Author: Johnty Mongan


As technology continues to advance, the threat of cyber-attacks becomes increasingly prevalent. Investing in robust cyber defence measures can help organisations protect their sensitive data and systems — but what proportion of the IT budget should be set aside?

In this article, we will explore the factors that influence an organisation’s annual cyber defence spend and why it is crucial to allocate sufficient resources to this area.

How much should an organisation spend on cybersecurity?

As a general rule of thumb, allocating 5%–20% of your IT budget is considered appropriate [1].

Factors to Consider When Allocating Cyber Defence Spend

Industry sector and risk profile

Certain sectors, such as finance, healthcare, and government, are more prone to cyber-attacks due to the valuable data they possess. These industries often face stringent regulatory requirements, which necessitate higher investments in cybersecurity. Additionally, organisations with a high-risk profile, such as those with a history of cyber incidents or those operating in politically sensitive regions, may need to allocate more resources to their cyber defence.

Existing IT infrastructure

The size and complexity of an organisation’s IT infrastructure also play a significant role in determining its cyber defence spend. Larger organisations with extensive networks, multiple locations, and numerous endpoints require more comprehensive security measures. The complexity of the infrastructure increases the potential attack surface, making it crucial to invest in advanced security solutions, such as firewalls, intrusion detection systems, and endpoint protection tools.

A constantly moving threat landscape

The evolving cyber threat landscape is another critical factor in determining an organisation’s cyber defence spend. Cybercriminals are constantly developing new techniques and exploiting vulnerabilities, making it essential for organisations to stay ahead of the curve. Investing in threat intelligence services, security assessments, and regular penetration testing helps identify potential weaknesses and enables proactive defence measures.

Compliance with data protection laws

Compliance with industry-specific regulations and legal requirements is also a driver for cyber defence spend. Organisations must adhere to various data protection laws, such as the General Data Protection Regulation (GDPR) in the European Union or the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector. Failure to comply with these regulations can result in severe financial penalties and reputational damage. Therefore, organisations must allocate resources to ensure they meet the necessary security standards and maintain compliance.

Investment in Cybersecurity Measures is Increasing Overall

According to the UK government’s Cyber Security Breaches Survey 2024, many organisations have continued to invest either the same amount or more in cybersecurity over the last 12 months, despite the challenging economic conditions. Among the reasons for this is the perceived uptick in the number of cyber-attacks and their increasing sophistication.

The deployment of cybersecurity controls, procedures and risk management has trended upward among organisations over the last 12 months:

83% use up-to-date malware protection (up from 76%)

75% use network firewalls (up from 67%)

17% carry out cybersecurity vulnerability audits (up from 15%)

31% have business continuity plans that cover cybersecurity (up from 27%)

43% are insured against cyber risks in some way (up from 37%)

Source: Cyber Security Breaches Survey 2024, GOV.UK [2]

How Should Organisations Prioritise Their Spending?

While all organisations operate in broadly the same threat landscape, their specific vulnerabilities differ, not least because of the different influences on spend described above. It is therefore important to conduct a thorough risk assessment to identify these vulnerabilities and prioritise cybersecurity investments accordingly.

Once your organisation’s key risks are identified, they will inform your decisions about how to strengthen your cyber defences and where investment may be required in your response to a cyber-attack. For example, if gaps are identified in your digital armour, sufficient budget should be allocated to cybersecurity measures such as vulnerability scanning, penetration testing, and endpoint protection tools.

Similarly, if your incident response and recovery capabilities no longer reflect today’s cyber landscape and the potential fallout from an attack or data breach, you may need to direct much of your investment to your response planning. This can involve allocating funds for incident response training, incident management systems, and data recovery solutions to minimise downtime and ensure business continuity.

Separating Your IT Budget and Cybersecurity Budget

When developing your cyber defence strategy, it may be beneficial to secure a separate budget for the organisation’s cybersecurity and cyber risk management. This can protect the budget and help to ensure the appropriate level of investment in cybersecurity.

Regardless of how you choose to budget for your cyber defence spending, it should not be seen as a one-time investment, or even a once-a-year tick box. It is vital to continuously update your defences to stay ahead and treat cyber risk management as an ongoing commitment, requiring year-round consideration and resources.

Gallagher offers cyber risk management strategies for every size of business and every budget, from multinational corporations to SMEs. We recognise that every organisation is unique, and we will work with you to determine the most appropriate services for your cyber risk.

Find out more about Gallagher’s Cyber Defence Centre or connect with our Cyber Risk Management team.

[1] What Should Your Cybersecurity Budget Look Like? Reclamere (28 September 2023).
[2] Cyber Security Breaches Survey 2024. GOV.UK (9 April 2024).



The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein.