Planning Your Cybersecurity Budget

A Bern-based SME with 35 employees saved on their cybersecurity budget and invested only CHF 8,000 per year. After a ransomware attack, the costs amounted to CHF 340,000. Swiss SMEs with 20 to 50 employees should budget CHF 30,000 to CHF 100,000 annually for cybersecurity.

Industry experts recommend allocating 4-7% of the IT budget for cybersecurity — in high-risk industries up to 15% (cf. Gartner). Many Swiss SMEs invest significantly below the recommended level.

The Risk-Based Approach: Starting Point for Budget Planning

Blanket percentages of the IT budget are a rough guideline but not a strategic basis. A risk-based approach begins with the following questions:

Which assets are business-critical? Identify data, systems, and processes whose failure or compromise would cause the greatest damage. These could be customer databases, production systems, email servers, or intellectual property.

What would a security incident cost? Calculate the potential costs of a cyberattack: direct costs (recovery, forensics, ransom), business interruption (revenue loss), reputation damage, legal consequences, and possible fines under the revised Data Protection Act (up to CHF 250,000 for individuals in leadership positions).

An example: A Swiss wholesaler with 30 employees and CHF 8 million annual revenue calculated that a failure of its inventory management and ordering systems would mean about CHF 30,000 revenue loss per day. With an average recovery time of 5-7 days after a ransomware attack, this results in CHF 150,000 to CHF 210,000 damage, plus recovery costs and other consequential costs.

How likely is an attack? The probability of occurrence depends on various factors: industry, company size, exposure, existing protection measures, and the current threat landscape. The National Cyber Security Centre (NCSC) reports that 43% of Swiss SMEs have already been victims of a cyberattack; the actual number is likely higher, since not every incident is reported.

Risk calculation: The classic risk formula is: Risk = Probability of occurrence × potential damage. If the probability of a serious incident in the next three years is 30% and the potential damage is CHF 200,000, this corresponds to an expected loss of CHF 60,000. Investments in cybersecurity that fall below this amount and significantly reduce risk are economically sensible.

Cost Factors: What Does Cybersecurity Budget Cover?

A full cybersecurity budget covers several areas:

1. Technology and Tools (typically 40-50% of budget)

Endpoint Protection: Modern EDR solutions (Endpoint Detection and Response) cost about CHF 50-150 per device per year for SMEs. For a company with 30 workstations, this amounts to CHF 1,500 to CHF 4,500 annually.

Network Security: Firewalls, Intrusion Detection/Prevention Systems, and secure VPN solutions. A Next-Generation Firewall for an SME costs CHF 5,000 to CHF 15,000 one-time, plus annual licence costs of CHF 1,500 to CHF 4,000.

Email Security: Advanced Threat Protection for email costs about CHF 3-8 per user per month, or CHF 1,000 to CHF 3,000 annually for 30 employees.

Identity and Access Management: Multi-factor authentication and Single Sign-On solutions cost about CHF 3-10 per user per month.

Security Information and Event Management (SIEM): For smaller SMEs often as a cloud service, costs from CHF 5,000 per year.

Backup and Disaster Recovery: Professional backup solutions with cloud or offsite storage cost CHF 3,000 to CHF 10,000 annually, depending on data volume.

Vulnerability Scanning and Patch Management: Automated tools cost CHF 2,000 to CHF 8,000 per year.

2. Managed Services (typically 30-40% of budget)

Many SMEs outsource parts of cybersecurity to Managed Security Service Providers (MSSPs).

Security Monitoring (24/7 SOC): CHF 1,500 to CHF 5,000 per month, or CHF 18,000 to CHF 60,000 annually, depending on service scope.

Managed Endpoint Protection: CHF 40-100 per endpoint per month.

Penetration Testing: Annual security tests by external experts cost CHF 8,000 to CHF 25,000, depending on scope. For red team engagements that simulate realistic attack scenarios, budget CHF 30,000 to CHF 60,000. Providers like RedTeam Partners can help scope an engagement that matches both your risk profile and budget.

Security Consulting: Strategic consulting for 5-10 days per year, CHF 10,000 to CHF 25,000.

3. Personnel and Training (typically 15-25% of budget)

Internal Resources: If an IT employee spends 30% of their time on cybersecurity, calculate accordingly. With a full-time equivalent of CHF 100,000, that’s CHF 30,000.

Awareness Training: Annual training for all employees costs about CHF 100-300 per person, for 30 employees therefore CHF 3,000 to CHF 9,000.

Specialized Further Education: Certifications and courses for IT managers, CHF 5,000 to CHF 15,000 per year.

4. Governance, Compliance, and Insurance (typically 5-15% of budget)

Compliance Costs: If ISO 27001 certification is pursued, expect significant costs.

Cyber Insurance: Premiums vary greatly by industry and security measures, typically CHF 2,000 to CHF 10,000 per year for SMEs.

Audit and Assessment: Annual security audits, CHF 5,000 to CHF 15,000.

Budget Examples by Company Size

Micro-Enterprise (5-10 employees)

Minimum Budget: CHF 8,000 - CHF 15,000 per year

  • Endpoint Protection: CHF 1,000
  • Business Email Security: CHF 500
  • Backup Solution: CHF 1,500
  • MFA Solution: CHF 400
  • Awareness Training: CHF 1,500
  • Basic Consulting: CHF 3,000

Recommended Budget: CHF 20,000 - CHF 35,000 per year

Additionally: Professional firewall, external monitoring services (basic), annual penetration testing, cyber insurance.

Small SME (20-50 employees)

Minimum Budget: CHF 30,000 - CHF 50,000 per year

  • Endpoint Protection: CHF 4,000
  • Network Security (Firewall, Licenses): CHF 5,000
  • Email Security: CHF 2,500
  • Backup and DR: CHF 5,000
  • IAM Solution: CHF 2,000
  • Awareness Training: CHF 6,000
  • Basic Managed Services: CHF 10,000
  • Insurance: CHF 3,000

Recommended Budget: CHF 60,000 - CHF 100,000 per year

Additionally: 24/7 SOC monitoring, SIEM solution, regular penetration tests, dedicated portion of internal IT resources, advanced training.

Medium SME (50-100 employees)

Minimum Budget: CHF 80,000 - CHF 120,000 per year

Recommended Budget: CHF 150,000 - CHF 250,000 per year

At this size, full managed services, own security resources (at least part-time), advanced tools like SIEM and SOAR, regular external assessments, and possibly ISO 27001 certification should be budgeted.

Budget Distribution by Maturity Levels

Your cybersecurity maturity determines where you should invest:

Level 1: Basic Protection (first year)

Focus on fundamental controls:

  • Endpoint Protection (20%)
  • Patch Management (15%)
  • Backup and Recovery (20%)
  • Email Security (15%)
  • MFA Implementation (10%)
  • Basic Awareness (10%)
  • External Assessment for baseline (10%)

Level 2: Advanced Controls (years 2-3)

  • Monitoring and Detection (25%)
  • Network Segmentation (15%)
  • Advanced Email and Web Security (15%)
  • Identity Governance (15%)
  • Regular Penetration Tests (15%)
  • Advanced Training (10%)
  • Incident Response Planning (5%)

Level 3: Mature Security Organisation (year 3+)

  • Threat Intelligence (15%)
  • Advanced Analytics (20%)
  • Automation and Orchestration (15%)
  • Red Team Exercises (10%)
  • Continuous Monitoring (20%)
  • Security Governance (10%)
  • Supply Chain Security (10%)

Prioritization: Where to Start with Limited Budget?

If your budget is tight, prioritise by greatest risk:

Must-have (critical):

  1. Regular, tested backups with offline copy
  2. Multi-factor authentication for all critical systems
  3. Automatic patch management
  4. Business-grade endpoint protection
  5. Email security against phishing
  6. Basic awareness training for all employees

Should-have (important):

  7. Next-Generation Firewall
  8. Security monitoring (at least during business hours)
  9. Incident Response Plan
  10. Regular security assessments
  11. Encryption of sensitive data
  12. Privileged Access Management

Nice-to-have (desirable):

  13. 24/7 SOC monitoring
  14. SIEM solution
  15. Advanced Threat Intelligence
  16. ISO 27001 certification
  17. Bug Bounty programs
  18. Advanced Security Automation

Return on Investment: How to Justify the Budget

Justifying cybersecurity investments is challenging, as ROI is hard to measure. How do you value prevented attacks?

Quantifiable Arguments:

  • Risk Reduction: Calculate expected loss before and after planned measures. If investments of CHF 50,000 reduce risk by 60% and expected loss is CHF 150,000, you save expected costs of CHF 90,000.

  • Insurance Premiums: Good cybersecurity can lower insurance premiums by 20-40%.

  • Avoiding Compliance Costs: Fines for data protection violations can reach CHF 250,000. Appropriate security measures minimise this risk.

  • Efficiency Gains: Modern security tools can also increase productivity through Single Sign-On, automated patch management, and reduced downtime.

Qualitative Arguments:

  • Competitive Advantage: Customers and partners increasingly value secure business relationships. ISO 27001 or other certifications can open doors.

  • Reputation: A security incident can cause irreparable reputation damage. Investments in security protect trust built over years.

  • Business Continuity: The ability to quickly become productive again after an incident secures revenues and customer relationships.

  • Regulatory Requirements: In many industries, cybersecurity standards are increasingly mandatory.

Avoiding Common Budget Traps

Trap 1: Only Investing in Technology

The best tools are of little use if employees aren’t trained or processes are missing. Balance between technology, people, and processes is crucial.

Trap 2: One-Time Projects Instead of Continuous Programs

Cybersecurity is not a project with an end date. Plan for recurring costs for licenses, maintenance, training, and updates.

Trap 3: Ignoring Hidden Costs

Internal personnel costs for administration and management of security tools are often underestimated. Opportunity costs when IT employees spend time on security instead of productive projects should also be considered.

Trap 4: No Reserve for Incident Response

When an incident occurs, significant unplanned costs often arise. A reserve of 10-20% of the annual budget for emergencies makes sense.

Trap 5: Cheap Solutions That Become Expensive

Extremely cheap security solutions often don’t fulfill their purpose and later cause additional costs through incidents or necessary replacement investments.

Budget Planning in Practice: A Case Study

A Swiss trading company with 40 employees, CHF 12 million annual revenue, and an IT budget of CHF 150,000 plans its cybersecurity budget:

Starting Position:

  • Previously CHF 8,000 annually for basic antivirus and firewall
  • No dedicated security monitoring
  • Annual awareness training by IT manager
  • No regular security assessments

Risk Analysis:

  • Main risks: Ransomware, Business Email Compromise, data loss
  • Estimated damage from serious incident: CHF 180,000
  • Probability of occurrence in 3 years: 40%
  • Expected loss: CHF 72,000

New Budget: CHF 45,000 annually (30% of IT budget)

Distribution:

  • Endpoint Protection (EDR): CHF 5,000
  • Email Security (Advanced Threat Protection): CHF 3,000
  • Next-Gen Firewall (Amortization + Licenses): CHF 4,000
  • Backup and DR: CHF 5,000
  • MFA and IAM: CHF 2,000
  • Basic SOC Monitoring (Business Hours): CHF 12,000
  • Annual Penetration Testing: CHF 6,000
  • Awareness Training: CHF 4,000
  • Security Consulting (5 days): CHF 6,000
  • Cyber Insurance: CHF 3,000

Expected Risk Reduction: 65%

  • New expected loss: CHF 25,200
  • Risk reduction: CHF 46,800
  • Costs: CHF 45,000
  • Net benefit: CHF 1,800 (plus qualitative benefits)
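The risk formula from the "Risk calculation" paragraph, the risk-reduction argument under "Quantifiable Arguments", and the case study above all use the same few relationships (expected loss = probability × damage, residual loss after a measure, net benefit against budget cost, and revenue loss × recovery days for business interruption). The following model is an added example, not code from the article or any vendor it mentions; it reproduces the article's case study figures and adds two things a budget review should always include: a reconciliation of the headline total against the line items, and a side-by-side ranking of alternative budget scenarios as suggested in "Show alternative scenarios". The `RiskScenario`, `BudgetOption`, `evaluate` and `rank_options` names, and the "minimum" and "optimal" alternatives, are constructed for illustration.

```python
"""Risk-based cybersecurity budget model (added example; not from the original article).

Formulas, as the article states them:
  expected loss   = probability of occurrence x potential damage
  residual loss   = expected loss x (1 - risk reduction)
  net benefit     = (expected loss - residual loss) - budget cost
  interruption    = daily revenue loss x recovery days
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    damage_chf: float      # potential damage of one serious incident
    probability: float     # probability of occurrence over the planning horizon, 0..1

    def expected_loss(self) -> float:
        return self.damage_chf * self.probability


@dataclass(frozen=True)
class BudgetOption:
    name: str
    stated_total_chf: float          # headline figure presented to management
    line_items: dict[str, float]     # what the money is actually allocated to
    risk_reduction: float            # expected fraction of loss removed, 0..1

    def line_item_total(self) -> float:
        return sum(self.line_items.values())

    def unreconciled_chf(self) -> float:
        """Gap between line items and the headline total; 0 means the budget adds up."""
        return self.line_item_total() - self.stated_total_chf


def business_interruption_range(daily_revenue_loss: float, min_days: int, max_days: int) -> tuple[float, float]:
    """Revenue loss for the shortest and longest expected recovery time."""
    return daily_revenue_loss * min_days, daily_revenue_loss * max_days


def evaluate(risk: RiskScenario, option: BudgetOption) -> dict[str, float]:
    """Expected loss before and after the option, the saving, and the net benefit."""
    before = risk.expected_loss()
    after = before * (1 - option.risk_reduction)
    saved = before - after
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "risk_reduction_chf": saved,
        "cost": option.stated_total_chf,
        "net_benefit": saved - option.stated_total_chf,
    }


def rank_options(risk: RiskScenario, options: list[BudgetOption]) -> list[tuple[str, float]]:
    """Scenario names sorted by net benefit, highest first."""
    scored = [(o.name, evaluate(risk, o)["net_benefit"]) for o in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Case study from the article: 40-employee trading company, 3-year horizon.
CASE_STUDY_RISK = RiskScenario("serious incident", damage_chf=180_000, probability=0.40)

RECOMMENDED = BudgetOption(
    name="recommended (article case study)",
    stated_total_chf=45_000,
    line_items={
        "Endpoint Protection (EDR)": 5_000,
        "Email Security (Advanced Threat Protection)": 3_000,
        "Next-Gen Firewall (Amortization + Licenses)": 4_000,
        "Backup and DR": 5_000,
        "MFA and IAM": 2_000,
        "Basic SOC Monitoring (Business Hours)": 12_000,
        "Annual Penetration Testing": 6_000,
        "Awareness Training": 4_000,
        "Security Consulting (5 days)": 6_000,
        "Cyber Insurance": 3_000,
    },
    risk_reduction=0.65,
)

# Constructed alternatives for the scenario comparison; the figures are not from the article.
MINIMUM = BudgetOption(
    "minimum (constructed)", 20_000,
    {"Endpoint Protection": 4_000, "Email Security": 2_500, "Backup and DR": 5_000,
     "MFA": 2_000, "Awareness Training": 3_500, "Cyber Insurance": 3_000},
    risk_reduction=0.40,
)
OPTIMAL = BudgetOption(
    "optimal (constructed)", 90_000,
    {"24/7 SOC Monitoring": 40_000, "SIEM": 10_000, "Endpoint Protection (EDR)": 5_000,
     "Email Security": 3_000, "Next-Gen Firewall": 4_000, "Backup and DR": 5_000,
     "MFA and IAM": 2_000, "Penetration Testing": 8_000, "Awareness Training": 4_000,
     "Security Consulting": 6_000, "Cyber Insurance": 3_000},
    risk_reduction=0.80,
)

if __name__ == "__main__":
    print(evaluate(CASE_STUDY_RISK, RECOMMENDED))
    print("line items vs. headline total:", RECOMMENDED.unreconciled_chf())
    print(rank_options(CASE_STUDY_RISK, [MINIMUM, RECOMMENDED, OPTIMAL]))
```

Two observations from running it. First, summing the case study's own line items gives CHF 50,000 against the stated CHF 45,000 total; the article's net-benefit figure uses CHF 45,000, so the model follows that and reports the CHF 5,000 gap through `unreconciled_chf()`, which is exactly the reconciliation a budget review should catch before the figures reach management. Second, on pure expected-value arithmetic the cheaper constructed scenario ranks above the recommended one, because the expected loss is modest relative to the budgets; that is why the article pairs the quantitative case with the qualitative arguments, the incident-response reserve, and the minimum/recommended/optimal framing rather than relying on net benefit alone. Note also that the article's probabilities are stated over three years while the budgets are annual; the model compares them directly as the article does, so read `net_benefit` in that sense rather than as an annualised figure.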

Budget Conversation with Management

When presenting your cybersecurity budget to management:

Speak in business language, not tech jargon: Instead of “We need a SIEM with SOAR integration,” say “We need the ability to detect attacks early and respond automatically to minimise damage.”

Focus on risks and business impact: Quantify potential damages in francs and business interruption in days.

Show alternative scenarios: What happens with minimum, recommended, and optimal budget? What are the risk acceptances for each scenario?

Benchmark: “Companies of our size and industry invest an average of X% of their IT budget in cybersecurity. We are currently at Y%.”

Phase if necessary: If the full budget is not immediately approved, prioritise and plan multi-year.

Monitoring and Adjustment

Cybersecurity budget is not static. Review at least annually:

  • Threat Landscape: Have new risks developed?
  • Business Development: Growth, new business areas, or markets require adapted security.
  • Technology Changes: Cloud migration, new systems, or digitalization projects have security implications.
  • Regulatory Developments: New laws or standards may require additional investments.
  • Incidents and Lessons Learned: Own or others’ incidents reveal weaknesses.

A structured cybersecurity budget is not just a cost factor but a strategic investment in business continuity, competitiveness, and long-term growth. Swiss SMEs that plan systematically on a risk basis achieve appropriate security at reasonable cost.
