An SME guide for investing in cybersecurity


Determining when, how much and what to invest in cybersecurity is no easy feat. Even large enterprises struggle despite their superior in-house resources and expertise. 

About the author

Ben Koppelman is Research & Innovation Lead at CyberSmart.

Yet as the economy’s digital backbone, it is crucial that small and medium-sized enterprises (SMEs) make the right kinds of security investments, too. So what should these SMEs take into consideration?

Cybersecurity as a business enabler

The first step is recognizing the value of investing in cybersecurity. For an SME, acquiring new customers and improving revenue growth are likely to be the top priorities. In contrast, allocating portions of an already tight budget towards password managers, antivirus software and firewalls can seem almost counterproductive to achieving long-term objectives. Unfortunately, this mindset could be holding many businesses back.

For any organization to succeed, it must show that it can be trusted by providing assurance that its products and/or services are secure. One way to do this is through credible certification, such as Cyber Essentials, the UK government-backed scheme. Investing in cybersecurity in this way allows SMEs to demonstrate to existing customers that they can be trusted, and also enables them to win more tenders and attract new customers.

Fostering a cybersecurity culture

Investing in cybersecurity involves much more than just technology. Understanding people's behavior is crucial, so that they are no longer seen as the source of cybersecurity problems but as part of the solution. This requires good security behavior to be a core aspect of organizational culture, from the boardroom to the factory floor. All employees, including senior executives and people outside IT teams, have roles and responsibilities to play. Raising awareness through effective communication, education and training is vital to empowering employees so that they know what actions to take, while also equipping them with usable tools so that they can take those actions easily and confidently. It may also be useful to appoint specific employees as cybersecurity ambassadors, so that they can help colleagues who are unsure about what to do or where to go for advice.

Conducting cost-benefit analysis

To persuade the boardroom to make these investments, cybersecurity should be presented in the same familiar terms used to assess and manage other business risks. Just as they do for other investments, SMEs can carry out cost-benefit analyses that consider not just the cost of a particular technology or behavioral intervention but also the cost of not investing, such as the possible impact of an attack or breach. These could be direct costs, such as lost or damaged data and assets, downtime, or staff being unable to work; or indirect costs, including loss of investment and damage to reputation.

The role of insurance

While these investments can help to assess security risks and manage them to acceptable levels, SMEs should also consider investing in insurance to transfer the residual risk that remains. Insurance can also provide access to response services should a breach or attack occur.

Insurers could offer financial incentives for organizations to adopt better risk management. For example, insurers could assess organizational practices against security standards; if security controls are implemented to meet those standards, premiums could be reduced, better terms provided or coverage increased. However, this would require some challenges to be tackled. Insurance policies are currently not written to standardized security requirements, so insurers would need to collectively agree on a set of minimum security requirements for SMEs, based on the controls under Cyber Essentials and other risk frameworks.

It would also be helpful to ensure that SMEs can properly assess the quality of insurers and understand the coverage and limits of a policy, for example by certifying insurance products that are based on security best practices.


Investing in cybersecurity would allow SMEs to demonstrate that they are secure and that their products and services can be trusted. This can provide a competitive advantage and win new customers. Carrying out suitable cost-benefit analyses would help make the case for investing in cybersecurity - whether technology, behavior-based interventions or insurance. Nonetheless, cybersecurity has to be embedded in organizational culture so that all employees understand what they need to do and are empowered to do it.

