How much should businesses invest in cyber resilience? 

Ramsac network monitoring cybersecurity

A common error that organisations can make, is to think of cyber resilience as a one-time financial spend instead of a financial investment for their future.  Rather than an ad hoc  or one off spend, we recommend that organisations consider cyber resilience as a moving target, one that is constantly evolving. Building long-term resilience requires sustained investment and you should consider a separate budget line which demonstrates your commitment to continued protection for your business. Which elements of cyber resilience you invest in year after year may grow and change based on your industry standards, the size of the organisation or breaches you experience. Cyber resilience measures you may choose to invest in could include:  

  • Training for your staff. 
  • Phishing testing and awareness 
  • Cyber monitoring and response services 
  • Penetration testing. 
  • Incident response planning 
  • Cyber Resilience Certification. 
  • Software tools such as malware protection, password management or threat detection 
  • Device and application management tools and services 
  • Tools and processes to manage software and hardware patching and updates 
  • Cyber audits/risk assessments 
  • Cyber insurance 

If, as a board, you are asking yourselves what percentage of revenue should go on a cybersecurity budget, unfortunately there is no single recommended percentage of turnover that should be spent on cyber resilience. However, here are some general guidelines to help you best assess this for your organisation: 

  • Understanding risks is important. Conducting a cyber resilience  assessment will help you to understand your organisation’s specific cybersecurity risks and needs. This will help determine the appropriate investment level. 
  • Cyber resilience spending will vary significantly depending on the size, industry, and risk profile of the organisation. Larger organisations with more data and higher risks often need to spend more. 
  • According to various estimates, most organisations spend between  0.5-1.5% of overall revenue on cyber resilience 
  • For smaller businesses, spending 10% of the total IT budget on cybersecurity is often recommended. 
  • Highly regulated industries like finance and healthcare tend to spend more, sometimes up to 20% of the total IT budget. 
  • Focus spending on high impact areas like awareness training, access controls, data security, incident response plans, and system redundancies. 

If you are looking to justify the spend it is well worth remembering the cost of the alternative.  A data breach can cost an organisation in many ways including loss of revenue, fines from the ICO and reputational damage.  In July 2023, IBM Security released its annual ‘Cost of a Data Breach Report’ which revealed that UK organisations pay an average of £3.4m for data breach incidents.  In 2020, a data breach of broadband provider Virgin Media involving the personal data of 900,000 customers. Following the incident, Virgin Media reportedly faced a class-action lawsuit of nearly £4.5 billion. In March 2023 Capita suffered a cyber-attack which is currently estimated to be costing them £20 million. Investment in cyber resilience can save you money in the event of a cyber breach.  

Organisations who take cyber resilience seriously would benefit from investing in a cybersecurity monitoring service, which will meet a lot of their cyber resilience needs.  ramsac’s secure+ service can do just that.  secure+ is a ramsac managed service, run by our dedicated in-house Cybersecurity team that allows us to detect a breach the moment it happens and to take action to prevent damage from being done. Below are just some of the benefits of secure+: 

  • Each month you will get a comprehensive report of your secure+ service, where we call out significant events and recommendations to improve your security.  
  • We periodically run scans against your external facing infrastructure to look for vulnerabilities or gaps in your security.  
  • You will get priority status for emergency or critical patches that get announced.  
  • Every quarter we will run an audit of critical accounts, mailboxes and other services to check that privileges are as expected across your estate. 


If you are not sure where to start why not download our Cyber Resilience Whitepaper which outlines the 10 essential questions you should be asking about your Cyber Resilience such as, ‘How well do you train your staff on IT security?’ And ‘How much control do you have over your devices?’. 

Related Posts

  • Happy Birthday secure+: How our cybersecurity solution has detected over 8000 cybersecurity alerts in one year

    Happy Birthday secure+: How our cybersecurity solution has detected over 8000 cybersecurity alerts in one year


    secure+ has detected and responded to over 8000 security alerts in its first year [...]

    Read article

  • MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.

    MFA Fatigue: Multi-Factor Authentication (MFA) is best practice, but it’s not risk free.


    MFA Fatigue is a problem organisations need to be aware of, in this blog we break down why and what organisations can do to combat it. [...]

    Read article

  • Data Protection Day – Protecting your information on social media.

    Data Protection Day – Protecting your information on social media.


    The 28th of January is Data Protection day, to mark this day we have created a blog with tips on how people can keep their personal data safe on [...]

    Read article

  • Cybersecurity – The importance of Testing & Training

    Cybersecurity – The importance of Testing & Training


    Many organisations offer cybersecurity training to their staff, but training and testing as a combined strategy provides a much stronger defence against cybercrime. [...]

    Read article

  • Man-in-the-Middle (MITM) attack – Cyber secure series

    Man-in-the-Middle (MITM) attack – Cyber secure series


    Man-in-the-middle attacks mean an attacker has intercepted communications between two people and has altered them in some way. Learn more today. [...]

    Read article

  • Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK

    Data Protection and Innovation: The Role of the ICO Regulatory Sandbox in the UK


    In this blog, we'll explore the concept of the ICO Regulatory Sandbox and its objectives in the data protection landscape in the UK [...]

    Read article