A survey of 1,000 executives of organizations that generate less than $100 million in revenue finds 59% believe the right amount of budget is being allocated to cybersecurity, with 64% noting they also believe their organization is too small to be an attractive target.
Conducted by Wakefield Research on behalf of Coalition Re, a provider of cybersecurity insurance, the survey also noted that nearly three-quarters of respondents (74%) are allocating less than 10% of their total business budget to cybersecurity. Only 26% said their organization should be spending more, even though 83% acknowledged cybersecurity risks have grown over the past year.
Additionally, 69% estimate that the cost of a cyberattack would be less than $2 million, with 30% expecting those costs to be under $500,000.
Joe Toomey, head of engineering for Coalition, said the survey suggests that small business executives still don’t fully appreciate the level of risk a cyberattack represents, even though 79% have experienced one cyberattack in the past five years, with 23% having been victimized in the past year.
On the plus side, a full 87% of respondents are more concerned about cybersecurity, with 20% being very concerned. However, concern doesn’t appear to equate to a willingness to increase funding, noted Toomey.
Most small businesses have limited financial resources and there are always going to be multiple competing priorities. Most of those executives are already making stark choices between what they need to invest in the core business and all the ancillary functions, including IT, needed to support it. They are generally going to ignore any call to increase spending on ancillary functions, especially when that investment might be at the expense of the core business.
Ultimately, more small businesses should be relying on cybersecurity services. Few of them can afford to hire and retain cybersecurity experts, which means most of them are relying on internal IT teams to manage cybersecurity alongside all their other responsibilities. Most organizations would simply be better off if they relied more on a managed detection and response (MDR) service that is provided by an organization that has more cybersecurity expertise, noted Toomey.
Regardless of approach, the one certain thing is that both the volume and sophistication of the cyberattacks being mounted against all businesses are only going to increase. In theory, advances in AI might enable smaller businesses to combat those threats, but not without incurring additional costs that a managed security service provider (MSSP) is more likely to be in a better position to absorb.
Each organization will, as always, need to determine what makes economic sense given the level of risk to the business and the amount of cybersecurity it can afford. In some instances, that may mean relying more on insurance to cover any costs that might be incurred in the wake of a cybersecurity attack. The challenge these days, however, is that most of those insurance providers are not only going to require small businesses to invest more in cybersecurity to qualify for coverage; they are also not likely to cover the cost of a cyberattack if it is shown that fundamental best practices for cybersecurity were ignored in the first place.