A not-so-fun fact for you: 40% of cyber-attacks are against organizations with fewer than 500 employees.
And, according to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. Of those, about 60% go out of business within six months after an attack.
In a different article, we dug into the top cybersecurity threats to small businesses, and what you can do to better protect yourself from these threats. In most cases, this discussion leads into another: how much should you expect to invest in your IT security initiatives?
After serving small businesses for over twenty years (and after being one for just as long), this is a question we're no stranger to. The good news is, if you’re asking this question, you’re already on the right track to shoring up your environment and keeping your data out of the wrong hands.
Below we’ll work through the main factors that will affect what your company’s overall IT security investment will look like, along with some benchmark amounts to give you an idea of how much you can expect to invest overall.
Key factors that influence the nature of your IT security spend
The amount you want to invest in your small business’s IT security each year depends on the following factors:
- Whether or not you’ve had a recent security audit. Before you can make any strides toward bolstering your IT systems, you have to establish a clear baseline. This takes the form of an outside provider performing an objective gap analysis that locates existing vulnerabilities and offers a roadmap for remediation. (Put simply, if you haven’t invested in a security audit recently, you’ll need to.)
- The size and complexity of your business. This one is pretty straightforward; the more ample and complex your technology environment is, the more effort (and likely money) it’s going to take to secure it. Not only that, but a larger staff count also means investing more time in properly training them on any security policies.
- The state of your current hardware and software. Are your servers and workstations regularly patched and monitored for health statistics? Are any of your servers out of warranty? Are you running machines with Windows XP that is no longer supported in any capacity? Is your software patched and properly licensed?
- The nature of your data. Is your company storing sensitive information, be it personal, financial, or otherwise? Are you subject to any compliance regulations? If your data were to get in the wrong hands, what would the repercussions be? The more tightly you need to control your data, the more you’ll need to invest in things like encryption (at the hardware, file, and email level).
- Your tolerance for risk. The million-dollar question: how secure do you want your company to be? Are you comfortable sacrificing maximum protection for the sake of cost savings? Where? Do you trust your employees to follow best practices without any controls in place? As you can probably guess, the lower your tolerance, the higher your costs will be.
How much should small businesses spend on IT security?
As you can see from the factors above, there is an adoption curve when it comes to security.
If you're just now taking the initiative to secure your business, you're going to have a significant amount of up-front costs to shoulder. If, on the other hand, you have been making security a priority and a part of your company culture for years already, you'll only have to look at maintenance to keep your data secure.
Case in point: getting that initial security audit to establish a baseline for your environment is going to run you an average of $10,000, with price increasing with the complexity of your setup.
From there, you could be looking at an investment of $5,000 to $7,500 in engineering and consulting labor to implement the necessary technology solutions and policies to eliminate existing vulnerabilities.
Once your environment is bolstered, you should expect your ongoing security maintenance costs (including testing and adjustments) to hover around $3,000 to $4,000 over the course of each year.
Above all, it's important to know that small businesses are just as appetizing to cybercriminals as larger ones. In fact, hackers tend to target small businesses first, as they're generally less protected, and often serve as convenient vectors into those billion-dollar corporations.
So, while these are all sizeable expenses, keep in mind what it would end up costing your business in reputation, recovery, and revenue if a breach were to occur.
The unfortunate reality is that it could end up costing you everything.