Cyber security is now a business-critical concern. But how much does it cost, and how much should you invest to protect your company?
How much does cyber security cost? It’s a challenging question because so many different variables go into it. Including the size of your company, what industry you are in, your risk appetite, and something many companies seldom factor in; the customer’s expectations.
In addition, there is a good chance if I asked you what you are paying right now for cyber-security, you wouldn’t have an exact number in your head. This is not unusual because cyber security cost is usually not a board room discussion.
Also, cybersecurity is typically an add-on to the monthly managed service fee, so you don’t see it broken out.
As one of the first Managed Service Providers in the Twin Cities and just one of several MSPs that offer fully-layered managed cybersecurity solutions, Imagine IT has been securing our partners for over 25 years.
Yet, one of the questions we are asked often is, how much does cybersecurity cost?
So, we felt compelled to answer that question to give you a clear, unbiased picture of the cyber security cost so you can make the best decision possible.
In this article, you will learn what the current state of cybersecurity is for SMBs. We’ll also identify what affects cyber security cost, what happens if you get breached, and why the security conversation has moved from cyber-security to cyber resilience.
The biggest myth SMBs have with cybersecurity
“We are too small to be a target for hackers or cyber-criminals.”
Unfortunately, that is no longer the case!
Yes, cybercriminals are targeting governments, multi-national companies like Amazon, Walmart, and Target … of course, they are. But hackers and cybercriminals are opportunists. They can find vulnerabilities and opportunities with any size organization, from a one-person shop to huge international companies and everything in between.
No matter how big or small you are or what industry you are in, you have a wealth of information on your system, and so do your people.
This info includes credit card info, social media info, bank apps, healthcare info, email addresses, personal information, customer contacts and, and of course, all of your company’s proprietary data.
The state of cybersecurity
We understand there is a lot of hype around cyber-security. And as an SMB in the Twin Cities, there probably isn’t a week that goes by you aren’t hit by emails or phone calls from security companies telling you how dangerous it is out there.
So it’s next to impossible to know what is real and what is hype!
But, 2021 was an unprecedented year in so many ways; with the COVID and pandemic and an entire or hybrid remote workforce, Ninety percent of businesses are surprisingly under-protected.
Some actual cyber-security statistics to consider:
- 45% of SMBs lack any type of cybersecurity defense plans
- 60% of SMBs that are breached go out of business within 18 months
- The average breach costs SMBs $383,365
- $7.5 million: The average price of an insider related cyber incident for SMBs
- Human error accounts for the largest percentage of all breaches
- 1 in 365 emails are malicious
- 67% of SMBS report experiencing a data breach in the past 12 months.
- 70% of SMBs employees passwords were stolen or lost
These stats are not scare tactics of any kind. We include them here to give you an honest picture of your organization’s risk levels.
And it’s not just your organization that could be affected: Your customers, employees, vendors, or any third parties you connect with could experience the fallout from a cyber-attack to your business. The only way to stop and prevent an attack is to strengthen your posture and defenses.
And this leads to a significant paradigm shift regarding cybersecurity. That shift is moving SMBs from concentrating on just cyber-security and instead embracing a strategy dubbed Understanding Cyber Resilience.
The move to cyber resilience
Cyber resilience measures your organization’s business strength in preparing for, dealing with, and recovering from a cyber-attack. It relies on your ability to anticipate, identify, protect, respond, and recover quickly from a cyber event. Cyber resilience combines cyber-security, business continuity, and incident response.
Cyber resilience is critical because no matter how good your external cyber-defenses are, it is just a matter of time before you are penetrated. And whether externally from a cyber-hacker or internally from an employee who mistakenly or intentionally causes a breach, they will get in, and you need to have a strategy to deal with it and recover as quickly as possible.
So we addressed some of the cyber issues you should be aware of now; now, let’s look at what affects the costs.
What affects cyber security cost?
Six main factors determine cyber security cost
- Business size
- The size and number of employees are the most significant factors that affect cyber-security costs. Of course, the bigger you are, the more employees, devices, and equipment you need to secure. Because employees are the primary cause of data breaches and failures, the larger workforce you have, the more comprehensive cyber-security solutions you will need … translating to increased costs.
- Custom or off-the-shelf solutions
- You can buy off-the-shelf cyber-security products that your internal team can manage. Or you can hire a Managed Service Provider or third-party cyber-security company that will create a custom solution for your business. There are advantages to both, but because cyber-criminals have become so sophisticated, many internal IT teams don’t have the expertise to keep you totally secure.
- Features in products and services
- The more protection you have in the form of products and services, the higher the cost will be.
