Cybersecurity for Small Businesses: Spending Trends

Small businesses with fewer than 100 employees make up over 90% of companies in the United States. As more business functions move online, these small companies face growing cybersecurity threats. However, many small businesses lack the budget and expertise to implement robust cyber defenses.

Key questions arise around how much small companies currently invest in cybersecurity measures and how this compares to the risks they face. With limited resources, what are the top priorities and recommendations to improve small business cyber protection? This article will analyze available data to detail current spending levels, breakdowns by category, drivers, and expert guidance to strengthen cybersecurity for small enterprises.

Cyber Attacks Targeting Small Businesses

Small businesses are becoming prime targets for cybercriminals. According to research, over 60% of small businesses have experienced a cyber attack. The frequency and severity of attacks are increasing every year as hackers develop more sophisticated methods.

Some of the most common threats targeting small businesses include phishing, ransomware, malware, and DDoS attacks. Phishing attempts to steal login credentials through fraudulent emails, websites, or SMS messages. Ransomware encrypts data and systems until a ransom is paid. Malware is malicious software designed to infiltrate networks and steal data. DDoS attacks overwhelm sites and servers by flooding them with traffic.

These attacks can have devastating consequences for small businesses. A successful breach can lead to loss of customer data, financial theft, and interruption of business operations. According to studies, 60% of small companies go out of business within 6 months after a cyber attack. The average cost of a data breach for small businesses is estimated to be over $200,000. The financial impact goes beyond just immediate costs, as attacks damage customer trust and company reputation.

With small businesses holding sensitive consumer data and financial information, they have become low-hanging fruit for hackers looking for quick profits through extortion and theft. Unfortunately, many small businesses lack resources and expertise to defend themselves from rapidly evolving cyber threats. This growing cybersecurity risk threatens the survival and success of small businesses everywhere.

Lack of Cybersecurity Investment

Many surveys have shown that small businesses significantly lag behind large enterprises when it comes to cybersecurity investment. For example, a 2019 survey by Keeper Security found that 43% of small businesses didn’t allocate any budget at all to cybersecurity.

There are several key reasons small businesses tend to underinvest in cybersecurity:

  • Cost – Many cybersecurity solutions like firewalls, endpoint detection and response, and managed security services require significant upfront investment and ongoing maintenance costs. This can be challenging for small companies working with limited IT budgets.
  • Lack of resources and expertise – Smaller companies often don’t have dedicated IT security staff with the expertise to effectively evaluate, deploy and manage cybersecurity tools and strategies. They may lack understanding of the latest cyber threats.
  • Other priorities – With limited resources, small businesses often prioritize other perceived needs like new hardware/software, website development, marketing, etc. Cybersecurity is often viewed as more of an afterthought.

The consequences of cybersecurity underinvestment can be severe for small companies. Since cyber criminals see small businesses as “easy prey”, attacks are rampant. According to Verizon’s 2020 Data Breach Investigations Report, 43% of breaches targeted small businesses – the most of any industry. The average cost of a breach for small businesses is around $200,000. Without adequate security, a single ransomware attack or data breach can bankrupt a small business. Lawsuits, fines, and loss of customer trust can also result from cyber attacks.

Average Cybersecurity Spending

Cybersecurity spending varies greatly across small businesses based on factors like revenue, industry, and risk exposure. According to industry research, the average small business (under 100 employees) spends around $400-500 per employee per year on cybersecurity.

When segmented by revenue, cyber spending differences become more apparent:

  • Under $1 million: Less than $500 per employee
  • $1-10 million: Around $1,500 per employee
  • $10-50 million: Approximately $2,500 per employee
  • $50-100 million: Over $3,000 per employee

Over the past 5 years, small business cybersecurity spending has steadily increased by 10-15% annually as threats have grown. However, most experts agree that small companies continue to underinvest given increasing cyber risks. The average small business spends only 3-5% of its IT budget on security, whereas large enterprises spend 15% or more.

While cyber spending has increased recently, small businesses have significant room for improvement when it comes to investing in cybersecurity protections and preparedness. With limited budgets, setting the right priorities and getting the most value is critical.

Breakdown by Category

Small businesses allocate cybersecurity spending across various categories, with the distribution differing based on company size.

  • Software: This includes endpoint security, firewalls, data encryption, email security, web filtering, antivirus, and other software tools. Small companies with under 20 employees spend around 30% of their cybersecurity budget on software. For those with 20-100 employees, software accounts for 25% of spending.
  • Services: Smaller companies rely more heavily on managed security services, incident response, and IT consulting. Those with under 20 employees allocate 40% of their cybersecurity spending to services. For slightly larger companies the figure is 35%.
  • Staff: Larger small businesses are more likely to have dedicated IT security staff. Companies with 20-100 employees spend 30% of their cybersecurity budget on staffing, compared to just 20% for those with under 20 employees.
  • Hardware: This includes servers, firewall appliances, routers, and other hardware. Across all small business sizes, hardware averages around 10% of cybersecurity spending.
  • Other: The remaining cybersecurity budget goes toward compliance audits, security awareness training, data backups, and other expenses. This accounts for 15-20% for most small companies.

The distribution illustrates how small businesses rely more on outside services and software tools to bolster security, while larger companies are more able to invest in in-house staff and expertise. But all sizes face the challenge of efficiently allocating limited resources across these categories.

As a Percentage of Revenue

Small businesses typically spend a much smaller percentage of revenue on cybersecurity compared to large enterprises. Industry research indicates that large companies allocate 3-4% of their overall IT budget to security, which can equate to 0.5-1% of total revenue. In contrast, small businesses only spend around 0.04% of total revenue on cybersecurity.

