Where to spend, in what order
If you have £X a year for cyber, here's the order.
Most SMEs don't need a security strategy; they need a sequenced shopping list. Below are five budget bands. Each band assumes you've done everything in the previous one. Prices are UK SME indicative, last verified May 2026 — see Typical costs for the underlying numbers.
Running a business with 50+ staff and an IT team? You've almost certainly done the £0 and £1k bands already. Start reading at £3,000 or £10,000, and scan backwards for anything you may have missed. The earlier bands aren't for you to do — they're a checklist to verify your IT team or MSP has done them.
£0 / year
Free wins that block most of the real-world attacks
If you do nothing else, do these. Every one is free, owner-doable, and removes a real attack path. An afternoon's work.
- ✓Turn on MFA for every admin account in Microsoft 365 / Google Workspace. Five minutes.
- ✓Set Windows / macOS update to automatic on every laptop. Five minutes per device.
- ✓Run director email addresses through haveibeenpwned.com. Change anywhere those passwords were reused.
- ✓Audit your M365 / Google active users against payroll. Disable anyone who shouldn't be there.
- ✓Turn on Version History on shared folders. Restoring a wrongly-edited file becomes one click.
- ✓Roll out the free NCSC “Top Tips for Staff” training package.
- ✓Write the Incident Response one-pager. Print three copies, put them off-network (wallet, car, home).
- ✓Add calendar reminders for domain expiry, SSL expiry, IT contract end — with 90-day warnings.
These cover ~70% of preventable SME breaches.
£1,000 / year
First paid additions
Now add the basic tools that everyone in the business uses. You're probably already paying for some of these — the trick is using them properly.
- ✓Upgrade to Microsoft 365 Business Premium (from Standard) — +£5/user/month delta. For a 10-person company that's ~£600/yr. You get Defender for Business (EDR), Intune (MDM), conditional access. Cancel any standalone antivirus subscription.
- ✓Add a password manager (1Password Business, Bitwarden Teams, Dashlane). ~£3–£6/user/month. Get directors to migrate first.
- ✓Buy two FIDO security keys (YubiKey) for the two highest-risk admin accounts. ~£90 total.
Now MFA is real, devices are managed, passwords are out of the spreadsheet.
£3,000 / year
Backups, insurance, certification
This is where most SMEs should aim to be. The 70% becomes 90%.
- ✓Proper Microsoft 365 backup (Veeam / Acronis / AvePoint / Datto). ~£4–8/user/month. Essential — Microsoft does not back up your M365 data.
- ✓Cyber Essentials self-assessed certification. ~£300–£700 one-off, annual renewal. Achievable in 4–8 weeks. Increasingly required by larger customers.
- ✓Cyber insurance (for £1m turnover band). ~£500–£2,500/year. Most policies include an incident response retainer — that's the real value.
£10,000 / year
Maturing — training, supplier security, monitoring
At this level you have headroom for ongoing investment, not just compliance.
- ✓Phishing simulation training (KnowBe4 / Hoxhunt / Defender Attack Simulation). ~£1–3/user/month. Most useful when it's positioned as training, not gotcha.
- ✓Cyber Essentials Plus (external technical check). ~£1,500–£3,500/year. Often required for public-sector contracts.
- ✓Annual independent review by someone with no MSP allegiance. ~£2,000–£8,000 one-off. The outside view that catches what you and your MSP both miss.
- ✓Fractional / virtual CISO if you don't have a security person and won't hire one. ~£1k–£5k/month for a few hours' engagement.
£25,000 / year
Customer-facing scale
Typically: you sell to larger organisations, hold material customer data, or run customer-facing software.
- ✓Annual penetration test of customer-facing apps. ~£3,000–£10,000 per test, often more than once a year if you're shipping changes.
- ✓ISO 27001 path if customer contracts require it. ~£10,000–£40,000 year-one cost; ~£3,000–£10,000 thereafter.
- ✓Managed security monitoring — SIEM-as-a-service, often included in MSP package. ~£100–£400/month, more for larger estates.
- ✓Dedicated incident response retainer if not included in cyber insurance. ~£5k–£15k/year.
A note on order
Don't buy ISO 27001 before you have MFA. Don't buy a SIEM before you've tested a backup. Don't pay for cyber insurance before you can answer their questionnaire honestly — you'd be paying for cover the policy will then refuse to give you.
The bands above are stacked — each level assumes the previous one is done. If your annual budget is £3,000 but you don't yet have MFA on admin accounts: spend the first afternoon on £0 actions, not the first pound on cyber insurance.