With the cyber risk to SMBs increasing every day, many organizations are trying to figure out how to protect themselves and what it will cost. There are many factors in “securing your company,” so we should start by defining what that looks like, because the answer to the cost question depends heavily on what someone says they will do to secure your organization.
Let’s start by saying that there is no 100% secure solution. If anyone promises you that you will never suffer a breach, they are not being truthful with you, because no one can guarantee that level of security. You can, however, significantly reduce the likelihood of a successful attack and the impact an attack would have on your organization if and when it happens. Reducing both likelihood and impact is what effectively reduces your cyber risk.
Understanding Your Attack Surface
The first concept to discuss is what is called your Attack Surface: the set of outward-facing points that a threat actor can attempt to exploit. Items in your attack surface include your employees, your Internet connection and everything behind it, your cloud-based software and services such as Microsoft 365, Google Workspace, or other cloud-based applications, your company social media accounts, and any other place where a threat actor can attempt to gain access to your organization and its data. The first goal of your cybersecurity program is to shrink that attack surface as much as possible.
Essential Cybersecurity Tools and Controls
The tools, controls, and services that a service provider would deploy, such as multi-factor authentication, firewalls, employee awareness training, penetration testing, and so on, help you close many of the “holes” in the attack surface, thereby reducing the number of ways a threat actor can get at your data.
Containment Strategies for Emergent Threats
Because there is no 100% (you still have employees, use email, and need to access the Internet), the second step in protecting your organization is to contain any threat that does get through as quickly as possible. This is done with security operations center (SOC) monitoring, network segmentation so people can only reach what they need to reach, strong policies that follow the principle of least privilege, and isolation tools that quarantine suspicious behavior as soon as it is identified so it cannot spread across the entire network.
The Importance of Recovery Planning
The final step is to be prepared to recover quickly from any damage that was done and return your organization to full operational status. This includes keeping good backups of your data, holding cold spare equipment for critical devices that could not be rebuilt quickly, and having Incident Response (IR) and Business Continuity/Disaster Recovery (BCDR) plans in place and regularly tested.
Crafting a Defense in Depth Strategy
Combined, these layers make up what is considered a comprehensive Defense in Depth security program. While every organization is different and many variables affect the investment required for this type of plan, you should expect to spend somewhere between $200 and $250 per employee per month to implement such a program.
Personalizing Your Cybersecurity Investment
If you would like to know what it will cost to secure your specific organization, request a consultation with one of our Security Solutions Executives.