Can Small Businesses Afford to Pay for Information Security?
There is growing awareness of the risks posed to small and mid-sized businesses by cybercrime, but there seems to be a continuing widespread perception among many business owners and executives that the cost of high-quality managed security services is prohibitively expensive. In fact, the cost of implementing three of the most fundamental information security layers --- intrusion detection/intrusion prevention (IDS/IPS), firewall monitoring and server monitoring for up to 5 servers --totals approximately $1,200 per month, based on current pricing for Dell SecureWorks services, or $14,400 per year.
Compare that to the average cost of a data breach as reported by the 2012 Ponemon Institute's annual study: $5.5 million. The Ponemon-reported average is not intended to reflect the experience of small and mid-sized businesses (SMBs), so let's use another number from the Ponemon study, which is that the average breach cost $194 per customer record compromised. Customer records are not always the type of data that is stolen --- SMB are also often victimized by rapid-fire, fraudulent fund transfers after financial account access credentials have been stolen --- but in the absence of other confirmed data, let's play that out. If your SMB lost one to five thousand customer records, for example, that would average a total loss of $194,000 to $970,000, which makes a $14,400 annual expense look quite reasonable as an "insurance cost." And such loss averages do not reflect the hard-to-quantify issue of reputational damage and other indirect costs.
Speaking of insurance, many SMBs are actually finding that buying managed security service can pay for itself or actually more than pay for itself by reducing cybercrime insurance premiums. Cybercrime insurance has been available for approximately 8 to 10 years now. In a number of cases, companies have been able to reduce their premiums significantly by implementing the use of managed security services and documenting that for their insurer. In other cases, implementing managed security services has allowed SMBs to qualify for cybercrime insurance for the first time, after they had previously been denied coverage because of their weak or limited IT and security resources.
I recently spent time discussing SMB security issues with Jeff Multz, VP of the Midmarket Sales Team for Dell SecureWorks. Jeff legitimately qualifies as an authority on this subject, based on his 10+ years working in information security and the fact that he speaks to three to five meetings every week --- meaning trade associations, industry and professional groups, etc. And 80 percent of those are SMB-focused.
"We have to pop this bubble - this myth --- that information security services are not affordable for most SMBs," Jeff said. "I talk to many people who come to a meeting thinking that the antivirus programs they have on their PCs will protect them from malware, but most malware today goes right through everything. Malware is much more sophisticated today than it was even one or two years ago."
Many SMB owners/executives believe that their organizations have not been compromised because they have not discovered any malware or data losses. Obviously, the fact that a security compromise has not yet been discovered does not mean there is no compromise. Dell SecureWorks finds evidence of compromised systems in more than 40% of new customers.
As an alternative to committing to an annual or multi-year contract for managed security services, there is another approach that SMBs may consider. That is starting with a risk assessment project, done on a consulting basis by highly qualified firms like Dell SecureWorks. Those costs vary based on the scope and specific IT environments of the customer organization, but risk assessments can be done for as little as $10,000 to $12,000 for small organizations. As a strongly recommended second step, Multz recommends a business continuity planning project - to develop a set of plans for ensuring that an organization can continue to operate effectively in the event of a security event or a disaster.
Multz regularly asks small business audiences to raise their hands to indicate how many have an incident response plan or a disaster recovery plan. A surprising number of organizations have neither.
One meeting participant recently handed Multz a scrap of paper after his speech, saying "Here's my incident response plan." The note said: "Update resume. Assume fetal position."
So don't let a fear or expectation of "sticker shock" be an obstacle to taking action towards making your organization more secure. To reprise the title of this article, "Can small businesses afford to pay for information security?" The clear answer is that in today's Internet-connected world, SMBs can't afford not to invest in information security. The question then becomes "what is the best way to get the level of security and risk reduction we need in line with our risks and resources?"