The Classic Question – How much to spend on Cybersecurity?

Let’s discuss the question of how much to spend on cybersecurity through a conversation between Jimmy and Jane, two small business owners with different viewpoints:


Jimmy (Sales-Focused Owner): Hey Jane, I’ve been thinking about that cybersecurity gadget you mentioned—the one that’s supposed to beef up our defenses against ransomware. It’s like $5,000 upfront, right? Look, sales are picking up, but we’re a small operation. Where’s the ROI here? It’s not like this thing is going to bring in new clients or boost revenue. Feels like throwing money at a “what if” scenario.

Jane (Risk Management-Focused Owner): I get it, Jimmy—sales drive the business, and every dollar counts toward growth. But think about it this way: ransomware isn’t just a buzzword. Last year, small businesses like ours were hit hard, with average recovery costs over $100K, not to mention downtime that kills momentum. This gadget—it’s an advanced endpoint detection tool—could spot and block threats before they encrypt our files. No direct ROI in sales terms, sure, but the value is in avoiding a total wipeout. We’ve got customer data, invoices, everything on those servers. One breach, and we’re not just out money; we’re out trust and potentially the whole business.

Jimmy: Yeah, I hear you on the horror stories, but honestly, we’ve been fine so far without it. We’ve got basic antivirus and firewalls—isn’t that enough? I mean, the odds of us getting hit seem low. We’re not some big corporation hackers target. Spending on this feels like buying insurance for a meteor strike. Psychologically, it’s tough to justify when I could put that cash toward marketing or hiring a part-timer to chase leads. What if nothing happens? We’ve just burned budget on fear.

Jane: That’s exactly the psychology trap in security, Jimmy—it’s called normalcy bias. We assume because it hasn’t happened yet, it won’t. But stats show small businesses are prime targets because we’re seen as easy marks with weaker defenses. Remember that local bakery down the street? They got ransomware last month, paid up, and still lost weeks of operations. This gadget isn’t about fear-mongering; it’s proactive risk reduction. It automates threat hunting, so we don’t have to babysit it. Sure, no flashy returns, but preventing a $200K disaster? That’s invisible ROI that keeps us selling at all. Let’s at least demo it—better safe than scrambling in crisis mode.

Jimmy: Alright, you make a solid point on the bias thing; I do tend to focus on the upside. Downtime would crush our sales pipeline, no doubt. But can we negotiate the price or find a cheaper alternative? If it’s truly about long-term stability, I’m open to it—as long as it doesn’t derail our growth plans.

Jane: Absolutely, let’s shop around and crunch the numbers on potential savings from avoided incidents. This could be the smart play that lets us focus on sales without looking over our shoulders. Deal?

Jimmy (Sales-Focused Owner): Deal, Jane. But hold on—this gadget is just one thing. What about scanning for vulnerabilities? I’ve heard that’s another layer we might need, like regular checks on our systems for weak spots. Where does it end? We add this, then that, and suddenly we’re bleeding cash on endless security stuff. How much should we really spend on all this risk reduction without tanking our budget?

Jane (Risk Management-Focused Owner): Fair question, Jimmy. Vulnerability scanning is a smart next step—it’s basically automated tools that probe our networks and apps for known weaknesses, like outdated software or misconfigurations that hackers could exploit. It helps catch issues before they turn into breaches. But you’re right; we can’t chase every shiny security tool. The key is balancing it against our overall IT spend. Experts say small businesses like ours should aim for about 5% to 20% of our total IT budget on cybersecurity—that’s roughly $5,000 to $50,000 a year depending on our size. For us, with our modest setup, maybe 7-10% makes sense to start, focusing on high-impact areas.

Jimmy: 5% to 20%? That’s a huge range! Our IT budget is what, around $50,000 a year? So we’re talking $2,500 to $10,000 just on security? And vulnerability scanning—how much does that even cost? If it’s another few grand, plus the gadget, we’re pushing $10K easy. I get the risk, but at what point do we say enough? We could use that for ad campaigns that actually drive revenue.

Jane: Totally get the hesitation—it’s easy to feel like it’s a black hole. But think of it as insurance: the average breach for small businesses costs $120,000 to $1.24 million in recovery, downtime, and lost business. Vulnerability scanning isn’t extravagant; basic automated scans for SMBs run $1,000 to $5,000 one-time or $200/month for ongoing tools. We could start with a free or low-cost open-source option like OpenVAS to test the waters, then upgrade if needed. The goal isn’t to buy everything; it’s to prioritize based on our risks—protect customer data and our sales pipeline first. If we cap it at 10% of IT spend, that’s our line in the sand. Anything beyond needs to prove massive value.

Jimmy: Alright, capping at 10% sounds reasonable—keeps us from going overboard. But let’s audit what we already have; maybe our current antivirus covers some scanning. If we do add it, I want to see how it ties back to keeping sales humming, not just more “what ifs.”

Jane: Perfect plan. We’ll review our setup, get quotes for affordable scanning, and calculate the ROI in avoided disasters. This way, we’re protected without derailing growth.


So the consensus from an Internet search is 5% to 20% of the IT budget, with 10% as a more reasonable maximum.
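The calculation Jimmy and Jane keep circling (the 5% to 20% band of IT spend, the expected annual loss from a breach, the 10% cap, and the return on the security spend in avoided incidents) worked through in code. This is an added example, not part of the original post; the dollar figures are the ones quoted in the conversation, while the 15% annual breach probability and the effectiveness of each control are assumptions labelled as such.

```python
"""Return-on-security-investment (ROSI) check for the Jimmy/Jane numbers."""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float    # cost per year (a one-time purchase is amortised over one year here)
    effectiveness: float  # ASSUMED fraction of expected loss the control removes (0..1)


def budget_band(it_budget: float, low: float = 0.05, high: float = 0.20) -> tuple[float, float]:
    """Rule-of-thumb range from the post: 5% to 20% of annual IT spend."""
    return (it_budget * low, it_budget * high)


def annualized_loss_expectancy(breach_cost: float, annual_probability: float) -> float:
    """ALE = single loss expectancy (cost of one breach) x annual rate of occurrence."""
    return breach_cost * annual_probability


def rosi(ale_before: float, controls: list[Control]) -> float:
    """(loss avoided - spend) / spend. Stacked controls combine multiplicatively:
    residual loss = ALE x prod(1 - effectiveness_i), so overlap is not double-counted."""
    residual, spend = ale_before, 0.0
    for c in controls:
        residual *= 1.0 - c.effectiveness
        spend += c.annual_cost
    if spend == 0:
        raise ValueError("no security spend to evaluate")
    return (ale_before - residual - spend) / spend


def evaluate(it_budget: float, breach_cost: float, annual_probability: float,
             controls: list[Control], cap_share: float = 0.10) -> dict:
    """Compare the proposed spend against the 10% cap and the expected loss it avoids."""
    spend = sum(c.annual_cost for c in controls)
    ale = annualized_loss_expectancy(breach_cost, annual_probability)
    cap = it_budget * cap_share
    return {"band": budget_band(it_budget), "cap": cap, "spend": spend,
            "within_cap": spend <= cap, "ale": ale, "rosi": rosi(ale, controls)}


# Constructed scenario: the $5,000 gadget plus $200/month scanning from the dialogue;
# the effectiveness values are assumptions, not figures from the post.
EXAMPLE_CONTROLS = [Control("endpoint detection gadget", 5_000.0, 0.5),
                    Control("vulnerability scanning ($200/month)", 2_400.0, 0.2)]

if __name__ == "__main__":
    # $50K IT budget, $120K breach cost (low end quoted), 15% assumed annual probability
    print(evaluate(50_000.0, 120_000.0, 0.15, EXAMPLE_CONTROLS))
```

With these inputs the spend ($7,400) clears the 10% cap ($5,000) yet still returns roughly 46 cents of avoided loss per dollar beyond its own cost, which is exactly the "prove massive value" conversation the cap is meant to force.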

I think the real issue is that one has to do something to de-risk, because if nothing is done the risk is higher…

Contact and discuss with me – we can set up a policy for you. Or visit my fixvirus.com website to learn more about what I do.