Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

Where to spend, in what order

If you have £X a year for cyber, here's the order.

Most SMEs don't need a security strategy; they need a sequenced shopping list. Below are five budget bands. Each band assumes you've done everything in the previous one. Prices are UK SME indicative, last verified May 2026 — see Typical costs for the underlying numbers.

Running a business with 50+ staff and an IT team? You've almost certainly done the £0 and £1k bands already. Start reading at £3,000 or £10,000, and scan backwards for anything you may have missed. The earlier bands aren't for you to do — they're a checklist to verify your IT team or MSP has done them.

£0 / year

Free wins that block most of the real-world attacks

If you do nothing else, do these. Every one is free, owner-doable, and removes a real attack path. An afternoon's work.

  • Turn on MFA for every admin account in Microsoft 365 / Google Workspace. Five minutes.
  • Set Windows / macOS update to automatic on every laptop. Five minutes per device.
  • Run director email addresses through haveibeenpwned.com. Change anywhere those passwords were reused.
  • Audit your M365 / Google active users against payroll. Disable anyone who shouldn't be there.
  • Turn on Version History on shared folders. Restoring a wrongly-edited file becomes one click.
  • Roll out the free NCSC “Top Tips for Staff” training package.
  • Write the Incident Response one-pager. Print three copies, put them off-network (wallet, car, home).
  • Add calendar reminders for domain expiry, SSL expiry, IT contract end — with 90-day warnings.

These cover ~70% of preventable SME breaches.

£1,000 / year

First paid additions

Now add the basic tools that everyone in the business uses. You're probably already paying for some of these — the trick is using them properly.

  • Upgrade to Microsoft 365 Business Premium (from Standard) — +£5/user/month delta. For a 10-person company that's ~£600/yr. You get Defender for Business (EDR), Intune (MDM), conditional access. Cancel any standalone antivirus subscription.
  • Add a password manager (1Password Business, Bitwarden Teams, Dashlane). ~£3–£6/user/month. Get directors to migrate first.
  • Buy two FIDO security keys (YubiKey) for the two highest-risk admin accounts. ~£90 total.

Now MFA is real, devices are managed, passwords are out of the spreadsheet.

£3,000 / year

Backups, insurance, certification

This is where most SMEs should aim to be. The 70% becomes 90%.

  • Proper Microsoft 365 backup (Veeam / Acronis / AvePoint / Datto). ~£4–8/user/month. Essential — Microsoft does not back up your M365 data.
  • Cyber Essentials self-assessed certification. ~£300–£700 one-off, annual renewal. Achievable in 4–8 weeks. Increasingly required by larger customers.
  • Cyber insurance (for £1m turnover band). ~£500–£2,500/year. Most policies include an incident response retainer — that's the real value.

£10,000 / year

Maturing — training, supplier security, monitoring

At this level you have headroom for ongoing investment, not just compliance.

  • Phishing simulation training (KnowBe4 / Hoxhunt / Defender Attack Simulation). ~£1–3/user/month. Most useful when it's positioned as training, not gotcha.
  • Cyber Essentials Plus (external technical check). ~£1,500–£3,500/year. Often required for public-sector contracts.
  • Annual independent review by someone with no MSP allegiance. ~£2,000–£8,000 one-off. The outside view that catches what you and your MSP both miss.
  • Fractional / virtual CISO if you don't have a security person and won't hire one. ~£1k–£5k/month for a few hours' engagement.

£25,000 / year

Customer-facing scale

Typically: you sell to larger organisations, hold material customer data, or run customer-facing software.

  • Annual penetration test of customer-facing apps. ~£3,000–£10,000 per test, often more than once a year if you're shipping changes.
  • ISO 27001 path if customer contracts require it. ~£10,000–£40,000 year-one cost; ~£3,000–£10,000 thereafter.
  • Managed security monitoring — SIEM-as-a-service, often included in MSP package. ~£100–£400/month, more for larger estates.
  • Dedicated incident response retainer if not included in cyber insurance. ~£5k–£15k/year.

A note on order

Don't buy ISO 27001 before you have MFA. Don't buy a SIEM before you've tested a backup. Don't pay for cyber insurance before you can answer their questionnaire honestly — you'd be paying for cover the policy will then refuse to give you.

The bands above are stacked — each level assumes the previous one is done. If your annual budget is £3,000 but you don't yet have MFA on admin accounts: spend the first afternoon on £0 actions, not the first pound on cyber insurance.