Cybersecurity Budgeting for SMEs in 2024

As small and medium-sized enterprises (SMEs) plan for 2024, cybersecurity continues to rise as a budget priority. High-profile ransomware cases, increased regulatory pressure, and growing client expectations are pushing organisations to revisit how they allocate funds to defend their digital assets. But budgeting effectively for cybersecurity isn't about spending more—it's about spending smarter.

📊 Why Traditional Budgeting Falls Short

Many SMEs still rely on static IT budgets based on prior-year costs. This approach misses dynamic shifts in threat landscapes, new compliance requirements, or changes in business models (like hybrid work or cloud-first strategies). Without a clear security roadmap, it's easy to over-invest in tools and under-invest in strategy or training.

💰 How Much Should You Allocate?

Globally, SMBs are now spending between 7–12% of their total IT budget on cybersecurity. In New Zealand, we’ve seen budgets range widely—from 5% for traditional sectors to over 15% for regulated or tech-forward SMEs. The right number depends on risk profile, digital maturity, and exposure level.

🎯 Align Spending to Business Risk

Rather than starting with tools, start with business risk. Ask:

• What data would cause the most damage if lost or leaked?
• What downtime is tolerable for our systems?
• What obligations do we have (clients, regulators, insurers)?

From this, identify the controls that mitigate your highest-impact risks—this is where your spend must focus.

🔐 Budgeting for Layers: A Balanced Approach

Cybersecurity budgeting in 2024 should cover multiple layers, including:

• 🔍 Risk Assessments and Audits (annual minimum)
• 🛡️ Endpoint Protection + EDR
• 🌐 Secure Cloud & SaaS Configurations
• 🔑 Identity & Access Management (MFA, SSO)
• 📦 Backup and Recovery (immutable, tested)
• 👨‍🏫 Awareness Training & Simulations
• 📄 Policy Reviews & Incident Playbooks

📈 Don't Forget Operational Security

Ongoing costs such as patch management, monitoring, security subscriptions, and incident response retainers often go unplanned. These are not optional—budget for them as essential recurring items.

📣 Communicate ROI and Risk Avoidance

Leadership buy-in improves when security investments are framed in business terms—client trust, uptime, legal exposure, and business continuity. Translate tech spend into outcomes: “This $3,000 spent on backup strategy avoids $300,000 in potential ransomware impact.”

💡 Use a Living Budget

Threats evolve, and so must your budget. Revisit allocations quarterly. Use emerging insights from audits or near-miss incidents to re-prioritise. A flexible budget is more valuable than a big one.

Eduardo Wnorowski is a Technologist and Director at Virtus Group Ltd.
With over 29 years of experience in IT and consulting, he brings deep expertise in networking, security, infrastructure, and transformation.
Eduardo helps New Zealand businesses navigate change with clarity, security, and trust.
🔗 Connect on LinkedIn