As economic uncertainty continues in Q3 of 2023, many small and mid-sized businesses (SMEs) are struggling to stay afloat. Spending needs to be curbed and executives are faced with tough choices about where to make cuts. For many, trimming the cybersecurity budget is often one of the first steps. After all, what are the chances a bad actor will go after a mom-and-pop shop when they can make far more by attacking a large corporation or major financial institution? Higher-ups also often question how much security an SME really needs. What’s the harm in trimming staff or cutting a few security tools?
Unfortunately, reducing coverage could easily result in no coverage. If you lock the door, but leave a window open, a bad actor can still climb in. Plus, adversaries don’t discriminate, especially against SMEs. Many of them use bots to launch thousands of automated attacks on businesses large and small in every industry. They’re also aware that SMEs have smaller cybersecurity budgets and many are looking to reduce those budgets even further, creating an environment that’s easy to target.
Roughly 43% of cyberattacks are aimed at small businesses, making them the largest target for attackers. In 2021, 42% of small businesses were affected by a cyberattack.
So, if bad actors are pointedly targeting small businesses, what does a data breach look like, and how likely is a small business to recover?
The real cost of a data breach
When looking to offset spending by reducing a cybersecurity team’s budget, it’s important to know how expensive a data breach can be.
According to IBM’s 2023 Cost of a Data Breach Report, the cost of a data breach for businesses with fewer than 5,000 employees is on the rise. The average cost of a data breach is $3.31M for businesses with fewer than 500 employees, $3.29M for businesses with 500-1,000 employees, and $4.87M for businesses with 1,001-5,000 employees.
The true cost of a data breach can be attributed to any ransoms that are paid, legal fees, compliance fines, remediation and investigation, data recovery, and lost business due to system downtime or negative publicity. Those costs need to be made up somewhere. IBM’s report found that 57% of survey respondents had to raise their pricing in order to cover the costs of the breach, while other surveys have found that 60% of small businesses that are victims of a cyberattack go out of business within six months.
When you consider the millions of dollars a data breach could cost and the significant portion of cyberattacks that are aimed at small businesses, the $150K that the average SMB spends on cybersecurity starts to feel like a relatively low price to pay.
But could that price tag be even lower? Perhaps.
How to build a smarter cybersecurity budget
Cutting expenses in your cybersecurity budget is possible, but it needs to be done in the right way. Often, the easiest and most obvious cuts will cost you more in the long run. Here are a few dos and don’ts when it comes to cutting your security budget without taking on any additional risk.
- Don’t cut cyber insurance: Cyber insurance premiums can be hefty, and it can be tempting to cut something that you might never need. But given the extreme costs associated with a breach and the decent probability that your small business will be attacked, it’s important to have that safety net in place. Otherwise, a breach could mean the end of your business.
- Don’t choose an MSSP over a more comprehensive partner: MSSPs are outsourced security partners that come at a lower price point than more comprehensive services like MDRs and managed security programs. That’s because an MSSP only gathers your data and alerts you when there’s an abnormality. It’s still up to your team to determine whether or not a breach occurred, where it occurred, and how to stop it. Not only do companies working with MSSPs tend to get alert fatigue, but it takes significantly more time to respond to and remediate the threat. In the meantime, the bad actors continue to work their way through your systems.
- Don’t combine IT and security roles: Many companies have experienced layoffs this year, and security teams are among those being cut. However, be wary of consolidating IT and security roles. The days of tasking your IT manager with your company’s security efforts are long gone, and the two roles have become entirely different disciplines. IT professionals rarely have the tools, expertise, or time to handle a company’s security efforts. In short, they won’t be able to provide the coverage you need.
- Don’t cut tools arbitrarily: Given today’s threat landscape, you can’t just buy one security tool to protect your organization. You need a full security tech stack that ensures all your bases are covered. If not, you’re leaving gaps in your defense system that bad actors can exploit again and again — which they will. Roughly 67% of companies that experience a cyberattack get attacked again within one year of the original breach.
- Do outsource your security to a managed security service: Maintaining a full security team that’s capable of 24/7 monitoring, detection, and response, as well as a full suite of cybersecurity technology, can be expensive — unless you outsource your security efforts to a cybersecurity partner. The right managed security program should offer 24/7 coverage, detection and response services, a full security tech stack, and discounted cyber insurance.
- Do invest in an incident response provider: While it may seem out of the question to add another service provider, there’s a clear financial incentive here. IBM’s previously mentioned report shows that an incident response (IR) team, on average, lowered the cost of a data breach by $1.49M and resolved issues 54 days quicker. Clearly, this will outweigh the cost of any IR retainer.
What is a managed security program?
Managed security programs allow businesses to fully outsource their security efforts, much like they might do for recruiting and hiring, legal services, or payroll. Managed security programs offer 24/7 monitoring, detection, and response services. That means that by the time you hear that bad actors attempted to break into your environment, they’ve already been stopped and ousted, and the vulnerabilities in your system have been fixed.
If a breach does happen, your managed security partner can help you better recover and take action to ensure it doesn’t happen again. They should also help you obtain cyber insurance, hopefully at a discounted price. That’s because insurance companies offer discounts to organizations with an excellent security posture. With the right partner, your insurance carrier knows you’re in good hands and are, therefore, a low risk.
Unlike MSSPs or MDRs, the right managed security partner will conduct an audit to determine your security needs, then save you the work of searching through thousands of security vendors to find the right tools. Your security partner will present you with a tech stack that has everything you need and nothing you don’t. By managing this tech stack for you, your managed security partner is your only point of contact — and your only contract! This simplifies the management of security significantly and often means cost savings for you.
SolCyber is a managed security program provider that’s the first of its kind. In addition to our 24/7 monitoring and detection services, our Foundational Coverage allows small to mid-sized businesses to fully outsource their security efforts. As a bonus, we can guarantee such incredible protection that you’ll automatically be pre-approved for cyber insurance — and get a discount on your premium. Best of all, we do it all for a small per-user, per-month fee. So no more annual contracts that may or may not yield results. SolCyber provides guaranteed outcomes — and peace of mind.
Ready to become cyber resilient? Reach out to SolCyber, the experts in cybersecurity, to see how we can help. Feel free to also check out our Pricing Calculator to access the most affordable managed solution for your organization.
Q1: Why should small and mid-sized businesses (SMEs) be concerned about cybersecurity spending in 2023?
In today’s landscape, 43% of cyberattacks target SMEs, making them the largest prey for attackers. It’s vital for SMEs to invest in cybersecurity to avoid potential financial losses and data breaches.
Q2: What are the risks of cutting your cybersecurity budget?
Reducing your cybersecurity budget without a proper strategy can lead to more significant risks. It might result in insufficient coverage, alert fatigue, slow threat response, or leaving gaps in your defense system that cybercriminals can exploit.
Q3: How can SMEs maintain strong cybersecurity while managing costs?
One effective approach is to outsource your security to a managed security program. This solution offers 24/7 monitoring, detection, response services, and a tailored security tech stack. By doing so, businesses can improve their security posture, reduce costs, and gain peace of mind.