Cybersecurity budgets increased by about 4 percent in 2025 — half the 8 percent budget growth in 2024. Cyber threats continue to escalate, but organizations aren’t dedicating enough of their IT budgets to addressing that risk.
Meanwhile, AI is taking more and more of the IT budget pie. One survey found that more than 60 percent of small to midsize enterprises (SMEs) planned to increase their AI spending in 2025. Only 40 percent said the same about cybersecurity.
It’s easy to understand why. AI is the sexy new technology that promises huge productivity gains, greater operational efficiency, improved decision-making and personalized customer experiences. SME leaders see AI as an investment in the future that will help them grow the business and gain competitive advantages.
By contrast, almost half of SMEs rated cybersecurity as an area of “moderate importance,” and just 28 percent considered cyber threats their greatest concern. Overall, cybersecurity ranked fifth, well below inflation and tariffs.
Why Many Organizations Don’t Spend More
There are a number of reasons why SMEs don’t spend more on cybersecurity. One of the biggest is a false sense of security: the belief that “it won’t happen to us.” Many SME leaders believe that their organizations are too small to be targeted. However, almost half of cyberattacks specifically target SMEs because they often have weaker defenses.
Many leaders also think they’re doing enough. After all, they have antivirus protection in place and perhaps a firewall. They simply don’t understand that cybersecurity requires advanced security tools, security awareness training, and ongoing monitoring and threat response. In many cases, they only recognize the need for more robust security after a cyberattack has occurred.
SME leaders may also consider cybersecurity a “nice to have” rather than a business necessity. They may not view a cyberattack as an existential threat that could put them out of business. They look at the cost of cybersecurity without recognizing that recovering from a cyberattack would be much more expensive.
The Case for Greater Cybersecurity Spending
Many SMEs spend less than $5,000 a year on cybersecurity, which is inadequate to cover even basic protections. As a rule of thumb, SMEs should allocate at least 7 percent to 10 percent of their IT budget to cybersecurity. Organizations in highly regulated industries should generally spend more to meet their compliance requirements.
What’s more, cybersecurity spending should increase every year. The threat landscape is constantly expanding, and attacks are becoming more advanced. Cyber criminals are using AI to create phishing campaigns that are virtually impossible to detect. Ransomware attacks are on the rise, and attackers are exfiltrating data before they encrypt it to increase the odds that the victim will pay the ransom.
Government and industry regulations are becoming stricter. While compliance frameworks have some flexibility in terms of implementation, regulators are cracking down on organizations that don’t meet the basic requirements.
Cyber insurance providers are also requiring more security controls before they issue a policy. Organizations need to invest in multifactor authentication, endpoint detection and response, and other security measures to obtain coverage.
How Much Should Organizations Spend?
Budgets are, of course, finite. SMEs only have so much money to spend on keeping their operations running. The key is to make cybersecurity a priority and develop a strategic plan that focuses investment on the areas of greatest risk.
A managed security services provider can be a valuable ally in this process. Verteks, for example, can assess your environment, identify gaps and risks, and help you define a strategy and set a realistic budget. Our managed security services also offer a cost-efficient way to gain access to advanced security tools and expertise.
Our next post will delve deeper into why cybersecurity budgets should increase and offer suggestions as to where to invest limited budget dollars. In the meantime, we invite you to contact Verteks to schedule a confidential consultation to discuss your security concerns.




