BI & Data | February 19, 2026 | 6 min read | By AferStudio

How Much Should UK SMEs Actually Spend on Cyber Security

UK SMEs should allocate 10-15% of their IT budget to cybersecurity, yet 38% spend under £100 a year. With 93% of businesses reporting a cyber incident and the average cost of remedying an attack at £21,000, here is what smart spending looks like.

UK SMEs face a stark reality: 93% of British businesses reported a critical cyber incident in the last 12 months, yet 38% invest less than £100 annually in cybersecurity. This massive gap between risk and investment is costing the UK economy billions while leaving small businesses dangerously exposed.

The average cost to remedy a cyber attack is now £21,000, while UK SMEs are incurring annual losses of £3.4 billion due to inadequate cybersecurity measures. For businesses already operating on tight margins, this represents an existential threat that many are simply not prepared for.

How Much Are UK SMEs Actually Spending on Cyber Security?

Companies spent an average of 0.69% of revenue on cybersecurity in 2024 and 2025—up from 0.50% in 2020. However, this figure varies dramatically by business size and industry.

Only 32% of UK SMEs have any cybersecurity protections in place, despite facing the same threats as large enterprises.

Small businesses typically allocate 4-10% of their total IT budget to security, with most of this going toward external consultants and basic protection tools. For many SMEs, this translates to:

  • Micro businesses (1-10 employees): £500-£2,000 annually
  • Small businesses (11-50 employees): £2,000-£8,000 annually
  • Medium businesses (51-250 employees): £8,000-£25,000 annually

Key figures at a glance:

  • 38%: UK SMEs that spend under £100 annually on cybersecurity
  • £21k: average cost to remedy a cyber attack
  • 35%: UK SMEs hit by cyber incidents in 2024
  • 10-15%: recommended share of the IT budget for security

What Should UK SMEs Be Spending on Cyber Security?

Industry experts recommend raising security to 20-25% of the IT budget in high-risk environments. Most mid-market cybersecurity budgets fall between 10% and 12% of IT spend, with 15-18% common in regulated industries such as finance and healthcare.

A practical 2026 cybersecurity budget is £1,200-£2,500 per employee per year. This covers managed detection and response (MDR), endpoint and cloud security, compliance audits and training without the overspend typical of Fortune 500 companies.

Budget Breakdown by Business Size

For a £1M revenue business (10 employees):

  • Recommended annual budget: £7,000-£15,000
  • Per employee: £700-£1,500
  • Key investments: Email security, endpoint protection, backup solutions

For a £5M revenue business (25 employees):

  • Recommended annual budget: £30,000-£62,500
  • Per employee: £1,200-£2,500
  • Key investments: 24/7 monitoring, compliance tools, staff training

For a £10M revenue business (50 employees):

  • Recommended annual budget: £60,000-£125,000
  • Per employee: £1,200-£2,500
  • Key investments: Advanced threat detection, incident response, full security stack

Why Most UK SMEs Are Dangerously Underspending

66% of SMBs cite 'cost' as their top obstacle to adopting stronger cybersecurity. This creates a dangerous cycle in which businesses delay investment until after an incident occurs, when costs are far higher.

28% of UK SMEs say that a single attack could put them out of business, yet those same businesses often spend more on coffee than on cybersecurity.

The maths is stark: on this page's own figures, a £21,000 average remedy cost spread over a 3-5 day recovery works out at roughly £4,000-£7,000 per day, so £5,000 a year on prevention costs about the same as a single day of a successful attack.

The Hidden Costs of Underinvestment

The average cost of a cyber-attack to a medium UK business was £10,830, but this figure captures only direct costs. Hidden expenses include:

  • Lost productivity during recovery (average 3-5 days)
  • Customer confidence and reputation damage
  • Regulatory fines and legal costs
  • Increased insurance premiums
  • Long-term business impact

Where Should UK SMEs Spend Their Cyber Security Budget?

Software now commands approximately 40% of enterprise security budgets, reflecting the shift toward cloud-delivered services and integrated platforms.

1. Essential Protection Layer (40-50% of budget)

Endpoint detection and response, email security and automated patch management form your security foundation.

2. 24/7 Monitoring (25-30% of budget)

Managed detection and response services provide round-the-clock threat hunting and incident response.

3. Backup and Recovery (15-20% of budget)

Immutable backups, kept separate from production credentials, and recovery procedures that are actually tested protect against ransomware and system failures.

4. Training and Awareness (10-15% of budget)

Regular staff training addresses the human element, still the weakest link in most attacks.

How Cyber Security Spending Will Change in 2026

UK organisations are significantly increasing their cybersecurity budgets, with an average predicted rise of 31% in the next 12 months—more than double the 15% analysts had forecast.

Key 2026 budget drivers include AI-powered attacks, multi-cloud and SaaS sprawl, tightening regulations such as DORA, NIS2 and PCI DSS 5.0 (DORA and NIS2 are EU regimes that reach UK SMEs mainly through EU customers and supply chains), and shifting cyber insurance requirements.

New Investment Priorities for 2026

Budget allocation needs to shift toward security (20-25% of IT spend in high-risk environments), AI (10-15%) and data analytics (10-15%), because traditional spending patterns no longer match current risk profiles.

Emerging budget categories include:

  • AI threat detection and response tools
  • Cloud security posture management
  • Zero trust network access solutions
  • Compliance automation platforms
  • Cyber insurance premium increases

Many UK SMEs can access government funding through schemes such as Made Smarter, which provides manufacturing SMEs with up to 50% match-funding for digital security projects.

Frequently Asked Questions

How much should a UK SME spend on cybersecurity as percentage of revenue?

Industry benchmarks suggest 0.69% of revenue on cybersecurity, though this varies significantly by industry and risk profile. High-risk sectors like finance and healthcare often spend 1-2% of revenue.

What's the minimum viable cybersecurity budget for a small UK business?

For businesses of around 25 employees or more, a practical minimum is £1,200 per employee per year, covering basic endpoint protection, email security and backup; the 10-employee breakdown above starts at roughly £700 per employee. Businesses spending materially less than that are likely underprotected.

Should UK SMEs hire internal security staff or outsource?

74% of SMB owners self-manage cybersecurity or rely on untrained family members, while only 15% use professional services. For most SMEs under 100 employees, outsourcing to managed security providers offers better value and expertise.

How do cyber insurance requirements affect SME security budgets?

There was a 17% increase in UK business cyber insurance policies in 2024, with insurers increasingly requiring specific security controls before providing coverage. This drives additional spending on compliance tools and documentation.

What government support is available for UK SME cybersecurity spending?

The government offers various schemes including Cyber Essentials certification support, Made Smarter funding for manufacturers, and sector-specific grants. Many provide 50% match-funding for qualifying security projects.

The reality for UK SMEs is stark: cybersecurity is no longer optional. From corner shops to FTSE 100 companies, every organisation operating in the UK is at risk. The question isn't whether you can afford to invest in security—it's whether you can afford not to.

Smart SMEs treat cybersecurity as business insurance, not an IT expense. With the average cost of an attack at £21,000 and rising, even the £7,000-£15,000 a year suggested above for a ten-person business buys significant protection and peace of mind.

The businesses that survive and thrive will be those that act now, before they become another statistic in next year's breach reports.
