Unless you’ve been living under a rock (which isn’t looking like such a terrible setup these days), you’ve seen all of the headlines reporting cyberattack after cyberattack after cyberattack. If billion-dollar companies like Target, Home Depot, and Sony are vulnerable to hacks, where does that leave your organization?
Over and over we get questions from clients about the security of their network, and how they can be sure their data is protected (and if you’re asking, you’re on the right track already). The most comprehensive means of assessing this is to engage a third-party provider for a security audit.
How much will that cost you? As is usually the case with projects that demand significant investments of labor, there is a spectrum when it comes to pricing that we’ll walk through below.
What Does a Security Audit Cover?
Generally speaking, security audits are composed of several different pieces that come together to form a comprehensive assessment of your technology systems. Specifically, your provider will dedicate time analyzing:
- External vulnerabilities. How easily could an attacker get into your network from the outside? This typically involves vulnerability scans of your internet-facing systems and may extend to “ethical hacking” (penetration testing), in which the provider tries to actually exploit what the scans turn up.
- Internal vulnerabilities. What password policy do you enforce? Are user accounts and permissions limited to the access each role actually needs? What is your procedure for disabling accounts when employees leave, and is it followed?
- Backup and disaster recovery. Where is your data being stored, how quickly could you recover from an attack, and have you actually tested a restore?
- Social engineering. How easy is it for an outsider to pull sensitive information out of your employees?
- Physical security. Can strangers readily gain access to your offices? Your server room?
- Compliance regulations. If you’re subject to PCI, HIPAA, Sarbanes-Oxley, or other compliance regulations, are you meeting them?
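One concrete slice of the “internal vulnerabilities” item above, as an added example written for this article (it is not code from the original page or from any audit provider): reconciling a directory export against HR’s termination list and checking each account against a written account policy. The account records, the termination list, the audit date and the policy thresholds are all constructed sample data and assumed values chosen to exercise each check.

```python
"""Internal-account audit over a constructed directory export.

Added example for this article; it is not code from the page's author or
any audit provider. All accounts, the HR termination list and the policy
thresholds below are constructed/assumed values chosen to exercise each check.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds; a real audit takes these from the
# organisation's written account and password policy.
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 45
MIN_PASSWORD_LENGTH = 12
PRIVILEGED_GROUPS = frozenset({"domain-admins"})
AS_OF = date(2024, 6, 1)  # fixed audit date so the results are reproducible


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset
    last_login: date
    password_set: date
    policy_min_length: int  # minimum password length the account's policy enforces


# Constructed directory export (what an auditor would pull from AD/LDAP).
ACCOUNTS = [
    Account("alice", True, frozenset({"staff"}), date(2024, 5, 30), date(2024, 4, 1), 12),
    Account("bob", True, frozenset({"staff", "domain-admins"}), date(2024, 5, 29), date(2023, 11, 1), 12),
    Account("carol", True, frozenset({"staff"}), date(2024, 2, 1), date(2024, 4, 15), 12),
    Account("dave", False, frozenset({"staff"}), date(2023, 12, 15), date(2023, 12, 1), 12),
    Account("svc-backup", True, frozenset({"domain-admins"}), date(2024, 5, 31), date(2022, 1, 1), 8),
]

# Constructed HR termination list: username -> termination date.
TERMINATED = {"carol": date(2024, 2, 10), "dave": date(2023, 12, 20)}


def audit_accounts(accounts, terminated, as_of=AS_OF):
    """Return (username, check, detail) tuples for every policy violation found."""
    findings = []
    for a in accounts:
        # Offboarding check: a terminated employee whose account is still enabled.
        if a.username in terminated and a.enabled:
            days = (as_of - terminated[a.username]).days
            findings.append((a.username, "terminated-still-enabled",
                             f"terminated {days} days ago, account still enabled"))
        # Password-standard check applies whether or not the account is enabled.
        if a.policy_min_length < MIN_PASSWORD_LENGTH:
            findings.append((a.username, "weak-password-policy",
                             f"min length {a.policy_min_length} < {MIN_PASSWORD_LENGTH}"))
        if not a.enabled:
            continue  # disabled accounts need no activity or password-age checks
        idle = (as_of - a.last_login).days
        if idle > MAX_INACTIVE_DAYS:
            findings.append((a.username, "inactive", f"no login for {idle} days"))
        age = (as_of - a.password_set).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a.username, "password-expired", f"password is {age} days old"))
        # Least-privilege check: every enabled privileged account is listed for review.
        privileged = a.groups & PRIVILEGED_GROUPS
        if privileged:
            findings.append((a.username, "privileged-account",
                             "member of " + ", ".join(sorted(privileged))
                             + "; confirm membership is still required"))
    return findings


def findings_by_user(findings):
    """Group check names by username, the shape a report section would use."""
    report = {}
    for user, check, _ in findings:
        report.setdefault(user, []).append(check)
    return report


if __name__ == "__main__":
    for user, check, detail in audit_accounts(ACCOUNTS, TERMINATED):
        print(f"{user:12} {check:26} {detail}")
```

Run as-is it flags carol (terminated but still enabled, and idle), bob (stale password on a domain admin) and the svc-backup service account (weak minimum length, ancient password, privileged), while alice and the properly disabled dave produce nothing. In a real engagement the directory export and HR list would be pulled from the live systems and the thresholds from the client’s policy; the comparison logic is the same.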
If your provider finds a weakness in a particular area, they’ll dig deeper there to determine how far it could be exploited and what it exposes.
In the end, you’ll receive a report that summarizes the findings and makes recommendations for remediation.
Typical Security Audit Price Ranges
All told, these assessments can run you anywhere from several thousand to tens of thousands of dollars, with the median being a one-time investment around $10,000.
The factors that most closely influence where you’ll land on the spectrum are:
- The scope of the audit (Are you looking for surface scans to uncover glaring external vulnerabilities, or a full-fledged PCI Compliance Audit PLUS an internal evaluation?)
- The size and complexity of the company and its infrastructure (More servers = more testing = more time.)
- The resources on hand (Can your internal team save the auditor billable hours by supplying background material such as network diagrams, asset inventories, and policy documents up front, rather than having the provider compile it? This speeds the work without influencing the findings.)
In some cases, providers will fix the cost of the assessment based upon an estimate of the total labor required to accomplish the goals you’ve set out. In other cases, the project will be billed on an hourly basis, with rates usually hovering between $125 and $175 per hour.
As we’ve mentioned before, be wary of any assessment offered at a steep discount; in these cases the provider is generally using it as a loss leader to hook you on additional services down the road.
And before you settle on a provider, verify that they can perform the work you need competently and check their references thoroughly; both your data and a significant capital investment are on the line.
To end with a bit of perspective: while an audit may seem pricey, Target’s 2013 breach has cost them $148 million to date. Now THAT is pricey.