Cybersecurity budget conversations at small businesses tend toward two extremes: spend nothing and hope for the best, or get spooked into buying a stack of tools nobody manages. Neither works. Here is a grounded framework for deciding how much to spend, what to spend it on, and what to cut when the budget is tight.
The Industry Benchmark: 7 - 12% of IT Spend
Industry benchmarks consistently suggest that mature organisations allocate 7 - 12% of total IT spend to security-specific controls. For a 20-person BC business spending $3,000 per month on IT (helpdesk, cloud infrastructure, software licensing), that is $210 - $360 per month on security.
That's a meaningful number that buys real protection if spent on the right things. It is also a starting point, not a hard target. A construction company that keeps no client data online has a different risk profile than a law firm emailing sensitive client information daily. Match your spend to your risk profile and your obligations, not to a benchmark.
The Non-Negotiable Layer
Every BC SMB needs minimum security controls regardless of size or industry. These are the controls that stop the vast majority of commodity attacks:
| Control | What it does | Typical cost if not bundled |
|---|---|---|
| MFA on all accounts | Stops credential-based account compromise | Included in M365 Business Premium |
| EDR on every device | Detects and contains threats legacy AV misses | $6 - $12/device/month |
| DNS filtering | Blocks malicious sites before connection | $3 - $5/user/month |
| Email security (SPF/DKIM/DMARC) | Prevents domain spoofing and phishing delivery | One-time configuration; included in M365 |
| Tested backup with immutable copy | Recoverable data after ransomware or hardware failure | $5 - $15/user/month depending on retention |
If you are on a managed IT plan with Northstar, most of these are bundled into the base tier. If you manage IT internally, plan on $15 - $30 per user per month for the security layer alone.
Where SMBs Over-Spend
The most common security over-spend is buying tools before fixing process. A security information and event management (SIEM) system that nobody monitors does not improve security; it creates noise and cost. A vulnerability scanner that generates reports nobody acts on is decoration.
Over-spending also appears in redundant tools. Businesses sometimes purchase standalone antivirus alongside their EDR (they conflict), or buy a third-party email security gateway that duplicates what Defender for Office 365 already does in their M365 plan.
Before adding a tool, ask: does something we already have do this? Who will monitor and act on the output? What does "success" look like for this control?
Where SMBs Under-Spend
Security awareness training. The majority of security incidents start with a human clicking something they shouldn't. A few hundred dollars a year per user for a quality phishing simulation and training platform is among the highest-return security investments available.
Incident response planning. Writing a one-page IR plan is free. Having it when you need it is invaluable. The cost comes from an hour of your IT team's time. Most SMBs don't have one.
Backup verification. Backups are often purchased but not tested. The restore is what matters. Quarterly restore tests add minimal cost if backups already exist.
Building the Budget Line by Line
For a 20-person BC SMB in 2026, a realistic monthly security budget might look like:
| Item | Monthly estimate |
|---|---|
| M365 Business Premium (includes Defender, Intune, MFA) | $28 - $32/user = $560 - $640 |
| EDR (if not included in M365 plan tier) | $10/device × 25 devices = $250 |
| DNS filtering | $4/user × 20 = $80 |
| Cloud backup with immutable retention | $150 - $300 depending on data volume |
| Security awareness training platform | $3 - $5/user = $60 - $100 |
| Total | ~$1,100 - $1,370/month |
As a share of a $3,000/month IT budget, that's 37 - 46%, higher than the 7 - 12% benchmark. The reason is that for a 20-person business, the minimum viable security layer represents a larger percentage of a smaller budget. The benchmark applies more accurately at larger scale.
To talk to a Prince George-based IT team about a line-by-line security budget review, call 672-983-1174 or book a free assessment at northstarit.ca.
Want a line-by-line security budget review?
North Star reviews your current tool stack, identifies gaps, and builds a prioritised security roadmap. No obligation, no sales pitch. Book a free assessment.