As technology continues to evolve, and cybercriminals become more sophisticated in their attacks, organisations will need to focus more attention on protecting themselves from cyber risk.

So, how much should companies be investing in their cybersecurity, and how do they decide how their investment is used?

Cybersecurity is becoming more expensive. This is hardly surprising when you consider today’s threat landscape, and how quickly it can change. Across all business sectors, we are more reliant on technology, which, for cybercriminals, means more opportunities to steal data, hold systems to ransom, and generally leave a trail of destruction for companies they attack.

Despite the increasing risk of cyber incidents, many companies are not investing enough in their cyber defences. Results from the Cyber Security Breaches Survey 2022 showed some worrying statistics when it came to the effort being made by organisations in identifying and protecting against cyber-attacks and data breaches.

17% of organisations have done an audit of their cybersecurity vulnerabilities in the last 12 months.

17% have had cybersecurity training for employees in last 12 months.

34% have business continuity plans that cover cybersecurity.

Source: Cyber Security Breaches Survey 2022 - GOV.UK (

So, is throwing money at the issue the answer? Well, yes and no. Yes, organisations should take the issue seriously and ensure they are allocating sufficient budget to invest in their cybersecurity. But, on the other hand, it’s not just about the amount of money, it’s how and where it is invested to do the most good. Understanding your organisation’s cyber vulnerabilities is key to using your budget most effectively.

IT spending as a percentage of revenue

A popular formula to use in calculating overall IT spending is as a percentage of the company’s revenue, largely because financial executives use this formula for many other business functions, such as marketing expense and accounting costs. It tends to vary by industry (for example financial services companies tend to allocate a higher percentage than manufacturing companies), and also by organisation size, with larger companies typically spending more on IT as a percentage of revenue than smaller companies.

So, how should an organisation decide what percentage this spend should be? And, does it matter what sector they are in, or how large or small the company is?

To answer the first question, as a guide, it is recommended that 4% of your revenue should be spent on your company’s IT. To answer the second question—no sector or company, no matter its size, is immune from a cyber-attack or data breach, or the financial consequences that a cyber event can bring. While there is no set price for complete peace of mind, if you are spending less than 4% of your revenue, this may not be enough to provide adequate cybersecurity for your business.

How do you know what to spend your budget on?

To build cyber resilience across your organisation, you need to make informed decisions. To do this you need to understand what your cyber vulnerabilities are, and what is required to deal with these vulnerabilities and strengthen your defences. Without proper diligence, you may risk spending too much on the wrong ‘solutions’ just to spend your budget. Only after a careful assessment of your organisation’s current—and future—needs and capabilities can you determine the appropriate spending on cybersecurity.

It is worth mentioning at this point that the majority of breaches are caused by failures on the part of people and processes. So it is just as much about training and awareness, as it is about the latest technical solutions. Cybersecurity is not simply an ‘add-on’ for your business, it needs to run through your operations, and be embedded in your processes and culture.

Questions for the board of directors to ask:

  • What are our most critical assets to protect in terms of data, systems and processes?
  • What are our existing cybersecurity capabilities?
  • Are there any unused features among our current tools?
  • How many new investments will be integrated into existing processes?
  • Could we decommission a tool if a new one overlaps and offers better protection?
  • Will the capabilities we purchase be effectively deployed and managed by existing staff? Or do we need to make new hires?
  • Should we be investing more in cybersecurity training for employees?
  • What threats should we prioritise, and what budget should we allocate accordingly?
  • How do we ensure our cybersecurity resources are deployed where they are most needed?
  • How much risk is the company prepared to accept?

The gap between risks and capabilities is where investment must be targeted. However, targeting and fixing gaps is just the initial step—you should also ensure you are spending in ways that will sustain your existing capabilities as the threat landscape evolves. Otherwise, you may find that you are simply creating new gaps and leaving your company exposed.

Once you have a clear picture of the assets you need to protect, you will be able to define how your security resources should be deployed. This will help you understand how to direct your spending decisions. In addition, as far as is possible, you should assess the potential financial impact of the cyber-attacks you may face, in order to determine how much you invest to mitigating them.

Gallagher offers risk management strategies for every size of business and every budget, from multi-national corporations to SMEs. We recognise that every organisation is unique, and we will work with you to determine the most appropriate services for your cyber risk.

For more information, please contact:

Author Information


The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.