 – $150 |
| Security Training | $30 – $80 |
| Backup & Recovery | $100 – $500 |
| Total Range | $1,215 – $2,630/month |
25-Employee Business
| Category | Estimated Monthly Cost |
|---|---|
| Managed IT Support | $1,500 – $3,000 |
| Endpoint Security (EDR/MDR) | $375 – $625 |
| Email Security | $200 – $375 |
| Patching | $200 – $375 |
| Security Training | $75 – $200 |
| Backup & Recovery | $250 – $1,000 |
| Total Range | $2,600 – $5,575/month |
50-Employee Business
| Category | Estimated Monthly Cost |
|---|---|
| Managed IT Support | $3,000 – $5,500 |
| Endpoint Security (EDR/MDR) | $750 – $1,250 |
| Email Security | $400 – $750 |
| Patching | $400 – $750 |
| Security Training | $150 – $400 |
| Backup & Recovery | $500 – $2,000 |
| Total Range | $5,200 – $10,650/month |
These ranges assume comprehensive managed services including both IT support and cybersecurity, with one managed device and one mailbox per employee; businesses with servers, shared workstations, or multiple devices per person should count devices rather than people for the endpoint, patching, and backup lines. Note also that the Managed IT Support line sits below the $100 to $250 per employee figure quoted earlier, consistent with the bundled or hours-based pricing mentioned above; per-user quotes for full-service support may come in higher. One-time security assessments and MFA are not included in the monthly totals. Organizations may find providers offering bundled pricing that reduces the total compared to purchasing each service separately.
It's worth noting that these figures compare favorably to the cost of equivalent in-house capabilities. As we explored in our managed IT vs. in-house cost comparison, a basic two-person internal IT department costs approximately $185,000 annually in salary alone—before accounting for tools, training, and the 24/7 coverage that managed providers include.
How to Get the Most From Your Budget
For businesses working within tight budgets, several strategies can help maximize protection per dollar:
Prioritize the Highest-Impact Protections First
Not all security investments carry equal weight. If you're building from scratch, the highest-return investments tend to be:
- Multi-factor authentication — often free or low-cost; blocks the bulk of credential-stuffing and password-reuse attacks. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where the platform supports them, since SMS codes and push approvals can be defeated by real-time phishing proxies and push-fatigue attacks.
- Endpoint detection and response — the single most impactful paid security tool
- Email security — protects against the most common attack vector
- Automated patching — closes the vulnerabilities attackers most commonly exploit
These four categories address the attack vectors responsible for the vast majority of breaches.
Look for Integrated Providers
Working with separate vendors for IT support, email security, endpoint protection, and security training creates complexity and potential gaps. As we discussed in our guide on how to evaluate and choose a managed IT and cybersecurity provider, integrated providers that bundle IT management and security under one roof often deliver better protection at a lower total cost than assembling point solutions from multiple vendors.
Take Advantage of Bundled Pricing
Many providers offer bundled packages that reduce per-service costs when multiple security tools are purchased together. A bundle that includes endpoint protection, email security, patching, and training will typically cost less than purchasing each individually.
Consider Annual vs. Monthly Billing
Some providers offer discounts of 10-20% for annual commitments on security services. For businesses confident in their provider relationship, this can represent meaningful savings—though it's worth ensuring the provider offers the flexibility to adjust services as needs change.
Don't Overlook the Canadian Context
For Canadian businesses, cybersecurity spending carries additional considerations. PIPEDA and provincial privacy legislation create compliance obligations that may influence which tools and services are necessary. The Canadian Centre for Cyber Security offers free resources and guidance specifically designed for small and medium organizations, including the Baseline Cyber Security Controls framework.
According to Statista, the Canadian cybersecurity market is projected to reach $4.23 billion in 2025, with security services accounting for more than half of that spending. Canadian SMBs face the same threats as their American counterparts but may have access to different funding programs and compliance frameworks.
The Budget Conversation Your Business Needs to Have
Cybersecurity budgeting isn't a one-time exercise. It's an ongoing conversation that should evolve as your business grows, as the threat landscape changes, and as your understanding of your own risk profile deepens.
A few principles worth keeping in mind:
- Frame security as risk management, not IT overhead. The question isn't "how much does this cost?" but "what risk does this reduce, and what would that risk cost if it materialized?"
- Start with an assessment. Before allocating budget, understand where your gaps are. A security assessment provides a prioritized view of your vulnerabilities—helping you direct spending where it matters most rather than guessing.
- Budget for the ongoing, not just the one-time. Cybersecurity isn't a project with a finish line. It requires sustained investment in monitoring, updates, training, and adaptation. Build recurring costs into your operating budget rather than treating them as capital expenditures.
- Revisit annually at minimum. The threat landscape is evolving faster than annual budget cycles. What was adequate last year may not be adequate today—particularly as AI-powered attacks become more sophisticated and accessible.
The businesses that navigate cybersecurity spending most effectively tend to be those that view it not as an expense to minimize but as an investment in business continuity. In a landscape where even a low-end incident costs 3 to 4 times a typical annual security budget, a severe one costs many times more, and either can threaten the survival of the business itself, the return on prevention is difficult to overstate.
This article is intended for informational purposes only and does not constitute professional financial, security, legal, or compliance advice. Pricing ranges cited reflect general industry benchmarks and may vary by region, provider, and scope of services. Organizations should consult with qualified professionals to assess their specific needs and develop appropriate budgets.