In this Expert Insight, Derek Kernus, the Director of Cybersecurity Operations at DTS, talks about the challenges facing small businesses that are under pressure to adopt cybersecurity best practices without breaking their budget. Derek offers suggestions for prioritizing cybersecurity investments – and things to watch out for as you build out an advanced cybersecurity program.
American small businesses are struggling to budget for cybersecurity, unable to mirror large enterprises that spend an average of 9.9% of their IT budgets on cybersecurity. Most are doing only the minimum or, in many cases, have no cyber protection in place at all. One of the most obvious reasons is cost.
The technology shift in recent decades dictates how businesses operate and has ushered in a new expense, cybersecurity, that no business can afford to skip—the risks are simply too high. Understanding the factors that impact cybersecurity costs, as well as costly missteps to avoid, can help small businesses achieve advanced security.
Making a business case for cybersecurity
Small business networks are three times more likely to be targeted by cybercriminals because they are incredibly lucrative and are a great testbed for larger attacks. Ransomware hackers know these companies have fewer resources and staff to prepare for, defend against, and recover from attacks. IBM research indicates that the average cost of a data breach in a small company is $108,000. The disruption, recovery, and other losses, including customer trust, are far greater, estimated at $3 million per incident for companies with fewer than 500 employees. Many don’t survive, closing their doors within six months of an attack.
To build a business case for cybersecurity investments, we encourage companies to evaluate the risks and how cybersecurity can be used as a competitive advantage. While competitors delay, secure companies can cash in on customer and partner trust due to their cybersecurity program. Also, many companies and some industries now require that all their vendors, contractors, and partners meet standards for cybersecurity and be able to prove it.
Cost considerations for small business cybersecurity protection
All companies should put in the due diligence to deal with real numbers. Instead of being afraid of what they don’t know or intimidated by an imagined price tag, it’s far better to meet with several cybersecurity consultants; describe the scope and level of cybersecurity desired or needed; get educated about current and future cybersecurity needs—and then get estimates for the work.
Small businesses often find that although the initial investment may be a bit surprising, maintaining that level of cybersecurity quickly becomes another operational cost similar to accounting costs. If budget is important (and it always is), then consider the impact these factors have on establishing advanced cybersecurity:
- Appetite for exposure and risk: It’s up to company owners or leaders to determine their exposure, and subsequently how much risk they’re willing to live with. We’ve seen companies that only need multi-factor authentication and email scanning to feel protected and others who insist on ISO certifications before they can rest easily.
- Contractual requirements: Companies may have contractual security requirements or minimum standards they need to meet in their industry. Government contractors, for example, are wrestling with the demands and costs of the DoD’s Cybersecurity Maturity Model Certification (CMMC) program—a requirement for future contract awards.
- Scope: Not every part of a business needs advanced security, so scope is a factor in cost. For example, employees may not have company email addresses or access, so their security needs might be minimal, while those with access to customer data and financial accounts will need more sophisticated controls and rigorous training.
- Internal resources: Cybersecurity is a major undertaking that demands dedicated time and staff. Many small companies find outsourcing cyber is more efficient and affordable than hiring even one additional full-time cybersecurity professional.
Let’s talk numbers
The baseline for an IT budget is 3 percent of annual revenue, with at least 10 percent of that allocated to cybersecurity. This number isn’t inclusive of one-time or start-up costs necessary to bring a company into compliance or up to standards.
For really small companies, the IT budget may only be $25,000, putting the cybersecurity budget at $2,500, which might cover minimum protection but won’t come close to paying for the licenses or Managed Security Service Partner (MSSP) support they might need to meet contractual requirements.
In helping small businesses, we’ve found that nearly everyone starts out saying they want to do things right and do them fast. There’s a mindset among some solution providers that these companies should choose a package or service level with pre-determined storage or backup systems. I caution against this approach. In fact, a tailored or à la carte approach is more appropriate and often more affordable for small businesses that may have unique or legacy IT systems. Start with a good foundation that can be built on and matured through budgeting and planning year over year.
Costly missteps in cybersecurity
Costly mistakes are another key reason many are afraid of cybersecurity spending and are usually a result of trying to implement cybersecurity fast. Reports of astronomical bills and endless service fees plagued the early days of modern cybersecurity. Today, many lightweight and less costly solutions provide protection for company data, while knowledge of good cyber hygiene keeps consumers safer at home and on the job.
- Lack of knowledge: A large mistake companies make is not educating themselves about cybersecurity. Good resources are available free from the National Institute of Standards and Technology (NIST) and many other online resources. Knowledge can help company leaders understand their risks and prepare for conversations with cybersecurity consultants.
- Choosing a partner based only on price: The best cybersecurity partner will help their clients be efficient and effective—suggesting solutions and plans within budget, configuring systems for easy management, and automating processes. Their bid might not be the cheapest, but their experience will move things along smoothly, ultimately saving time.
- Thinking cyber is a one-and-done task: Evolving threats and new schemes require ongoing monitoring, security updates, and education to keep up a reliable defense. Cybersecurity is an ongoing, rapidly changing part of today’s business operations.
No business can afford the consequences of an attack or breach. Funding cybersecurity is an investment in continuity and sustainability. Controlling costs is a combination of understanding risk, the cost factors, and avoiding missteps.