Small Business Cybersecurity Cost in 2026: What 30 Real Engagements Actually Spend

Tier 1 · Foundation

$18,000 to $32,000 per year

Who belongs here: 5 to 25 employees. No regulated industry exposure. No enterprise customers sending security questionnaires. No cyber insurance policy with required controls. Typical examples: a 12-person professional services firm, a 9-person early-stage SaaS pre-paying-customer, a 20-person retail or e-commerce business.

What it buys: Microsoft 365 Business Premium or Google Workspace Business Plus, EDR on every endpoint, immutable backups with quarterly recovery tests, security awareness training with monthly phishing simulations, a password manager, a written information security policy and incident response plan, and four to six hours a month of senior advisory.

What it does not buy: SOC 2 readiness, penetration testing on a regular cadence, a SIEM or managed detection and response, a vCISO retainer with named accountability, or formal customer audit support.

Tier 2 · Operating Baseline

$36,000 to $68,000 per year

Who belongs here: 25 to 60 employees. Possibly one or two enterprise customers who have sent a short security questionnaire. May or may not carry cyber insurance. No active SOC 2 or HIPAA program. Typical examples: a 40-person agency with two Fortune 1000 clients, a 50-person staffing firm with healthcare-adjacent placements, a 35-person SaaS company in the year before their first SOC 2 push.

What it adds over Tier 1: A real annual external security audit (not a self-assessment), an annual external vulnerability assessment, a managed detection and response option layered onto the EDR, vendor management workflow with documented reviews, a real access-review cadence, and a 6-month vCISO retainer averaging two days a month.

What it does not buy: A finished SOC 2 Type 2 report, an annual penetration test report bound for an enterprise customer's procurement, or a 24/7 SOC engagement.

Tier 3 · Customer-Audit Ready

$72,000 to $130,000 per year

Who belongs here: 40 to 100 employees. Three or more enterprise customers actively reviewing your security posture. Procurement teams asking for SIG Lite or CAIQ responses. Cyber insurance with a multi-page controls questionnaire. Typical examples: a 60-person legal services firm, a 75-person fintech-adjacent platform, an 80-person managed service provider with healthcare and financial clients.

What it adds over Tier 2: A trust portal with eight to twelve maintained documents, an annual external penetration test with a customer-shareable report, SOC 2 Type 1 readiness work in flight (or a Third-Party Security Attestation Letter as the bridge), an active vendor risk program with a documented register, the first wave of policy automation (drift detection on identity, IaC scanning), and a vCISO retainer with named accountability and four to eight hours a week.

What it does not buy: A finished SOC 2 Type 2 or ISO 27001 certificate, regulator-grade documentation, or HIPAA risk analysis depth.

Tier 4 · Regulated or SOC 2 Active

$140,000 to $210,000 per year

Who belongs here: 50 to 150 employees with at least one of: an active SOC 2 Type 2 program, HIPAA covered-entity or business-associate obligations, PCI DSS scope, state breach notification laws regularly invoked (e.g., NY DFS, California, Massachusetts), or contractual cybersecurity requirements from a major financial customer. Typical examples: a 90-person health-tech SaaS in SOC 2 + HIPAA, a 120-person fintech with state money transmitter licences, a 70-person law firm with high-value M&A clientele.

What it adds over Tier 3: A full SOC 2 Type 2 audit cycle in motion, formal evidence collection with a platform like Vanta or Drata layered with human judgment, an annual penetration test plus an interim re-test of remediations, quarterly tabletop exercises, a real BCDR program with tested annual exercises, third-party application security review on critical platforms, and a vCISO retainer with full named-individual accountability.

What it does not buy: Multi-framework simultaneous certification, dedicated 24/7 SOC, or red-team-style adversarial testing on a fixed cadence.

Tier 5 · Multi-Framework or Critical-Industry

$220,000 to $420,000+ per year

Who belongs here: 100 to 250 employees and at least two of: SOC 2 + HIPAA + ISO 27001 simultaneously, CMMC Level 2 or NIST 800-171 with a DoD prime relationship, NYDFS Part 500 obligations, healthcare with PHI volume that triggers OCR scrutiny, or fintech operating in regulated jurisdictions with banking-supervision flowdown. Typical examples: a 130-person defense subcontractor, a 180-person digital health firm, a 200-person regtech SaaS serving banks.

What it adds over Tier 4: Multi-framework readiness and audit calendar, a finished CMMC assessment or its equivalent, dedicated MDR or co-managed SOC, threat-intelligence subscriptions and quarterly purple-team exercises, dedicated security engineer time or a small in-house team, and a vCISO arrangement that approaches a part-time CISO function with board reporting.

What it does not buy yet: A full-time CISO hire. Most firms in this tier still find a senior vCISO with an implementation pod more cost-effective than a single in-house hire.

1. Buying tools before knowing the controls catalogue

A panicked founder buys a SIEM, an MDR, a vulnerability scanner, and a posture-management tool in the same quarter because every vendor demo promised SOC 2 readiness. Six months later half the tools are unconfigured, one duplicates another, and the SOC 2 program still has not started. The right order is: read the controls catalogue, decide what control each tool implements, then buy. Across our sample this single mistake adds $24K to $60K of recurring spend on tools that produce no evidence in the eventual audit.

2. Confusing automation with operations

Vanta, Drata, or Secureframe will collect evidence and track configuration. They will not run your access reviews, write your incident response, decide your risk appetite, or sit with your customer's CISO when the questionnaire comes back. Companies that buy the platform and skip the human end up with a green dashboard and a real audit finding. Plan for two-thirds tool and one-third human at Tier 3 and above.

3. Letting scope drift across the whole business

If your regulated workload sits in a single application and a small enclave of users, your SOC 2 or HIPAA scope can stay tight. If you let the entire production network, the entire sales laptop fleet, and every contractor's home VPN into scope, you have just doubled your audit cost and tripled your evidence collection burden. Across our sample, scope discipline is the single highest-leverage cost decision in Tier 4.

4. Hiring the wrong shape of consultant

A 40-person business does not need a 200-person consulting firm with a partner-led overhead, and a 90-person regulated business does not need a solo independent who has never been in a SOC 2 audit room. Match the shape of the consultant to the shape of your business: senior practitioner with a small implementation pod for most small businesses, mid-market specialist for the regulated 100-plus, big firm only when the board wants the logo.

5. Forgetting cyber insurance is now part of the controls catalogue

Insurers will not write you a policy without MFA, EDR, immutable backups, an email security gateway, and an incident response retainer. If your renewal is in 90 days and your controls do not match, your premium goes up by 30 to 70 percent or your application is declined. Build to the insurer questionnaire as a free dry run for any future audit; the controls overlap with SOC 2 and ISO 27001 by 60 to 80 percent.

What is the absolute minimum a 10-person business should spend?

All-in, $18,000 to $22,000 per year if internal time is honestly counted. About $12,000 in licences and tools, $5,000 to $7,000 in advisory and a one-time audit, and $1,500 to $3,500 in loaded internal labor. Going lower than this means either skipping internal time (which is dishonest accounting) or skipping a control your insurer or a future customer will eventually require.

Can I skip SOC 2 and use the Third-Party Security Attestation Letter instead?

For one or two customers, yes. The Attestation Letter is a credible bridge for procurement teams that need a third-party signal but cannot wait twelve months for SOC 2 Type 2. Beyond two or three enterprise customers, the attestation pattern starts to fail because procurement teams begin asking for the actual SOC 2 report or its ISO 27001 equivalent. We use the attestation for Tier 2 firms with one big customer and a 90-day deadline; we recommend committing to SOC 2 once the third enterprise customer hits the pipeline.

How much should I budget for the customer questionnaire response cycle?

For a 40- to 80-person firm answering one significant questionnaire every six to eight weeks, plan for 12 to 24 hours of internal time per response, plus 4 to 8 hours of senior advisory if the questionnaire touches HIPAA, PCI, or regulated finance language you do not handle in-house. That works out to $8,000 to $18,000 per year of pure questionnaire-response capacity at Tier 3. A maintained trust portal cuts that by 50 to 70 percent within the first six months.

Is a vCISO really worth it at our size?

A vCISO is worth it from Tier 2 upwards if the role is real, the named individual is senior, and there is an implementation pod behind the name. Below 25 employees, advisory hours are usually enough; above 25 employees, the vCISO frame is what produces the deliverables an insurer or customer will accept. We tell early-stage founders not to buy a vCISO retainer if all they want is monthly office hours; we tell 50-person firms with three enterprise customers that a retainer at $4,000 to $8,000 a month is cheaper than the alternative cost of failing a procurement review.

When does it make sense to hire a full-time security person?

In our data, the inflection point sits around 120 employees with a Tier 4 or Tier 5 profile, two or more frameworks in flight, and quarterly board reporting on security. Below that, a senior vCISO with a small implementation team produces more output per dollar than a single junior-to-mid hire. Above that, a senior in-house security engineer plus a vCISO oversight relationship is usually the next stop, not a full-time CISO yet.

My MSP says they handle security. Is that enough?

For Tier 1, often yes, provided the MSP genuinely delivers MFA, EDR, backup, and patching with documented results. For Tier 2 and above the gap opens quickly: an MSP does not write your incident response plan, run your tabletop, fight your insurer on the controls questionnaire, or sit with a customer's procurement team. The pattern that works for Tier 2 to Tier 4 firms is to keep the MSP doing IT operations and add a separate cybersecurity consultancy that handles governance, audit readiness, and customer-facing security work. The two roles are not the same.