How much should businesses invest in cyber resilience? 

Ramsac network monitoring cybersecurity

A common error that organisations can make, is to think of cyber resilience as a one-time financial spend instead of a financial investment for their future.  Rather than an ad hoc  or one off spend, we recommend that organisations consider cyber resilience as a moving target, one that is constantly evolving. Building long-term resilience requires sustained investment and you should consider a separate budget line which demonstrates your commitment to continued protection for your business. Which elements of cyber resilience you invest in year after year may grow and change based on your industry standards, the size of the organisation or breaches you experience. Cyber resilience measures you may choose to invest in could include:  

  • Training for your staff. 
  • Phishing testing and awareness 
  • Cyber monitoring and response services 
  • Penetration testing. 
  • Incident response planning 
  • Cyber Resilience Certification. 
  • Software tools such as malware protection, password management or threat detection 
  • Device and application management tools and services 
  • Tools and processes to manage software and hardware patching and updates 
  • Cyber audits/risk assessments 
  • Cyber insurance 

If, as a board, you are asking yourselves what percentage of revenue should go on a cybersecurity budget, unfortunately there is no single recommended percentage of turnover that should be spent on cyber resilience. However, here are some general guidelines to help you best assess this for your organisation: 

  • Understanding risks is important. Conducting a cyber resilience  assessment will help you to understand your organisation’s specific cybersecurity risks and needs. This will help determine the appropriate investment level. 
  • Cyber resilience spending will vary significantly depending on the size, industry, and risk profile of the organisation. Larger organisations with more data and higher risks often need to spend more. 
  • According to various estimates, most organisations spend between  0.5-1.5% of overall revenue on cyber resilience 
  • For smaller businesses, spending 10% of the total IT budget on cybersecurity is often recommended. 
  • Highly regulated industries like finance and healthcare tend to spend more, sometimes up to 20% of the total IT budget. 
  • Focus spending on high impact areas like awareness training, access controls, data security, incident response plans, and system redundancies. 

If you are looking to justify the spend it is well worth remembering the cost of the alternative.  A data breach can cost an organisation in many ways including loss of revenue, fines from the ICO and reputational damage.  In July 2023, IBM Security released its annual ‘Cost of a Data Breach Report’ which revealed that UK organisations pay an average of £3.4m for data breach incidents.  In 2020, a data breach of broadband provider Virgin Media involving the personal data of 900,000 customers. Following the incident, Virgin Media reportedly faced a class-action lawsuit of nearly £4.5 billion. In March 2023 Capita suffered a cyber-attack which is currently estimated to be costing them £20 million. Investment in cyber resilience can save you money in the event of a cyber breach.  

Organisations who take cyber resilience seriously would benefit from investing in a cybersecurity monitoring service, which will meet a lot of their cyber resilience needs.  ramsac’s secure+ service can do just that.  secure+ is a ramsac managed service, run by our dedicated in-house Cybersecurity team that allows us to detect a breach the moment it happens and to take action to prevent damage from being done. Below are just some of the benefits of secure+: 

  • Each month you will get a comprehensive report of your secure+ service, where we call out significant events and recommendations to improve your security.  
  • We periodically run scans against your external facing infrastructure to look for vulnerabilities or gaps in your security.  
  • You will get priority status for emergency or critical patches that get announced.  
  • Every quarter we will run an audit of critical accounts, mailboxes and other services to check that privileges are as expected across your estate. 


If you are not sure where to start why not download our Cyber Resilience Whitepaper which outlines the 10 essential questions you should be asking about your Cyber Resilience such as, ‘How well do you train your staff on IT security?’ And ‘How much control do you have over your devices?’. 

Related Posts

  • Inherent risk vs residual risk: What’s the difference?

    Inherent risk vs residual risk: What’s the difference?


    Inherent risk and residual risk are key elements of any effective risk management process designed to strengthen cybersecurity defences and protect your company’s data. Read on. [...]

    Read article

  • What is cybersecurity monitoring? How important is it in 2024?

    What is cybersecurity monitoring? How important is it in 2024?


    Cybersecurity monitoring is the continuous surveillance of digital systems to detect and respond to security threats and data breaches in real-time. Discover how cybersecurity monitoring software can protect your [...]

    Read article

  • Examples of sensitive data in your organisation

    Examples of sensitive data in your organisation


    Any confidential information that’s stored, processed, or managed by an organisation or individual is classified as sensitive data. Read our sensitive data examples today. [...]

    Read article

  • How to set up a secure password policy in Microsoft 365

    How to set up a secure password policy in Microsoft 365


    Discover the essentials of a robust password policy for cybersecurity in Microsoft 365. Learn what to include and what to avoid. Read the blog today. [...]

    Read article

  • A guide to sensitivity labels and how to apply them

    A guide to sensitivity labels and how to apply them


    Sensitivity labels allow you to manage, organise, and protect sensitive emails, files, and documents as part of the Microsoft 365 suite. Read on. [...]

    Read article

  • MFA vs 2FA: What’s the Difference?

    MFA vs 2FA: What’s the Difference?


    Features like user facial recognition that are difficult to replicate means multi-factor authentication offers more cybersecurity layers than two-factor authentication. Find out more. [...]

    Read article

Quiz yourself

Are you more cyber savvy than an 11 year old?

11-14 year olds get asked these questions in school. Could you get these right?