This massive gap highlights the lack of investment from small companies. Experts recommend that small businesses target spending at least 8-10% of their IT budget on cybersecurity. For a company earning $10 million in annual revenue, this would equate to $80,000-100,000 annually. While this may seem high, it is necessary to properly protect against modern cyber threats.

Benchmarking studies reveal the most cyber-mature small businesses spend up to 15% of their IT budget on security. Small companies need to view cybersecurity spending not as a cost center, but as an investment that pays dividends. With the increasing frequency and sophistication of cyber attacks, the question for small businesses is no longer whether they can afford proper cybersecurity, but whether they can afford not to.

Key Drivers and Priorities

Small businesses are motivated to invest in cybersecurity for several key reasons. The top drivers include:

  • Increasing cyber threats – Small companies are being targeted more frequently by cybercriminals using phishing, malware, and ransomware attacks. As threats rise, so does the need for protection.
  • Compliance – Regulations like HIPAA and PCI require minimum security standards for companies that handle sensitive data. Failing to comply can lead to fines and reputational damage.
  • Customer expectations – Consumers expect their data to be protected when doing business. Lacking security can hurt customer trust and retention.
  • Business disruption – Successful breaches can shut down operations for days or weeks, resulting in major financial and productivity losses.
  • Liability concerns – Lawsuits, damages, and notification costs quickly add up following a breach. Proper security reduces potential legal exposure.

In terms of priorities, small businesses tend to focus first on essentials like:

  • Anti-virus and anti-malware tools to block known threats
  • Firewalls to control network access
  • Secure remote access for employees and third parties
  • Data encryption, access controls, and activity monitoring
  • Staff training on security best practices and threat avoidance
  • Backup and recovery systems to restore operations after an attack

With cyber risks continuing to grow, small companies must prioritize threat protection, compliance, and business continuity. Carefully chosen security solutions deliver an excellent ROI compared to the crippling costs of an eventual breach.

Expert Recommendations

Cybersecurity experts emphasize that small businesses should make cybersecurity a priority in their budget. While it may seem expensive, the potential costs of a cyber attack are far greater. Experts recommend the following for small business cybersecurity spending:

  • Conduct a risk assessment to identify your most critical assets and vulnerabilities. This will help prioritize spending on the highest risks.
  • Invest in endpoint security, such as antivirus software and firewalls, on all devices. This provides essential protection against malware and unauthorized access.
  • Implement multi-factor authentication for logins to critical systems. This adds an extra layer of protection beyond just passwords.
  • Back up data regularly and keep backups offline and encrypted. This enables recovery if data is lost or corrupted.
  • Provide cybersecurity training to employees. Careless or unaware employees are a major security risk.
  • Work with a managed security services provider if you lack in-house IT expertise. They can manage solutions tailored for small businesses.
  • Budget at least 8-10% of your overall IT spending for security. Some experts recommend even 15%.
  • View cybersecurity spending as an investment, not just a cost. The upfront costs are far less than the potential business disruption.
  • Develop an incident response plan so you can act quickly in case of a breach.

By following expert guidance, small businesses can make smart, efficient investments in cybersecurity that reduce their risk substantially.

Increasing Future Investment

Cybersecurity spending by small businesses is projected to increase substantially in the coming years. According to research firm Gartner, worldwide information security and risk management spending will reach $170.4 billion in 2022, a 12.4% increase from 2021. While large enterprises make up the bulk of this spending, small businesses are also allocating more of their budgets to cybersecurity.

There are several reasons small business cybersecurity spending is expected to rise:

  • Threat landscape is intensifying – Small businesses are facing more sophisticated cyber attacks like ransomware, phishing, and malware. As threats increase, so does the need for security tools and services.
  • Regulatory requirements – Data protection regulations like GDPR require businesses of all sizes to implement cybersecurity safeguards. Non-compliance can lead to hefty fines.
  • Remote work expands attack surfaces – With more employees working remotely, small businesses need to secure additional devices, networks, cloud apps and other digital assets.
  • Insurance incentives – Cyber insurance providers may require basic security measures or offer more favorable premiums for good cyber hygiene. This motivates increased spending.
  • Reputational damage concerns – A breach can seriously harm an organization’s reputation and customer trust. Proactive spending helps mitigate risks.

While small businesses have traditionally lagged in cybersecurity investment compared to large enterprises, experts recommend dedicating at least 8-15% of IT budgets to security. With breaches growing in frequency and cost, ongoing investment in skilled staff, tools and services is essential for managing risk. Though challenging, allocating sufficient resources to cybersecurity is imperative for small business survival in today’s threat landscape.


Small businesses often underestimate their risk of cyber attacks and data breaches. However, they remain a prime target for hackers due to weaker security infrastructure. This results in many SMBs allocating insufficient funds toward cybersecurity.

Statistics show that small companies spend an average of $5,400 to $36,000 annually on cybersecurity. This represents less than 1-3% of their total revenue. The majority of funds go toward endpoint and mobile security, followed by compliance, network security, and threat intelligence.

While cybersecurity investment has increased in recent years, experts recommend SMBs dedicate at least 8-10% of their IT budget for adequate protection. With the rise in ransomware, phishing, and malware, ongoing security training for employees is also critical.

In conclusion, small businesses cannot afford to neglect cybersecurity. As digital operations expand, companies must prioritize securing customer and company data. With thoughtful preparation and allocation of resources, SMBs can implement cybersecurity best practices to safeguard their business.

Not sure where to start? Contact Cyber Wise Guy today for a free consultation, and let us get you started on the right path!