Submitted by: Derek Marin, Client Success Manager, NSI firstname.lastname@example.org
Cybersecurity is a hot topic among Connecticut business leaders, and with good reason. More and more, we see headlines about big brands that have suffered cyber attacks or data breaches, with their customers’ private information dragged to the Dark Web for sale to the highest bidder. And while cyber liability insurance will pay the significant financial losses that result from a data breach, investment in preventative measures can reduce the risk of this happening to your business. But at what cost? We will look at the cost of cybersecurity protection in Connecticut.
Research from industry leaders, including IBM, projects that a healthy cybersecurity budget should make up nine to 14 percent of an overall IT department’s annual budget. Yet in reality, businesses spend less than six percent of total IT budgets on security and risk management. With the financial impact of a data breach starting at $20,000, and reaching over $100,000 on average, an ounce of prevention through proactive investment in cybersecurity goes a long way. For about $5-$6 per employee per day, you can have peace of mind about your IT environment, and keep your company out of the headlines as the latest victim in Connecticut.
Security education is the first line of defense
Cyber threats come in many different forms, so knowing how to recognize them and react accordingly can mean the difference between a successful data breach and a thwarted attempt.
Security awareness training teaches employees about cybersecurity, IT best practices, how to identify phishing attempts, and in some cases, even covers compliance topics. Many of the available security awareness trainings are web-based, making it easy for businesses to deploy, and for employees to consume. Different packages will even include fake phishing emails sent to employees to test their knowledge. Business owners will then get a report of who got hooked and who didn’t.
Security education is not only affordable, but it also gives some of the best return on investment. For a small business with 25 employees, Webroot, an online-based security awareness training provider, runs about $16.00 annually per person. Local providers like Connecticut-based NSI include security awareness training as part of their managed services package, providing a one-stop approach for businesses looking to hand off their IT services.
Network and systems protection
The most common and well-known component of network protection is a firewall. Almost every cable modem and office router includes some sort of basic firewall that will at least keep unwanted visitors from wandering into your network from the Internet. This is a good start, but hardly secure. Commercial firewalls will provide you with more control over what goes out of your network, as well as protect against more advanced attacks.
A decent commercial firewall will start around $300-$400 for the hardware. Expect to pay a little more per user for VPN licensing, which allows users to securely connect to the office from remote locations. These costs cover the hardware, but not the installation or configuration. Remember that a firewall is only useful if set up correctly and, like other systems on your network, requires regular maintenance. Factor that cost into your estimates.
The next layer of protection is for your endpoints – your desktops and laptops. These systems are most vulnerable to attack by viruses and ransomware, which are malicious pieces of software designed to steal your information, or worse – hold it hostage until you pay a cybercriminal to unlock it. The most practical way to guard against this is through the use of endpoint protection software.
A simple Google search will return dozens upon dozens of results for antivirus software. More than half of these are “free” but are actually malicious software programs posing as endpoint protection. Make absolutely certain you choose a reputable vendor. One example is Webroot Business Endpoint Protection, which goes for around $150 per year for 5 systems.
One of the most important steps in protecting your systems is keeping them current. It may not seem like a big deal, but lapses in updating software to the latest version leave the door open for cybercriminals to gain access to internal networks. Most large software vendors today offer automated update services for their products, while smaller ones will post updates requiring their customers to proactively go check for new versions and install them.
Although you don’t have to pay for each minor update, someone still has to apply the updates. Most software updates are straightforward and can be applied by individual users. For more complex software (like QuickBooks server, for example), it’s smart to invest in outside help if you don’t have those skills in-house. This is especially true if a botched upgrade could impact your ability to do business. An upgrade by an IT consultant can run anywhere from a few hundred to a couple thousand dollars depending on the number of systems and complexity, barring any unforeseen issues.
Do I really need an IT person?
You bought and installed a firewall. You set up automatic updates on your office computers. You installed cloud-based endpoint protection on all of your systems. Do you still need a dedicated IT person to look after your network? Is it worth the investment?
According to Indeed.com, the average salary of an IT technician in Hartford is about $66,000 per year. A full-time IT technician has the expertise to configure firewalls, configure updates, and maintain endpoint protection. That same resource could also handle other IT-related tasks, like laptop repair, mobile device configuration, and a variety of other things.
Alternatively, a managed services provider specializing in security can handle all your security tasks and more. Managed services can be surprisingly affordable, too. CT-based managed services provider NSI charges just $175 per month per user. For a small business with 10 people, that’s $1,750 per month, or $21,000 per year. That is less than one-third the cost of a full-time IT resource, and it comes with the collective knowledge of several experts, with no sick days and no vacations.
Summing it up
When it comes to cybersecurity, more is better. Like anything else in business, lack of investment can lead to real financial impact on your business. Budget for cybersecurity as part of your annual IT budget, and carefully weigh your options to determine what’s right for your business.
Here are the key points:
Don’t skip educating your workforce.
Get firewalls and patching.
Have people monitor your network, whether they are in-house or not, to catch hackers if they breach.
2018 Cybersecurity Survey of Connecticut Businesses