So you think proper security is too expensive. We hear this a lot. But a company doesn’t need to use every security solution out there to be properly protected. It comes down to the level of risk that you’re trying to mitigate. If you follow security and cyber security news, you’re going to hear the word risk in almost every sentence, because that’s the core of what security is about — determining your level of risk. And every element that you want to protect, whether it’s a server, a router, or a database, is going to have a corresponding cost that’s based on the complexity and resources required to protect it.
Think of it this way — if a large national bank wants to protect itself, the scale alone tells you that this is going to be a very expensive proposition compared to protecting a small 20-person office in Hoboken. The two very different sizes have very different risks that they’re trying to mitigate, and the process and costs are going to be proportional to that. Someone in a 20-person office is not going to spend the amount of money that a large national bank is going to.
So it doesn’t have to be that expensive. Often a core part of securing a company’s data is creating a security policy, which might not cost a thing and could be just enough to get you started. We’re going to talk about some of the ways to do that and how to follow standards in a little bit, but what we want to emphasize is that the solution is not about throwing money at the problem; awareness can be a solid start.
Here are two steps to start:
Start off with a plan, just like a good disaster recovery solution. You want to plan for your security and for potential breaches: how are you going to mitigate those breaches? You want to ask a lot of questions about your vulnerabilities and about your risks.
Determine the value of the loss if the business data is attacked. Suppose all my files suddenly get corrupted because someone clicked a link in an email. Now what? Do I have good backups so that I could just restore on top of it and move along? If I don’t have a good backup, am I going to have to pay that ransom? Is that going to put me at more risk? How long is it going to take to restore everything? How much can I suffer in terms of downtime and in terms of reputation with my clients?
* * *
So there are a lot of questions that you have to ask when you’re trying to determine what it’s going to cost to mitigate your risk and to have security in place. Obviously, you shouldn’t spend more money on something than whatever the return value is going to be. If you’re a small office, you’re not going to spend $10,000 on a specialty firewall with lots of bells and whistles if your risk mitigation only calls for something that costs $600 or $1,000.
What you ultimately want is to keep an open mind about what it is that you need, and to know that there are solutions at all different price and functionality levels that don’t lock out small businesses. It all starts by identifying your risks; mitigating those risks is your next step, and then your budget will determine how quickly and how deeply you can mitigate them. Ultimately, you just want to use common sense. You want to have something that’s based on a thought-out plan. And remember, prevention is safer and more cost-efficient than being hit by an attack, which can be devastating.
This post was originally published on Medium.