How much should businesses invest in cyber resilience? 

Ramsac network monitoring cybersecurity

A common error that organisations can make, is to think of cyber resilience as a one-time financial spend instead of a financial investment for their future.  Rather than an ad hoc  or one off spend, we recommend that organisations consider cyber resilience as a moving target, one that is constantly evolving. Building long-term resilience requires sustained investment and you should consider a separate budget line which demonstrates your commitment to continued protection for your business. Which elements of cyber resilience you invest in year after year may grow and change based on your industry standards, the size of the organisation or breaches you experience. Cyber resilience measures you may choose to invest in could include:  

  • Training for your staff. 
  • Phishing testing and awareness 
  • Cyber monitoring and response services 
  • Penetration testing. 
  • Incident response planning 
  • Cyber Resilience Certification. 
  • Software tools such as malware protection, password management or threat detection 
  • Device and application management tools and services 
  • Tools and processes to manage software and hardware patching and updates 
  • Cyber audits/risk assessments 
  • Cyber insurance 

If, as a board, you are asking yourselves what percentage of revenue should go on a cybersecurity budget, unfortunately there is no single recommended percentage of turnover that should be spent on cyber resilience. However, here are some general guidelines to help you best assess this for your organisation: 

  • Understanding risks is important. Conducting a cyber resilience  assessment will help you to understand your organisation’s specific cybersecurity risks and needs. This will help determine the appropriate investment level. 
  • Cyber resilience spending will vary significantly depending on the size, industry, and risk profile of the organisation. Larger organisations with more data and higher risks often need to spend more. 
  • According to various estimates, most organisations spend between  0.5-1.5% of overall revenue on cyber resilience 
  • For smaller businesses, spending 10% of the total IT budget on cybersecurity is often recommended. 
  • Highly regulated industries like finance and healthcare tend to spend more, sometimes up to 20% of the total IT budget. 
  • Focus spending on high impact areas like awareness training, access controls, data security, incident response plans, and system redundancies. 

If you are looking to justify the spend it is well worth remembering the cost of the alternative.  A data breach can cost an organisation in many ways including loss of revenue, fines from the ICO and reputational damage.  In July 2023, IBM Security released its annual ‘Cost of a Data Breach Report’ which revealed that UK organisations pay an average of £3.4m for data breach incidents.  In 2020, a data breach of broadband provider Virgin Media involving the personal data of 900,000 customers. Following the incident, Virgin Media reportedly faced a class-action lawsuit of nearly £4.5 billion. In March 2023 Capita suffered a cyber-attack which is currently estimated to be costing them £20 million. Investment in cyber resilience can save you money in the event of a cyber breach.  

Organisations who take cyber resilience seriously would benefit from investing in a cybersecurity monitoring service, which will meet a lot of their cyber resilience needs.  ramsac’s secure+ service can do just that.  secure+ is a ramsac managed service, run by our dedicated in-house Cybersecurity team that allows us to detect a breach the moment it happens and to take action to prevent damage from being done. Below are just some of the benefits of secure+: 

  • Each month you will get a comprehensive report of your secure+ service, where we call out significant events and recommendations to improve your security.  
  • We periodically run scans against your external facing infrastructure to look for vulnerabilities or gaps in your security.  
  • You will get priority status for emergency or critical patches that get announced.  
  • Every quarter we will run an audit of critical accounts, mailboxes and other services to check that privileges are as expected across your estate. 


If you are not sure where to start why not download our Cyber Resilience Whitepaper which outlines the 10 essential questions you should be asking about your Cyber Resilience such as, ‘How well do you train your staff on IT security?’ And ‘How much control do you have over your devices?’. 

Related Posts

  • Celebrating 20 Years of Cybersecurity Awareness Month

    Celebrating 20 Years of Cybersecurity Awareness Month


    October is Cybersecurity awareness month, follow us on LinkedIn or Twitter for daily tips on how you can protect your organisation against Cybercrime. [...]

    Read article

  • What is cyber resilience? A complete guide

    What is cyber resilience? A complete guide


    Firewalls and anti-virus software are just the first steps in protecting your organisation from cyber threats (this is cybersecurity). However, you need more than that and this is where [...]

    Read article

  • The cybersecurity risks of remote working

    The cybersecurity risks of remote working

    CybersecurityRemote working

    Remote workers are under increasing levels of threat from advanced cyber criminals. It is vital to protect your workforce from cyberattacks. Discover more here. [...]

    Read article

  • What is Mobile Application Management: streamlining app deployment and security

    What is Mobile Application Management: streamlining app deployment and security


    Mobile Application Management helps organisations to manage, secure, and distribute mobile applications within their environment. In this blog we explain what MAM is and the benefits of implementing it. [...]

    Read article

  • The importance of effective Supplier Data Security

    The importance of effective Supplier Data Security


    In this blog post, we will explore essential considerations and questions to ask your suppliers about the protocols they have in place that keep you, and any shared data, [...]

    Read article

  • What is Mobile Device Management?

    What is Mobile Device Management?


    Mobile Device Management is a type of software used by organisations to monitor, manage and secure employees’ mobile devices. In this blog we explain how to build a strong [...]

    Read article