Cybersecurity budget conversations for small businesses are usually one of two extremes: either spend nothing and hope for the best, or get scared into buying a stack of tools you do not understand. Neither works. Here is a grounded framework for budgeting cybersecurity as a BC SMB in 2026.
The Benchmark: 7-12% of IT Spend
Industry benchmarks from Gartner and others suggest that mature organisations allocate 7 to 12 percent of total IT spend to security. For a 20-person BC business spending $3,000 per month on IT (helpdesk, cloud, licensing), that is $210 to $360 per month on security-specific controls. That is a meaningful number that buys real protection if spent correctly.
The benchmark is a starting point, not a target. A construction company with no client data online has a different risk profile than a professional services firm that emails sensitive client information daily. Match your spend to your risk.
The Non-Negotiable Layer
Every BC SMB needs at minimum: MFA on all accounts (often included in M365), endpoint detection and response (EDR) rather than legacy antivirus, DNS filtering, email security (SPF, DKIM, DMARC configured), and a documented backup strategy with tested restores. These controls, well-implemented, stop the majority of commodity attacks.
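"SPF, DKIM, DMARC configured" is the one item on that list that is easy to believe done when it is only half done: a DMARC record set to p=none, or an SPF record ending in +all, looks configured but blocks nothing. The checker below is an added example (not North Star's tooling or code from this article) that scores the TXT records you have already pulled with a tool such as dig; it does no DNS lookups itself, and the records it ships with are constructed samples, not any real domain's.

```python
import re

# Constructed sample TXT records (assumptions for this example, not real domains' records).
SAMPLE_RECORDS = {
    "spf_good": "v=spf1 include:spf.protection.outlook.com -all",
    "spf_weak": "v=spf1 include:spf.protection.outlook.com +all",
    "spf_no_all": "v=spf1 include:spf.protection.outlook.com",
    "dmarc_good": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
    "dmarc_monitor": "v=DMARC1; p=none",
}

# SPF mechanisms and the redirect modifier that each cost a DNS query (RFC 7208 caps these at 10).
_SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|$)|^redirect=")


def parse_dmarc(record):
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record; an empty list means no obvious weakness."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]

    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"SPF: '{last}' lets any server send as this domain")

    lookups = sum(1 for t in terms if _SPF_LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC record; an empty list means enforcing and reporting."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]

    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: required 'p' tag missing; record is invalid")
    elif policy.lower() == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua address; you will receive no aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine SPF and DMARC findings for one domain."""
    return assess_spf(spf_record) + assess_dmarc(dmarc_record)


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        checker = assess_spf if name.startswith("spf") else assess_dmarc
        print(name, "->", checker(record) or ["ok"])
```

Run it against your own domain's records once a quarter alongside the advisory review; a DMARC policy that moved from p=reject back to p=none during a mail migration is exactly the kind of regression this catches before an insurer's questionnaire does.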
If you are on a managed IT plan with North Star, most of these are included in the base tier. If you are managing IT yourself, plan on $15 to $30 per user per month for the security layer alone.
Where SMBs Over-Spend
The most common over-spend is buying tools before fixing process. A $500/month SIEM tool does nothing if no one monitors it. A next-generation firewall is useless if remote workers bypass it over personal networks. Spend on process and monitoring before buying advanced tooling.
Cyber insurance is often mis-categorised as a security spend. It is a risk transfer mechanism, not a control. Budget it separately under risk management. Do not let insurance premiums crowd out the controls that keep you from needing to file a claim.
Where SMBs Under-Spend
Security awareness training is chronically under-resourced. Phishing simulation and training platforms cost $3 to $8 per user per month and reduce click rates on phishing emails dramatically over 12 months. This is one of the highest-ROI security investments available to an SMB.
Incident response planning also tends to be free in terms of tooling but requires a time investment. A documented runbook - who calls whom, what gets shut down, who contacts clients - is worth more in a real incident than any tool.
Building the Budget Line by Line
A practical budget for a 15-person BC SMB: EDR $225/month, DNS filtering $45/month, email security (M365 Defender) $75/month, security awareness training $75/month, backup and DR $150/month. Total: approximately $570/month, or about $38 per user. That is defensible, auditable, and will satisfy most cyber insurance questionnaires.
Add a quarterly review with a trusted advisor to tune these controls and respond to emerging threats. The advisory time is as important as the tooling.