Our office kitchen just got a fancy new coffee machine. It’s an impressive thing with a snazzy color display and can make you a dozen different types of drinks. We now have TWO machines and folks love it - we go through coffee pods like crazy!
But this got me thinking: why are organizations willing to spend so much on coffee but skimp on cybersecurity?
Now, as a Managed Security Services Provider (MSSP) we DO spend more on our cybersecurity protection than coffee and other perks, but many organizations that we speak to do not.
Let’s break this down.
Say you run a 100-person consulting company in metro Washington, DC.
You have a nice office and provide some basic amenities to your team. Let’s talk about how much they cost each month:
- Coffee: 2 K-cup machines and the pods to keep people thoroughly caffeinated. $550/month.
- Snacks: With the coffee you provide a limited amount of chips, energy bars, etc. $600/month.
- Friday lunch: You’ve thought maybe about eliminating this perk, but it’s great for morale and helps bring people together, reducing silos. $800/month.
Now, most organizations have a couple of events a year, and our hypothetical consulting company is no exception. Some places have more extravagant winter holiday parties than others, but let's take $5,000 as a median cost for the average event.
Maybe throw in a second event, such as a picnic or something in the summer. Let’s say that’s about $800.
So, here’s what is spent each month on employee amenities alone:
$550 + $600 + $800 = $1,950.
Add to that the cost of the parties, amortized over 12 months, and you have $1,950 + $416 (party) + $66 (picnic) = $2,432.00.
It’s time for some tough love!
If an organization will spend $2,432 each month on amenities without a thought but is neglecting its cybersecurity protection, its priorities are seriously misplaced.
How Much Should You Spend on Security?
I think we can agree that it’s madness to pay more for coffee and snacks each month than you do to protect your business from cyber threats and attacks.
So, what’s an appropriate amount?
This is trickier to answer than you’d think at first glance as the answer depends in part on your industry and your clients’ expectations.
The financial industry, for example, spends more on IT as a percentage of its revenue than any other, from 4.4% to 11.4% according to one source, about 7% according to another.
Across all industries, though, percentage of spending on IT averages out to 3%-4% of revenue.
However, an organization that is committed to cybersecurity should expect to spend at least 10% of its IT budget on security.
Let’s see how that works out for our fictitious 100-person company assuming it has annual revenue of $10 million.
Following the guidelines above, this means that the annual cybersecurity budget would be $40,000, or about $3,300 per month.
For $3.3k A Month - What Do You Get?
Not a lot of people know what Managed Security Services are, but in a nutshell, for a recurring monthly fee you can hand off your cybersecurity protection to a third party provider.
This provider, typically referred to as a Managed Security Services Provider (MSSP), will completely manage your security for you, whether you have an IT team or not.
But back to our $3.3k example - what sort of cyber protection can you get?
Here's an example of four items that, bundled together, will give you killer cybersecurity protection, all completely managed for you:
- Multi-factor authentication $3/user = $300
- Endpoint detection and response $5.50/user = $550
- Intrusion detection and response (SIEM and SOC) $2,100
- Monthly managed phishing prevention training $3/user = $300
For about $3k a month, you now have a spectacular cybersecurity program that includes:
- 24x7 security operations center (SIEM and SOC) monitoring your infrastructure for signs of attack
- Advanced endpoint protection to stop ransomware and other malware in its tracks
- Multi-factor authentication to prevent unauthorized remote access to your infrastructure
- Training to make your employees less susceptible to phishing attacks.
Government contractors worried about NIST SP 800-171 and CMMC, this checks a huge number of boxes for you!
Don't Want to Spend More on IT Security Than Snacks?
Don't have the $3k a month?
How about just over $1k a month - what can you get for that?
Let's eliminate the intrusion detection solution and instead beef up your email security by implementing Microsoft’s Office 365 Advanced Threat Protection (ATP).
Here's a more cost-effective package for you:
- Multi-factor authentication $3/user = $300
- Endpoint detection and response $5.50/user = $550
- Microsoft O365 ATP $2/user = $200
- Monthly managed phishing prevention training $3/user = $300
Total monthly spend on security: $1,350.
Cybersecurity Saves You Money in the Long Run
In my experience, small to mid-sized businesses (SMBs) typically invest in cybersecurity AFTER they’ve had a significant incident.
The loss of data, productivity, and tens of thousands of dollars helps them see the value. Forgive me for being blunt: this is crazy.
In what other part of your life do you buy insurance after the bad thing happens? Home insurance isn’t cheap, but you don’t wait until after you have a fire to start insuring your house.
Cyber insurance is a good thing to have, but investing in proper cybersecurity protection keeps the bad thing from happening in the first place!
Time to get your priorities in order.
I’ve written before about how SMBs are increasingly a target for ransomware. We see attacks using compromised user credentials just about every week.
They can and will happen to your business.
You can stymie these attacks, preventing disruption and financial loss for less than what you spend on lame packaged cookies and really dreadful coffee.
Think of that the next time you’re reaching for a K-cup!
Not sure where to start? A good place to begin is with a cybersecurity risk assessment to learn where your biggest vulnerabilities are and what you can do to fill your security gaps!