
Cybersecurity for Your Small Business – Starting at $500

Cybersecurity for your small business doesn’t have to break the bank. In fact, around $500 can implement basic cybersecurity measures that go a long way.

Now for the disclaimers: Around $500 covers 10 devices, one wireless router, and one server, and you’ll need to pay for a cloud office productivity suite that is not included in the $500. This is really the bare minimum investment a small business can make for an entry level of cybersecurity, and you have to accept certain risks to maintain this lower expense.

Your people make the difference

Start with your people, as your employees are the most important part of any small business’ cybersecurity defense. Your employees are both the first and last line of defense: they are the first line of defense because they interact directly with incoming emails, phone calls, and guests, all three of which can pose a cyber threat. Your employees are also the last line of defense as they can identify malicious computer or network behaviors. If a computer is not functioning properly, if large amounts of data are being transferred to an external location, or if a device is lost or stolen, your employee can alert the people in your small business who are responsible for implementing an incident response plan.

In order for your employees to be key cybersecurity assets, they need cybersecurity awareness training and education. Fortunately for our under $500 challenge, there are multiple free options. The Cyber Readiness Institute, CISA (Cybersecurity and Infrastructure Security Agency), and your Michigan SBDC (Small Business Development Center) can all provide cybersecurity awareness training and education at no cost!

Policies and processes matter too

Next up are policies and processes. These are rules and steps that guide everyday business tasks and safeguard your business against improper behavior and improper actions. For example, you might have both a policy and a process for onboarding new employees or offboarding departing employees. Another example is a business process for changing payment accounts that ensures the request is legitimate and authorized.

Fortunately, policies and processes are something that a small business can implement at no additional cost. You can write your own small business policies and processes, implement them and update them as needed.

Technology

Next up: the challenge of implementing the technology needed to secure a small business, starting at around $500.

Antivirus/Antimalware: This is a must-have for all devices, including computers, smartphones and servers. Antivirus/Antimalware is a solution that can range from no cost to over $25 per device per month. The no-cost version may sound tempting, but it leaves you with zero control over use as it is a non-managed solution. For this reason, it is advised to go instead with antivirus/antimalware that allows you to inexpensively manage and deploy to your small business devices. When researching for this blog, I found a deal for 10 devices at $60 per year.

Endpoint Detection & Response: This is more than antivirus/antimalware, as it can monitor devices on your small business network for malicious behaviors and start an automatic mitigation of threats found, but this solution is a little more costly than antivirus/antimalware. Here’s an example of where you must accept some risk in order to keep expenses lower. Instead of installing it on all 10 devices and one server, we will only install it on the server. This keeps our costs down significantly, as the cost for one device is $60 per year.

Password Managers: This solution allows for secure management and organization of passwords by allowing users to create unique and complex passwords and access them quickly and securely. Similar to antivirus/antimalware, the cost ranges from no cost (unmanaged again) to over $10 per device per month. I found a deal for a managed solution for 10 users at $240 per year.

Multifactor Authentication: This provides one or more additional steps when accessing business accounts. MFA is commonly explained as “something you have” like a smartphone or security key, “something you know” like your username and password, and “something you are” like a fingerprint or facial recognition. After an employee enters their username and password, they are prompted for an additional step, perhaps an expiring six-digit code sent to their smartphone or maybe a push notification to that same smartphone requiring a fingerprint. This extra step makes it more difficult for a cyber criminal to access your employee accounts. Once again there are options from no cost to over $10 per user per month. Fortunately for me, the password manager I selected also has MFA as a feature included for $0 per year.

Data Backups: It is critical that a small business has backups of its data, as hard drives can fail, computers can refuse to turn on, and devices can be broken, lost, or stolen. All of these are ways a business can lose its data. Whatever the reason a business loses access to its data, backups can help the business recover it. For data backups we will follow the 3-2-1 Rule (3 copies, 2 media types, 1 copy stored offsite) for our challenge. Our small business will utilize our server, our cloud office productivity suite, and an external hard drive we need to purchase. This will give us our 3 copies, 2 media types, and 1 copy offsite. Our server cost comes from the IT budget and not the cybersecurity budget, the cloud office productivity suite comes from the IT budget as well, and the external hard drive will come from our cybersecurity budget. We will make a one-time purchase of the external hard drive for $105 and utilize its included backup software.

Wireless Router: Often a wireless router is provided by the internet provider but at a high monthly cost. To eliminate that cost, we will purchase our own dual-band wireless router. This will allow us to manage our own router and reduce long-term expenses with a one-time cost of $39.

Time for the math

After crunching these numbers for hours with my super computer, for 10 users/devices, one wireless router, and one server we come to a grand total of $504 ($360 per year & $144 of one-time costs).

It is important to remember that this challenge will provide the bare minimum a small business should do for entry level cybersecurity. For more information about how to best manage cybersecurity for your small business, register for consulting here.

Scott Taber
Lead Center
Cybersecurity Awareness Program Specialist

 

 

 

 
