A business owner asked me this last week - and honestly, it’s a fair question.
Here’s what I told them:
When you take a proactive approach to security (the kind ISO27001 champions), you’re looking at straightforward, predictable, low-stress costs:
✅ £100–£200 for staff cyber awareness training
✅ £50–£100 for strong antivirus & patching
✅ £50–£100 for proper Microsoft 365 backups
✅ A couple of hours to set up sensible access controls
✅ A couple of hours to write security
Total: roughly £1,200–£2,500 a year.
That’s less than most businesses spend on coffee.
Now… here’s the reactive approach: what happens when you wait until something happens:
❌ £10,000–£20,000 on emergency IT support & data recovery
❌ Productivity crashes while everything is offline
❌ Damage to your reputation and client trust
❌ Possible GDPR investigations and fines
❌ And the big one: weeks of stress, fear, and lost sleep
Same problem. Very different price tag and timeline.
As small business owners, we all feel it: paying for security can feel like insuring your house against a fire you hope never comes.
But every week we speak to businesses who believed:
“We’re too small to be targeted.” (they weren’t – and it hurt)
“Everything is backed up on the cloud.” (it wasn’t – because the hackers targeted their cloud.)
“My team would never fall for a phishing email.” (and they did!)
And the ones who don’t panic when something goes wrong? They’re the ones who put simple, sensible ISO27001-style controls in place before their phones lit up at 8am with cries of “We can’t access anything.”
Just remember that prevention isn’t just better than cure - it’s cheaper!
And ISO27001 gives you the roadmap to ensure you don’t miss anything vital.
If you want to sleep well at night and keep your business running smoothly, put security ON the agenda before it BECOMES the agenda!