Cybersecurity for small and medium-sized enterprises: Part #1 – Do you pay too much?

As part of our research initiative at Tripla Consult, we conducted a study to identify the main reasons why cybersecurity tends to be so challenging in small and medium-sized enterprises (SMEs). Our study is based on our working experience and interactions with SMEs, as well as reports, papers and articles published by major and trusted names in the industry, including:

  • ENISA – European Union Agency for Cybersecurity
  • Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) – U. S. Government programs
  • Harvard Business Publishing
  • Business Wire
  • Embroker

Three main root causes have been identified: the cost, the resources, and the time it takes to integrate cybersecurity in your business lifecycle. During this series of blog articles, we will analyze each one of these challenges and cover the following topics:

  1. Do you pay too much?
  2. Do you buy services that you don’t need?
  3. Do you use a price-model that matches your budget?
  4. Do you allocate time for cybersecurity?
  5. Do you estimate enough working hours for cybersecurity tasks?
  6. Do you integrate cybersecurity in your business lifecycle?
  7. Do you have the tools it takes?
  8. Do you have the people you need?
  9. Do you define the right policies?

Do you pay too much?

.. and other things to consider when calculating, negotiating and reviewing the cybersecurity costs.

While many SMEs have engaged with the cloud under a subscription model, due to their size many SMEs often do not qualify for special offers and have to deal with fixed cybersecurity SLA contract clauses, unable to obtain the SLA flexibility offered to large organizations. (ENISA Report – Cybersecurity for SMES Challenges and Recommendations)

Advanced solutions offering a great variety of capabilities and customizations, useful for more cybersecurity-mature organizations, are often not used by SMEs because they are not aware of, or do not understand, the solutions offered. In many cases the cybersecurity features are part of higher-tier subscription plans which may not be suitable for an SME. (ENISA Report – Cybersecurity for SMES Challenges and Recommendations)

In the same study the interviewees noted that implementation cost is a major challenge. They indicated that “the VPNs are costly and cumbersome”, “the antivirus and other software security measures are expensive” and “security comes on an additional cost”.

The team at ProvenData wrote a useful article, How Much Does Cyber Security Cost? Common Cyber Security Expenses & Fees – and what really caught our attention is the price ranges: firewall subscriptions range from $50 to $6,000, and if we also consider the product cost + installation, the yearly price can be anywhere between $1,500 and $15,000.

A vulnerability assessment is anywhere between $1,500 – $6,000 for a network with 1-3 servers and $5,000 – $10,000 for a network with 5-8 servers. Security program development can take 5 to 20 hours depending on the complexity of the program. Hourly rates range from $149 to $479 per hour.

As you can see, the high end of each range is typically 2x to 10x the low end, and for some items (such as firewall subscriptions) the gap is far wider.

Without proper understanding of how cybersecurity service prices are (and should be) calculated, you can end up overpaying.

Five aspects to consider

There are five main aspects that influence the costs of cybersecurity protection (Reference)

  • company size
  • data type
  • service type
  • industry
  • risk

1. Company size

The number of employees, combined with the number of devices (workstations, laptops, phones, etc.) and the number of business assets (servers, applications, databases, etc.), is used as one of the major factors in determining the price of cybersecurity services. However, this should not always be the case.

What’s critical to understand is which one of these 3 numbers (employees, devices, assets) is relevant for the service you acquire.

Whether your organization has 10 or 100 employees should be irrelevant when it comes to the price of pentesting your main application, but it may legitimately be taken into consideration for a phishing exercise, for example.

Similarly, the price of an External Attack Surface Management service should be unrelated to how many employees you have, but it could increase if your DevOps team likes to spin up a new cloud server every day.

Make sure that your service provider takes into consideration only the aspects of your business size that are relevant to the service when determining the price.

Whether it’s the number of employees, devices or assets – understand if (and how) each of them is relevant to the service you are buying.

2. Data type

The type of information that your organization handles, stores and processes can also determine the cost of your cybersecurity program.

Companies that decide to store personal information, credit card numbers or account credentials themselves may need additional security measures compared to those that prefer to outsource the payment process, use cloud storage and choose industry-approved single sign-on (SSO) providers.

While some of these implementation decisions are based on business needs, it’s worth taking into consideration the cost aspect to keep them secure.

Pentesting your SSO integration (how your application validates tokens, handles sessions and checks redirects) is definitely advised, but it’s probably not worth paying someone to hammer the third-party provider itself every six months.

Handling highly sensitive data may come with additional security requirements, including encryption, key storage, additional backups, jump servers, or even air-gapped or zero-trust network designs.

Classifying the security level of the data you handle (and outsourcing some of the services) plays a significant role on the end cost of your cybersecurity program.

3. Service type

Should you choose a product/tool or a consultant to do the job?

Based on your cybersecurity needs, a tool or a consultant may be the right type of service at different times and for different cases.

Paying a consultant to do tasks that can be automated by a tool or SaaS will quickly raise the costs. Additionally, as AI features appear in most SaaS products, it’s worth asking whether a consultant is really necessary, and reserving consultancy for work that requires human expertise and experience.

Paying for a tool or subscription that you don’t have the knowledge to operate is also a waste of money if no one in your organization is able to use it to its full capability.

By understanding your needs and how these can be achieved, you should decide if automating the job suits you or not.

Tasks that need critical thinking, recommendations that go beyond best practices, advice that takes business impact into consideration, and pentests of custom-developed applications for logic vulnerabilities are in most cases better suited to an expert.

If you already have the skilled personnel to interpret the results and you use off-the-shelf solutions/frameworks and cloud services that only require configuration reviews, lowering the consultancy hours and investing in tools might be a better approach.

4. Industry

Based on the industry you operate in, your company may be required to comply with one or more standards or regulations such as ISO 27001, HIPAA or PCI DSS.

For organizations that process payment card transactions, becoming PCI DSS compliant can cost between $5,000 and $40,000.

Understanding the different levels of compliance and what are the normal price ranges for each one of them will help you determine whether you pay too much for the certification you are getting.

The PCI standard has 4 merchant levels of compliance, from companies that handle fewer than 20,000 transactions per year to those that exceed 6 million transactions.

The difference between two companies of the same size (i.e., number of employees) can be up to 10 times in terms of the price paid for a PCI assessment, depending on the number of transactions they handle each year.

If you want to know more about the PCI DSS standard, make sure to check out my Beginner Friendly Guide about its 12 Requirements.

5. Risk

Risk is the product of business impact and likelihood.

These two aspects of a cybersecurity attack should define how you prioritize the issues and what are the costs of your cybersecurity program.

In simple terms, risk is the possibility of something bad happening.

Without understanding and defining what are the risks (impact x likelihood) of your business, you can end up paying to mitigate irrelevant issues.

Companies that attempt to fix everything, don’t prioritize their issues properly, and lack a basic understanding of business impact can end up with a false sense of security and a big hole in their budget.

And all these while their business remains unprotected from cyberattacks.

While an XSS vulnerability is often rated as a low or medium risk, the same issue on a fintech application might be used by attackers to perform actions as logged-in users and empty their wallets.

Understanding what can be achieved with the same class of vulnerability in different contexts is the basis for assigning the proper risk rating and focusing your budget on the real problems.
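To make the "impact x likelihood" prioritization concrete, here is an added example (not code from the original article) of a small context-aware risk register: the same vulnerability class is scored differently depending on the data the asset handles, whether it is internet-facing and whether it is business-critical. The findings, the scoring weights and the matrix thresholds are constructed for illustration and are not taken from any real assessment or standard.

```python
"""Context-aware risk rating on a simple 5x5 impact/likelihood matrix.

Added example; the assets, findings and weights below are constructed
for illustration only.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    data_class: str         # one of: public, internal, personal, financial
    internet_facing: bool
    business_critical: bool


@dataclass
class Finding:
    title: str
    asset: Asset
    vuln_class: str         # e.g. "xss", "sqli", "rce", "outdated_tls"
    exploit_known: bool     # public exploit or trivially scriptable attack


# Hypothetical impact baseline per data classification (1-5). An XSS on a
# financial app can drive authenticated actions such as transfers, so the
# same bug class inherits a much higher impact than on a public brochure site.
DATA_IMPACT = {"public": 1, "internal": 2, "personal": 4, "financial": 5}

# Classes that give an attacker code or database access are never below 4,
# whatever the data classification (assumed floor).
HIGH_IMPACT_CLASSES = {"sqli", "rce"}


def impact_level(f: Finding) -> int:
    """Impact 1-5 derived from data sensitivity, bug class and criticality."""
    level = DATA_IMPACT[f.asset.data_class]
    if f.vuln_class in HIGH_IMPACT_CLASSES:
        level = max(level, 4)
    if f.asset.business_critical:
        level += 1
    return min(5, level)


def likelihood_level(f: Finding) -> int:
    """Likelihood 1-5: exposure and availability of an exploit raise it."""
    level = 2                              # baseline: reachable by insiders
    if f.asset.internet_facing:
        level += 2
    if f.exploit_known:
        level += 1
    return min(5, level)


def risk_score(f: Finding) -> int:
    """Risk = impact x likelihood, as defined in the article."""
    return impact_level(f) * likelihood_level(f)


def risk_label(score: int) -> str:
    """Map a 1-25 score onto the usual four bands (thresholds assumed)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(findings: list) -> list:
    """Highest risk first: this is the order in which budget should go."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample: two XSS findings of the same class on different assets,
# plus two unrelated findings, to show how context changes the ranking.
WALLET = Asset("customer wallet app", "financial", True, True)
MARKETING = Asset("marketing site", "public", True, False)
HR_PORTAL = Asset("HR portal", "personal", False, False)
WIKI = Asset("internal wiki", "internal", False, False)

FINDINGS = [
    Finding("XSS in marketing contact form", MARKETING, "xss", True),
    Finding("Outdated TLS on internal wiki", WIKI, "outdated_tls", False),
    Finding("XSS in wallet transaction notes", WALLET, "xss", True),
    Finding("SQL injection in HR search", HR_PORTAL, "sqli", False),
]


def ranked_titles(findings: list = FINDINGS) -> list:
    """Titles in priority order, with score and band, for a quick report."""
    return [(f.title, risk_score(f), risk_label(risk_score(f)))
            for f in prioritize(findings)]


if __name__ == "__main__":
    for title, score, band in ranked_titles():
        print(f"{band:8} {score:2}  {title}")
```

The two XSS findings end up at opposite ends of the list: on the wallet app it is critical (impact 5, likelihood 5), on the marketing site it is medium (impact 1, likelihood 5). The internal-only SQL injection lands in between, which is the point of the section: the bug class alone does not tell you where to spend.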

7 Questions to ask yourself

  1. Which aspect of my company size is relevant to the service that I’m buying?
  2. What type of data is my company handling and processing?
  3. Do I need to store and process this information internally and ensure its security, or can it be outsourced?
  4. What security tools do I use and what needs do they cover?
  5. Which areas of my business need human cybersecurity expertise? Can they be replaced by tools? Why/why not?
  6. Does my company need to be compliant with any industry standards or regulations?
  7. What are the risk areas of my business that can affect it the most? Why?