- The layers of security your organization needs
- The more sensitive data you need to protect, the more layers you will need to your cyber-security. For example, in two industries with strict requirements like healthcare (HIPAA) and banking sectors, you will need more layers, increasing costs.
- Maintenance and audits
- You may require third-party audits to assess your compliance, and you could need regular troubleshooting of your cybersecurity solution from time to time.
- Cybersecurity training
Employees are your first line of defense when it comes to cybersecurity. Providing them and your upper management with security training regularly ensures that they are up to date on the latest threats and techniques used by cybercriminals. Such activity is effective in preventing data breaches and downtime. And keep in mind, the most significant percentage of breaches for SMBs are caused by phishing emails or a mistake an employee made regarding cyber-security.
What cyber-security options do MSP’s offer
Unfortunately, there is no standard for cyber-security offered by Managed Service Providers (MSP), as there are over 22 different solutions they offer. The real problem is that over 50% of MSPs only provide what is considered standard security solutions.
The 10 standard cybersecurity services include:
- Backup and disaster recovery
- Patch management and updates
- Firewall monitoring and updates
- Spam filtering
- Web content filtering
- Awareness training for employees and AUP creation
- Multi-factor authentication
- Dark Web monitoring
- Advanced endpoint security
But the minimum standard is no longer good enough.
Why? Because the minimum will not be sufficient any longer. There are several services that the average MSP doesn’t include in their services that are critical for your cybersecurity.
These could include:
- Intrusion Detection System
- Security assessment and penetration testing
- Advanced Threat detection
- External vulnerability scanning
- Training and phishing exercises
- Could server posture
- Cisco umbrella
- Remote access lockdown
- Active Directory cleanup
- Strong/extended password policy
- Email monitoring
- Cyber-liability insurance review
- Annual Security Posture review
- Incident response process
As you can see, quite a few things are missing from many providers’ cyber-security offerings. So you need to know precisely what you are getting. And keep in mind, when it comes to cyber-security, you cannot lock your front door and leave your windows unlocked. Meaning, you can’t address ten issues and leave the second ten unprotected. It just won’t work!
What cybersecurity technologies will you need: Doing a cyber security self-assessment
In order to assess your organization’s current cyber-security position, you should first start with a self-audit. This should include:
- Assessing the sensitivity and value of your employees, and customers information
- Identify the most critical assets, including financial info, customer data, employee personal info, vendor data, and any other third-party connections you have.
- Prioritizing the info and assets, you must protect
- Determine the cost if you lost this information due to a breach.
- Identify and inventory any devices that need cybersecurity protections, especially with any kind of remote workforce.
- What security updates and patches are handled automatically, and how are they tested and managed.
What is the cost if you get hacked or breached?
The truth is, your system may have already been hacked, so quite honestly, right now, the hack isn’t costing you a penny.
… until the hacker decides to show themselves!
Then the cost could be very substantial!
The average cost of a breach for SMBs is $383,833 and but it often gets in the millions. And it even gets worse from there; a large percentage of SMBs will close their doors within 18-months after being breached.
Have you heard that before?
Yes? Did it change your position on your cyber-security measures?
We’ve learned that the main reason why SMB’s don’t act on this info is this statement:
“We are too small for anyone to care about us!”
So is all of this cyber-security talk hype? The answer is no, and yes. There are definitely scare tactics out there to get you to act. Think about it this way; How much does it cost if you get in a car accident? How about if you have surgery? Do you have health insurance and auto insurance? Of course!
So you must decide, how much is your company worth? And what about the privacy of your employees and your customers … how much is that worth?
Over the past 25 years, we have learned that most SMBs don’t have adequate levels of cyber-security protections in place. So a good place to start is to do a self-assessment to see where your company is at.
Putting the price of cyber-security into perspective
As we explained in the first paragraph, the typical cyber-security cost for small to medium-sized businesses is between $10 and $50 per user per month unless you tackle it yourself.
But imagine that you just acquired three new customers for your company, and a day later, you find out that hackers had got into your system and had been inside your company for the last six months?
How would that affect these new customers? How would it affect the hundreds or thousands of existing customers, suppliers, and employees … and most of all, what would it do to your reputation?
What type of investment would be worth protecting that from happening?
We understand that cybersecurity is a challenging subject and understand that is why such a large percentage of SMBs are under-invested in cybersecurity.
If you have additional questions or wish to get deeper into cybersecurity or cyber-resilience, check out the resources below.
If you aren’t ready to talk with anyone at this time, check out these additional resources.
If you are further along in your search and would like to discuss your cyber security needs, please click on the link below.