The Budget Reality
The CrowdStrike 2025 Global Threat Report delivered a finding that should anchor every mid-market security budget conversation: only 7% of small and mid-sized businesses report having sufficient cybersecurity budget to address their risk landscape. Sixty-six percent identify cost as the single greatest obstacle to improving their security posture.
These are not abstract survey results. They describe a structural condition in which the vast majority of organisations below 1,000 employees are making security decisions under genuine resource constraints — and know it.
The Devolutions State of Cybersecurity in SMBs 2025 survey adds granularity to the picture. Twenty-nine percent of SMBs allocate less than 5% of their total IT budget to security. For context, mid-market organisations that benchmark favourably against their peers typically allocate between 7% and 10% of IT spend to security functions. Organisations below the 5% threshold are operating with a security investment that may not cover even baseline controls.
The data is not entirely discouraging. Sixty-three percent of SMBs reported increasing their cybersecurity budgets in 2025, according to the same Devolutions study. Seventy-one percent now have formal cybersecurity policies in place. The trajectory is directionally correct. The problem is pace — budgets are growing, but not at the rate required to match the threat environment these organisations actually face.
The fundamental tension is this: SMBs are allocating more to security than they did three years ago, but the threat landscape has evolved faster than their investment. The result is a widening gap between what organisations spend and what adequate protection actually costs.
The Threat Reality
The threat data explains why incremental budget growth is insufficient.
IBM's 2024 Cost of a Data Breach Report found that organisations with fewer than 500 employees face an average breach cost of USD 3.31 million. This figure is lower than the global average of USD 4.88 million, but it represents a fundamentally different financial impact for a company generating USD 20 million in revenue compared to one generating USD 2 billion. For the former, a single breach event can represent 15% or more of annual revenue.
Verizon's 2025 Data Breach Investigations Report documented that 88% of breaches affecting SMBs now involve ransomware. This concentration is not accidental. Ransomware operators have shifted their targeting toward organisations large enough to pay meaningful ransoms but small enough to lack the defensive infrastructure that makes attacks expensive to execute. Forty-six percent of all breaches in the DBIR dataset affected organisations with fewer than 1,000 employees.
The targeting logic is straightforward. SMBs represent 85% of ransomware targets because they offer the most favourable ratio of potential payout to attack difficulty. Enterprise organisations have invested heavily in detection, response, and resilience capabilities. Many SMBs have not — and threat actors have noticed.
Sophos's 2025 research found that the average ransomware recovery cost now reaches USD 1.53 million, with 49% of affected organisations experiencing data encryption before the attack was contained. Recovery costs include not only ransom payments (where they occur) but also operational downtime, forensic investigation, legal counsel, regulatory notification, and the reputational impact that follows public disclosure.
The implication for budget planning is direct: the cost of a single successful attack now exceeds what most SMBs spend on security over multiple years. Prevention does not need to be perfect to deliver positive ROI — it needs to be good enough to stop the attacks that would otherwise be catastrophic.
The Prioritisation Framework
When budgets are constrained, the allocation question matters more than the total number. Organisations that distribute limited security spend across every possible control achieve shallow coverage everywhere and adequate coverage nowhere. Framework-driven prioritisation produces measurably better outcomes than ad hoc spending.
The Center for Internet Security Controls version 8 provides the most directly applicable prioritisation model for resource-constrained organisations. CIS organises its controls into three Implementation Groups based on organisational size and risk profile. Implementation Group 1 — designed specifically for small and mid-sized organisations with limited cybersecurity expertise — contains 56 safeguards that CIS describes as providing "essential cyber hygiene."
These 56 safeguards are not a simplified version of security. They represent the controls that, according to CIS analysis, defend against the most common attack patterns observed in real-world breaches. An organisation that fully implements IG1 addresses the majority of the attack surface that threat actors exploit most frequently against the mid-market.
NIST Cybersecurity Framework 2.0 offers a complementary prioritisation lens. Its Govern function, added in the 2.0 revision, explicitly addresses the organisational and resource allocation decisions that determine whether technical controls receive adequate investment. For SMBs, the NIST CSF Tiers model provides a maturity benchmark: most organisations below 500 employees operate at Tier 1 (Partial) or Tier 2 (Risk Informed) and should focus investment on reaching Tier 2 consistently before pursuing Tier 3 capabilities.
The practical principle: choose one framework, implement it methodically, and measure progress against its defined milestones. Framework-aligned spending produces auditable evidence of security maturity — evidence that also supports insurance applications, client security assessments, and regulatory compliance demonstrations.
Five Controls That Deliver Outsized Protection
Within any framework-driven approach, certain controls deliver disproportionate risk reduction relative to their cost. For organisations that must prioritise ruthlessly, the following five areas consistently produce the strongest return on limited security investment.
Multi-Factor Authentication
Microsoft's security research has documented that MFA prevents over 99.2% of account compromise attacks. This single control addresses the attack vector responsible for the largest share of initial access across the SMB threat landscape. The implementation cost is modest — most identity providers include MFA in standard licensing — and the risk reduction is substantial.
The priority should be comprehensive coverage: every user account, every administrative system, every cloud application, and every remote access pathway. Partial MFA deployment leaves precisely the gaps that attackers seek. The most common failure mode is not a lack of MFA technology but incomplete rollout — protecting primary email while leaving VPN access, SaaS applications, or service accounts unprotected.
Endpoint Detection and Response
Traditional antivirus operates on signature-based detection — it identifies threats it has seen before. Modern endpoint detection and response platforms monitor behavioural patterns and can identify novel attack techniques, including the fileless malware and living-off-the-land techniques that now characterise the majority of ransomware intrusions.
The mid-market EDR landscape has matured to the point where capable solutions are available at per-endpoint pricing that fits SMB budgets. The critical differentiator is not the product but the monitoring model: an EDR platform that generates alerts no one reviews provides detection without response. Organisations without internal security operations capability should evaluate managed EDR offerings where the vendor provides 24/7 alert triage and escalation.
Email Security
Phishing remains the initial access vector in 44% of breaches documented in the Verizon DBIR. Advanced email security — beyond native platform filtering — addresses the highest-volume attack channel. Modern email security platforms incorporate URL sandboxing, attachment detonation, impersonation detection, and post-delivery remediation capabilities.
The investment case is straightforward: email is the primary entry point for the attacks most likely to affect an SMB, and the cost of dedicated email security is typically between USD 3 and USD 8 per user per month. For a 200-person organisation, that represents USD 7,200 to USD 19,200 annually — a fraction of the cost of a single successful phishing-initiated breach.
Backup and Recovery
Ransomware's business model depends on organisations being unable to restore their own data. A robust backup architecture directly undermines this model by providing a recovery path that does not require paying a ransom.
The 3-2-1-1 backup rule provides a sound architectural standard: three copies of data, on two different media types, with one copy offsite and one copy immutable (unable to be modified or deleted, even by an administrator). The immutability requirement is critical — ransomware operators now specifically target backup infrastructure, and backups that can be encrypted alongside production systems provide no recovery value.
Testing is non-negotiable. Backups that have never been tested in a restoration scenario are assumptions, not controls. Quarterly restoration testing against defined recovery time objectives converts backup from a theoretical safeguard into a verified capability.
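The 3-2-1-1 rule and the restoration-testing requirement above can be checked mechanically against a backup inventory. The following is an added example, not code from the original article: the inventory, copy names and dates are constructed, and the 90-day restore-test window is an assumption that maps the quarterly cadence the text recommends.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class BackupCopy:
    name: str
    media: str                         # "disk", "tape", "object-storage", ...
    offsite: bool
    immutable: bool                    # cannot be altered or deleted, even by an admin
    last_restore_test: Optional[date]  # None = never restored from


def audit_3211(copies, today, max_test_age_days=90):
    """Check an inventory against 3-2-1-1 plus periodic restore testing.
    Returns a dict of failed criteria; an empty dict means every criterion passes."""
    findings = {}
    if len(copies) < 3:                                   # "3": three copies
        findings["copies"] = f"{len(copies)} copies present, 3 required"
    media = {c.media for c in copies}
    if len(media) < 2:                                    # "2": two media types
        findings["media"] = f"{len(media)} media type(s), 2 required"
    if not any(c.offsite for c in copies):                # "1": one offsite copy
        findings["offsite"] = "no offsite copy"
    if not any(c.immutable for c in copies):              # "1": one immutable copy
        findings["immutable"] = "no immutable copy; every copy could be encrypted with production"
    stale = [c.name for c in copies
             if c.last_restore_test is None
             or (today - c.last_restore_test).days > max_test_age_days]
    if stale:                                             # backups never restored are assumptions
        findings["restore_test"] = "never or not recently restore-tested: " + ", ".join(stale)
    return findings


TODAY = date(2025, 6, 30)  # constructed reference date

# Constructed inventory: three copies, two media, one offsite, but nothing immutable
WEAK_INVENTORY = [
    BackupCopy("prod-snapshot", "disk", offsite=False, immutable=False, last_restore_test=date(2025, 6, 1)),
    BackupCopy("nas-replica", "disk", offsite=False, immutable=False, last_restore_test=date(2025, 6, 1)),
    BackupCopy("cloud-copy", "object-storage", offsite=True, immutable=False, last_restore_test=None),
]

# Same inventory after making the cloud copy immutable and proving a restore from it
HARDENED_INVENTORY = [
    BackupCopy("prod-snapshot", "disk", offsite=False, immutable=False, last_restore_test=date(2025, 6, 1)),
    BackupCopy("nas-replica", "disk", offsite=False, immutable=False, last_restore_test=date(2025, 6, 1)),
    BackupCopy("cloud-copy", "object-storage", offsite=True, immutable=True, last_restore_test=date(2025, 5, 15)),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK_INVENTORY), ("hardened", HARDENED_INVENTORY)):
        print(label, audit_3211(inventory, TODAY) or "meets 3-2-1-1 with tested restores")
```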
Security Awareness Training
The human element remains the most frequently exploited vulnerability in SMB environments. Structured security awareness training — conducted regularly, not annually — measurably reduces the success rate of social engineering attacks.
Effective programmes move beyond compliance checkbox training to include simulated phishing campaigns with immediate coaching, role-specific threat briefings for finance and executive teams, and incident reporting mechanisms that encourage employees to flag suspicious activity without fear of reprimand. The cost is typically USD 15 to USD 30 per employee annually, making it one of the most cost-effective controls available.
When Regulation Forces the Conversation
For a growing number of mid-market organisations, security budget allocation is no longer entirely discretionary. Regulatory requirements are expanding to cover entities that previously fell below compliance thresholds.
The NIS2 Directive, which EU member states were required to transpose into national law by October 2024, significantly expanded the scope of organisations subject to cybersecurity obligations. Estimates place more than 160,000 entities across the EU within NIS2 scope — including many mid-sized organisations in sectors such as digital infrastructure, ICT service management, manufacturing, food production, and waste management that were not covered under the original NIS Directive.
For financial sector entities, DORA (the Digital Operational Resilience Act) imposes specific requirements for ICT risk management, incident reporting, resilience testing, and third-party risk oversight. These obligations apply to a broad range of financial entities, including many smaller firms and their critical ICT service providers.
The compliance economics are reshaping budget conversations. Organisations within regulatory scope face a binary choice: invest in the controls, processes, and governance structures that regulations require, or accept the consequences of non-compliance — which under NIS2 can include administrative fines of up to EUR 10 million or 2% of global annual turnover for essential entities.
ENISA's 2024 NIS Investments report found that 59% of SMEs within scope struggle to find qualified cybersecurity talent to meet their compliance obligations. This talent constraint compounds the budget constraint — organisations must not only fund compliance activities but compete for the limited pool of professionals qualified to implement them.
The practical implication: regulatory compliance spend is becoming a fixed cost for an expanding set of mid-market organisations. Budget planning that treats security as fully discretionary will increasingly conflict with legal obligations.
Build vs Buy vs Outsource
The allocation decision extends beyond which controls to fund. How those controls are delivered — through internal teams, purchased technology, or outsourced services — significantly affects both cost and effectiveness.
In-House Security Operations
Building an internal security operations centre requires a minimum investment of approximately USD 500,000 per year when accounting for personnel (at least two to three analysts for adequate shift coverage), tooling (SIEM, EDR, vulnerability management, ticketing), and ongoing training and certification costs.
This model makes sense for organisations with more than 500 employees, complex regulatory requirements demanding continuous internal oversight, or threat profiles that require dedicated institutional knowledge. Below that threshold, the fixed cost of in-house operations typically exceeds what the organisation's risk profile justifies.
Managed Security Service Providers
MSSPs offer outsourced monitoring, detection, and response capabilities at monthly costs ranging from USD 3,000 to USD 15,000 for SMB-scale engagements, depending on scope, endpoint count, and service level. This model provides access to 24/7 security operations without the fixed cost of building internal capability.
The MSSP model suits organisations between 50 and 500 employees that need monitoring and response capability but lack the scale to staff it internally. The critical evaluation criteria are detection efficacy, mean time to respond, escalation procedures, and transparency of reporting. Not all MSSPs deliver equivalent value — organisations should request documented metrics on detection rates and response times, not just service descriptions.
Fractional CISO
For strategic security leadership — as distinct from operational monitoring — the fractional CISO model provides executive-level guidance at monthly costs ranging from USD 2,000 to USD 11,600, depending on engagement scope and hours.
This model addresses the governance and strategy layer: risk assessment, policy development, framework implementation, board reporting, vendor risk management, and audit readiness. It complements rather than replaces operational security capabilities. An organisation might engage both an MSSP for operational monitoring and a fractional CISO for strategic direction — the combined cost remaining well below a single full-time CISO hire.
Decision Framework
| Factor | In-House SOC | MSSP | Fractional CISO |
|---|---|---|---|
| Typical monthly cost (USD) | 40,000+ | 3,000 - 15,000 | 2,000 - 11,600 |
| Best fit (employees) | 500+ | 50 - 500 | 50 - 200 |
| Primary value | Full operational control | 24/7 monitoring and response | Strategy, governance, compliance |
| Regulatory fit | Heavy regulation | Standard compliance | Compliance readiness and planning |
| Security maturity | Established programme | Building detection capability | Building programme from foundations |
The models are not mutually exclusive. The most effective approach for many mid-market organisations combines outsourced operational capability with strategic advisory — matching the delivery model to the function rather than forcing all security needs into a single engagement structure.
What Strategic Allocation Looks Like
The data points in a consistent direction. Organisations that achieve meaningful security outcomes on constrained budgets share several characteristics:
They adopt a framework and implement it systematically rather than purchasing tools reactively. They concentrate investment on the controls that address their actual threat profile — which, for most SMBs, means prioritising email security, endpoint protection, MFA, backup resilience, and user awareness above more advanced capabilities. They choose delivery models that match their scale rather than attempting to replicate enterprise security architectures at a fraction of the budget.
The 7% of SMBs that report sufficient security budgets are not necessarily spending more in absolute terms. They are spending against a defined plan, measuring outcomes against that plan, and making allocation decisions based on risk data rather than vendor marketing.
For the remaining 93%, the path forward is not to wait for budgets to reach sufficiency. It is to ensure that every unit of current spend reduces the maximum possible risk. In a threat environment where 88% of SMB breaches involve ransomware and the average breach costs USD 3.31 million, even modest investments in the right controls produce substantial risk reduction.
The question is not whether SMBs can afford enterprise-grade security. They cannot. The question is whether they can afford to allocate strategically within their actual constraints. The evidence suggests that they can — and that the organisations that do so achieve protection that is disproportionate to their investment.
Sources
Budget and Spending Data
- CrowdStrike, 2025 Global Threat Report — 7% budget sufficiency, 66% cost as top obstacle
- Devolutions, State of Cybersecurity in SMBs 2025 — 63% increased budgets, 29% allocate less than 5% of IT spend, 71% have formal policies
Breach Cost Data
- IBM Security / Ponemon Institute, 2024 Cost of a Data Breach Report — USD 3.31M average for organisations under 500 employees, USD 4.88M global average
- Sophos, State of Ransomware 2025 — USD 1.53M average recovery cost, 49% encryption rate
Threat Data
- Verizon, 2025 Data Breach Investigations Report — 88% of SMB breaches involve ransomware, 46% of all breaches affect organisations under 1,000 employees
Framework References
- Center for Internet Security, CIS Controls v8 — Implementation Group 1, 56 safeguards
- NIST, Cybersecurity Framework 2.0 — Govern function, Tiers model
Control Effectiveness
- Microsoft Security, Digital Defense Report — MFA prevents over 99.2% of account compromise attacks
Regulatory Data
- ENISA, NIS Investments 2024 — 59% of SMEs struggle to find qualified cybersecurity talent
- European Commission — NIS2 scope estimates, 160,000+ entities
Workforce Data
- ISC2, 2024 Cybersecurity Workforce Study — 4.8 million global workforce gap