How to Decide Where to Spend Your Cybersecurity Money When You’re on a Limited Budget

Most organisations will agree that devoting a certain amount of financial resources to cybersecurity is important. After all, 58 per cent of businesses have already fallen prey to some sort of cyber attack.

Without an adequate cybersecurity framework in place, it’s only a matter of time before an issue arises.

Many SMBs are in a particularly precarious position because they only have so much to spend. Resources are often limited, and there’s very little wiggle room.

They obviously need to address key concerns and invest in “cybersecurity.” But that’s a wide umbrella.

How do you know how to prioritise your spending? And how do you know that your money is going to the right places and not being wasted?

Here’s some advice on deciding where to spend your cybersecurity money when you’re on a limited budget.

Average Cybersecurity Spend

To begin, it’s nice to know how much of the overall IT budget companies are spending on cybersecurity and risk management. According to late 2016 data from Gartner, it ranges from roughly 1 per cent to 13 per cent with the average being 5.6 per cent.

Those at the low end usually have minimal security controls where threats may go undetected for long stretches of time. On the other hand, those on the high end take security very seriously and are incredibly diligent about it.

They typically have dedicated staff (either in-house or outsourced) and implement cutting-edge technologies to continually stay ahead of cybercriminals.

So if you were wondering how your organisation compares, this is a good benchmark to look at.

Top Threats at the Moment

Next, you’ll want to know which specific threats are most prevalent these days. A recent survey found that the biggest issues companies face in 2018 are:

  • Phishing – 55 per cent of participants say this is the biggest risk.
  • Ransomware – 45 per cent say this is the biggest risk.
  • The cloud – More than half of participants believe that cloud-based threats will become an increasing problem. If this environment isn’t properly secured, threats can easily work their way in.
  • Cryptocurrency jacking – 29 per cent of companies don’t feel confident in their ability to protect against hackers stealing cryptocurrency.

Besides that, malware (particularly mobile malware), password attacks and denial-of-service (DoS) attacks continue to be ongoing problems and will likely continue for the foreseeable future.

While there is a myriad of threats that you may encounter, these are some of the most common and definitely demand your attention.

Where Organisations are Spending the Most

Let’s also look at the areas in which other organisations are spending. We actually discussed this in a previous article where we went over how to get the absolute most from your cybersecurity budget.

Here’s a graph that breaks down IT security spending trends.


As you can see, the top three technologies are access and authentication, advanced malware protection and endpoint security. Not far behind are wireless security, data protection and continuous monitoring. After that, there’s a considerable drop-off.

In terms of how satisfied organisations are with their investments, these are the top 10 “big wins.”



This gives you a general idea of where companies are spending their cybersecurity money and which technologies have paid off the most. And that should hopefully give you a starting point where you have a basic understanding of which types of security are most important.

If it works for other organisations, it’s likely to work for you as well.

Identifying Your Needs

Now we know about some of the major threats that organisations are facing as well as where they’re investing their money. But let’s figure out exactly where to spend your cybersecurity money.

There are three main questions you’ll want to ask yourself here:

  • What is our budget?
  • Which specific outcomes do we want?
  • What will allow us to achieve those outcomes?

The best way to answer these questions is to assess your current situation and identify any critical vulnerabilities.

For example, you may have recently fallen victim to a phishing attack and are concerned that your employees are vastly unprepared to spot the difference between a legitimate email and a bogus one. In this case, one of your primary needs would be to invest in anti-phishing software to defend your company against advanced attacks.

On top of that, you may want to have your employees partake in phishing awareness training so that they’re better equipped to handle spoof emails.

The bottom line is that preventing phishing attacks would be one of your main points of emphasis.

Repeat this process until you’ve pinpointed your most pressing needs. Take an in-depth look at your cybersecurity posture and determine which areas most demand your attention, because those are the areas you’ll want to focus on.

This isn’t to say that other aspects of cybersecurity aren’t important, but these areas will be given preference. Remember that once you’ve got them under control and have allocated resources effectively, you can always go back and address other areas later on.


Prioritising Your Spending

In all likelihood, your budget will be too small to get the exact outcome you’re looking for, so you’ll need to make the necessary adjustments to get as close as possible.

Or as the Prescient Solutions team puts it, “Evaluate your spending to make sure it offers the most impact. If your budget doesn’t support everything, you may need to weigh the impact of protecting the most vulnerable asset against protecting a greater number of other assets.”

In other words, you’ll probably need to make some budgetary changes so that your spending better aligns with your needs. Here’s an example.

Say that your top three areas of focus are:

  1. Preventing phishing attacks
  2. Properly securing your cloud environment
  3. Protecting against mobile malware

But let’s say that you’re currently spending on numerous other security technologies only to find that some aren’t having all that much of an impact. For instance, maybe you’ve invested big money into a robust analytics platform but have found it to be overkill and you’re not utilising all of the features.

In this case, it would probably make sense to downgrade your security analytics and funnel that money into beefing up phishing attack protection, securing your cloud environment, etc.

In other situations, you may be able to eliminate an inefficient technology entirely or opt for a free version of the software instead. As long as you’re protected and able to concentrate on your most critical threats, you should be in good shape.

This is a good example of how to switch up your budget so that your money goes to the most critical areas and doesn’t get wasted on things that are less important. It’s all about getting the most overall value.

However, it’s also important to maintain a sense of balance. You certainly don’t want to get so wrapped up in investing in a new technology that you completely ditch existing ones that are tried-and-true and provide a fundamental level of protection.

So keep this in mind whenever you decide to either stop or reduce spending in a particular area.

This brings us to our final point.

Avoiding Panic Spending

There’s one last thing to discuss, and that’s “panic spending.” Say that you recently encountered a particular threat that greatly compromised security and nearly led to a data breach.

This will naturally create a great deal of concern and anxiety where you’ll want to increase spending to ensure that it doesn’t happen again. That’s to be expected.

But one mistake that some organisations make is panic spending where all of a sudden they buy expensive products and services that they don’t truly need. And they do it to the point that they end up reducing spending for other types of security.

This is a double whammy because you end up overspending on products and services that aren’t delivering real value, while at the same time making yourself more vulnerable in other areas.

So it’s important to maintain a sense of objectivity and see the big picture when deciding how much to invest in a new technology. Ideally, there will be multiple decision-makers involved to keep it objective.

Spending Smarter

In a perfect world, you would have a limitless budget. You could devote hundreds of thousands if not millions of dollars to strengthening your cybersecurity until it’s impenetrable.

Unfortunately, this just isn’t realistic. While megalithic corporations may have deep pockets with teams that are solely dedicated to digital protection, this isn’t usually the case for most SMBs.

You likely have a limited budget and only so much money to devote to cybersecurity. So you need to make every dollar count.

Although spending more may not be an option, spending smarter definitely is. And that’s what you’re going for here — making the absolute most of your cybersecurity budget.

By carefully assessing key vulnerabilities, examining your needs and prioritising your spending, you can put your organisation in the best possible position so that you’re equipped to handle whatever cyber threats come your way.
