Edward Tuorinsky, Managing Principal of DTS, brings two decades of experience in management consulting and information technology services.
We’re a nation of sleepless business owners—up late worrying about the many aspects of business that we can’t control. The top of this list might include things like the threat of a cyberattack, meeting compliance standards and the cost of adding cybersecurity to everyday operations.
With the introduction of several security frameworks, you now have several approaches designed to keep your businesses safe. But it’s a little like being given a map without knowing your final destination—helpful but incomplete.
Implementing modern cybersecurity for most small- and medium-sized businesses requires the help of a managed network services provider (MNSP) and/or a managed security service provider (MSSP). Admitting you need help from a professional is an important step toward achieving the kind of security that can better protect your business, employees and customers. Before you search for an expert, though, there are three things you can do to be ready.
1. Know your end game.
Determine what level of cybersecurity or certification your business needs and what’s truly involved in that process. Obviously, you want to protect yourself against attacks and breaches. However, beyond that, there are a few reasons why companies may need enterprise-grade security.
• Many companies are starting to view cybersecurity as a requirement for doing business. They will only use vendors and partners who have invested in security, forcing your hand.
• Some companies are required by their state or industry to meet certain levels of cybersecurity or have a certification.
• Cybersecurity can be a competitive advantage. If there are 50,000 companies that do what you do, but only 75 of them have advanced cybersecurity, that can be a distinguishing benefit.
I’m seeing a huge push for small- and mid-sized companies to have some type of certification from a third party or to share their system security plan with others in their network. The question is, what do you really need?
To answer that, you’ll want to look at your specific contracts and partnerships for requirements. You’ll also want to research what certifications are advantageous in your market or industry. You can even get guidance from your insurance agent, as a certain level of security is required for cybersecurity insurance.
2. Take a hard look at the status quo.
Be realistic about where you stand. If you don’t know your stance, it could mean you aren’t doing enough.
It’s important to be brutally honest with yourself and others about your security posture. There are a lot of free tools and self-assessments you can use to determine your level or self-score, and of course, a third party can assess your stance. Here’s my advice: If you know you are lacking (no formal program, no policies, etc.), save yourself the hassle and headache of an assessment and move straight to remediation with a qualified service provider.
If you are working on cybersecurity (but not yet up to the level you need), you can use the 6-9-12 guide to determine how to get there. Note, though, that while this guide looks at your timeframe for achieving cybersecurity compliance, it doesn’t consider the size of your company, the complexity of your systems or your budget. According to this guide:
• If you have 12 months, you can hire the talent you need to implement basic cybersecurity or manage the process of an audit for certification.
• If you have nine months, you can use a combination of internal human resources and professional guidance.
• And if you have six months, you’ll probably need to bring on a full army of remediators and consultants to help you handle the technical parts of cybersecurity like migrating data and choosing network configurations—as well as write all of your policies and procedures and train employees.
As developing the specialized knowledge required to implement a sophisticated cybersecurity program is a full-time job in and of itself, I find that cybersecurity experts are usually necessary. A good pro will spend as much as 30% of their time on continuing education and keeping up with the latest news and trends.
3. Run the numbers.
Determine your budget and the metrics you’ll use to measure the business impact of cybersecurity.
Every business owner wants to do cybersecurity as fast and as cheaply as possible. Sadly, the kinds of steps that actually protect your business don’t happen overnight, and expertise and education can be costly. Skirting around the rules to try to get certified without actually increasing your cybersecurity posture leaves you at serious risk for a breach that can destroy trust in your company and land you in hot water with regulators or insurance companies.
As for setting a budget, my experience has shown:
• For bare-bones basics, like Level I for CMMC, expect to pay between $5,000 and $20,000 in labor, education or professional help.
• Remediation costs vary based on your network, your business and the level you’re aiming for, ranging from $20,000 to $100,000. Get a handle on the scope of work you need and get at least two estimates from certified providers.
• For certification audits, expect to pay for the cost of the audit itself plus a similar amount for preparation costs (your staff or a consultant spending time on cybersecurity), plus additional fees for staff training, travel (if the audit includes a physical visit) and other variables, for a grand total of $50,000 to $60,000.
• For ongoing security monitoring, recertification, software patches and other cybersecurity updates, budget $15,000 to $80,000 or more annually, depending on the standards and complexity of your system.
You can measure the impact cybersecurity investments have on your business in several ways: how much you’ve improved security, new business or contracts won, or business maintained (that might have been lost if not for cybersecurity efforts).
Many now see cybersecurity as another cost of being in business like insurance, bookkeeping or payroll taxes. Most importantly, if cybersecurity has been the thing keeping you up at night, you can view your investments as the cost for peace of mind.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders.