cybersecurity costs and budgeting for business

Managed IT Services – What do they cost? Part Two [CyberSecurity]

The context

Welcome to part 2 of our series!  To recap, the intent of this topic is to outline the considerations for businesses assessing their IT spending.  Rather than asking about specific costs, we will focus more on a series of questions such as “How should I think about my IT budgeting?”, “What level of cybersecurity investment should I pursue?”, “How do managed service providers price their services?”,  and “What are the items I have not yet considered?”.  Let’s dive in!

Investing in cybersecurity should be a top priority for all small and medium business and is a core component of your IT roadmap. When thinking of the downside revenue risks present for not securing a business, it can be difficult to put a price tag on risk mitigation.   Cyber attacks can be costly and damaging to a company’s reputation. Investing in cybersecurity measures such as firewalls, endpoint detection & response software, and employee training can help protect your business from cyber threats.  At EC Managed IT, we invest heavily internally on our cybersecurity stack, which allows us to offer those same solutions to our clients, providing exceptional value.  We also audit our practices yearly to ensure we continue to align with the Cybersecure Canada certification we hold.  


Cybersecurity spending

When it comes to allocating budgets, the last few years have changed the game in terms of cybersecurity investment, and the projections for the years to come are that this trend will continue. Just a few years ago, this may have come in around 10% of overall IT budgeting. Details and context of your specific business are the only things that can determine your specific requirements, but 10% of IT budgets should be the very minimum.  Increasingly we are seeing upwards of 20-30% focused around creating security layers.  

Beyond this, forward looking executives are shifting their mindsets from viewing cybersecurity simply a cost centre toward viewing it as fundamental ongoing and integrated capabilities that inform business strategy.  



Your team is your biggest security liability.  Specifically, individual decision making in the moment is what most often leads to compromise.  Sometimes this is company policy related, and sometimes its simply user targeted phishing or social engineering scams.  Accidental exposure happens all to often as well, such as simply sending an email to the incorrect contact and therefore exposing company or client data. Due to this, Security Awareness Training is paramount to instill a security first mindset.  



Company policies related to cybersecurity are one of the most neglected areas that we have seen within small-medium sized businesses.  An honest look at internal company policy will provide great security value for your organization.  Policies allow a framework to help identify risky behaviour within your business, and help to provide a simplified decision making process for your team when they encounter situations that could lead to data leakage, breach, etc.   



Never before have we had such an advanced technology stack at our fingertips.  Over time the expense of enterprise-level solutions has given way to broad availability for small-medium sized businesses at reasonable cost.  That said, not all security technology is created equally, and note all options will properly complement your environment. There are, however, common areas that need to be addressed as part of nearly all cybersecurity stacks.  


Driving value by working with a partner:

Driving value in your investment is paramount.  Make no mistake, cybersecurity risks cannot be 100% outsourced.  It must be a partnership between your business leadership and its 3rd party providers to ensure that people, processes, and technology are all effectively addressed.  Working with an experienced managed cybersecurity partner can give you confidence in your cybersecurity posture.  How?  We are glad you asked! The list could be very extensive, but we will focus it on the following:


  • Experience and expertise: experienced partners have security professionals with a wide range of expertise in various security fields such as threat management, incident response, and compliance.  Experience can guide you to the most effective use of your internal resources and even licensing.  
  • Proven track record: partners should have a proven track record of delivering high-quality, reliable security services to a variety of clients in different industries.  Track records build confidence.  
  • Advanced security technologies: At EC Managed IT, we use advanced security technologies and best practices to protect clients’ networks and data, such as firewalls, intrusion detection and prevention systems, and security information and event management (SIEM) systems.  We have forged partnerships over years that we are excited to bring to bear for you and your business. 
  • Scalability: Whether its 20 users, 200 users, or upwards of 2000, we are able to scale our services to meet the needs of clients of different sizes and industries.  This combines with flexibility, allowing tailored services to meet the unique needs of clients as they grow. 
  • Future conscious:  Partners should be continuously updating their processes and technologies to adapt to the latest security threats and trends, giving  clients insight on new options that protect against emerging threats. This is a business orientation that demands awareness of and understanding of the client’s business in order to provide solutions that fit for them.  


The takeaway

Your business has a unique risk profile, and therefore unique cybersecurity needs.  As you think about IT budgets overall, and security related spending in particular, it’s important to begin to shift to a mindset wherein cybersecurity helps drive strategy, rather than thinking of it simply as a cost.  A security first mindset throughout your organization will help you to thrive well into the future.  



  • Part 1: Establishing budget – Overall IT infrastructure
  • Part 2: Establishing budget – Cybersecurity allocation
  • Part 3: Managed IT Services Pricing models [COMING SOON]
  • Part 4: Hidden Costs:  What have I not considered? [COMING SOON]  
  • Part 5: Hidden Costs: Shadow IT (leverage SaaS Management) [COMING SOON]


Related Articles

cyber insurance readiness

Cyber Insurance Readiness

Cyber Insurance Readiness – Building a Safer Cyber Space Through Proactive Risk Management Today’s digital landscape is extremely interconnected. By adopting a forward-thinking approach, organizations

Read More »