
Cybersecurity 101:
Intro to Cybersecurity for US & Canadian Businesses

The Baseline for Foundational Security Has Changed: What Business Leaders Need to Know

If every cyberattack that happened in the United States and Canada were in the news headlines each day, there wouldn’t be room for anything else to be covered. We only hear about the really big data breaches that take place, but cyberattacks happen every day, every hour, every minute, to organizations large and small.

Here’s what the headlines would look like if cyberattacks were all reported and published:

  • School district refuses to pay ransom to cyber criminals and personal data of students and staff is exposed on the web
  • 100+ businesses down for 45 days after cloud provider encrypts all their files
  • Employee pays $3,000 out of his own pocket to buy gift cards for hacker
  • Manufacturing company spends $250,000 to remediate ransomware attack
  • Accounting clerk tricked into sending more than $150,000 to criminal’s bank

You get the idea.

We created this guide to help executives like you understand the need for business cybersecurity, the risks that are associated with running a business today, and what you need to do to effectively manage those risks.

If you’ve been in business for a while, you might think that you’ve learned everything that you need to know about cybersecurity for executives. But in our experience in talking with hundreds of business leaders, we’ve learned that for many, there’s a false sense of security that makes their organizations easy targets for cyber criminals.

We wouldn’t wish a cyberattack on anyone. It’s our sincere desire to help you to avoid becoming a victim by giving you information about cyber risks and how best to manage cybersecurity.

If there’s only one thing you get from the information we’re sharing, please let it be this:

The cybersecurity baseline has moved.

Basic security standards aren’t enough to protect you.

Act now before you become a victim.

How the Cyber Landscape has Changed

More Targets, More Endpoints, More Accountability

  • Hackers are Opportunistic

    In some ways, the tactics cyber criminals use to steal, hold hostage, and exploit data and networks are the same ones attackers have used since the early days of the internet: find a way into a network unnoticed, or trick a person into bypassing security controls on the attacker’s behalf. Attackers go where the effort is lowest, and a single exposed service or a single convinced employee is often all it takes.

     

  • Cyber Criminal Tactics Have Evolved with Artificial Intelligence

    Despite reliance on tried-and-true techniques, cyber criminal tactics have changed in some very important ways. The software tools they use have evolved, and they are using Artificial Intelligence (AI) to automate reconnaissance, produce more convincing phishing messages, and pick their targets more precisely.

  • Every Business Is a Target

    Cyber criminals have increasingly turned their attention to small- and medium-sized businesses. One reason for this is because lax security has made smaller businesses easy targets. A second reason is because cyber criminals have found that they can get access to bigger targets through the network connections of small businesses.

  • Number of Internet of Things (IoT) Devices Has Exploded

    The Internet of Things (IoT) has exploded the number of devices connected to a network, and the security of these devices is too often unknown (or nonexistent). Unsecured IoT devices (AV equipment, security cameras, smart thermostats, and the like) sit inside the perimeter your firewall defines but rarely run endpoint protection, so an attacker who compromises one has a foothold on your network that your firewall and endpoint tools never see.

  • More Employees Are Working From Home

    Because of COVID-19, many companies have more people working remotely, which creates the same kind of security considerations as if you had a multi-location business. Remote employees are connecting to your network through their home networks, and sometimes using their personal devices to do so. Assuring security while working from home means equipping employees with the tools and habits they need to make their home office as safe as your physical office for your data.

  • Accountability for Data Privacy Is Increasing

    Before we talk more about the risks, there’s one more thing that’s changed in the cyber landscape – an increasing obligation toward accountability. Organizations are increasingly accountable to protect the data that they gather and store. Industries like healthcare and financial services have needed to comply with regulations for maintaining confidentiality for quite a long time. Similar regulations are working their way into many other industries as well, which means that companies should expect this accountability for data protection to impact them very soon (if it hasn’t already).

The Business Case for Cybersecurity

What Would Happen to Your Business If You Lost Access to Your Data and Network?

The first step to becoming better at managing cyber risk and security is to consider what’s at stake.

  • What assets are you protecting?
  • What’s the value of your assets?
  • What would be the impact on the organization and its people if these assets were stolen, damaged, or exposed?

Then ask yourself: How much risk am I willing to accept?


Data as a Business Asset

If you made a list of all of the data that you gather and store, you could probably categorize it by importance.

Some data has value because it’s essential for your daily operations. Other files are important because they document your trade secrets and intellectual property. The information that you keep in employee records is valuable to the individuals involved as well as your organization. Some files that you store might already be publicly available like the content that’s published on your website. Do you store any information about your customers? Consider what that data is worth to them.

Where your mind goes when you consider these categories of data could be the first indicator of their importance to you. You have to think of what would happen if you lost access to all this information.

  • We’ll be shut down
  • We’ll be out of compliance
  • Our customers will be upset and may leave
  • Our employees will be upset and may leave
  • We’ll be sued
  • Our reputation will be dirt
  • Damage control will be costly
  • Our competitors will beat us

Network Connections as a Business Asset

Not only does your data have value but your network connections do too. The 2013 Target breach, which exposed roughly 40 million payment card accounts, happened because the attackers used credentials stolen from Target’s HVAC vendor to get into Target’s network. This was big news then, but it’s extremely common now and there’s a name for it: island hopping (or, more broadly, a supply-chain attack).

Add to that the fact that it can take as long as six months or more for a network intruder to be discovered, and you’ve got a situation where you could be responsible for data breaches that happen not just to you but to your customers and vendors.


Business Impact of a Cyberattack

Just the thought of having to deal with the impact of a cyberattack should be enough to make your heart race and put a rock in the pit of your stomach. Let’s go a step further and challenge you to see if you can quantify the pain that you’ll experience if your network gets breached.

  • What if your employees couldn’t access your network for a day? What would that cost?
  • What would happen if you lost your biggest customer because they became a victim of a cyberattack through your network? What kind of a hit would that be to your revenue?
  • What if the social security numbers of your employees were exposed? How much would it cost to provide them with identity theft protection and credit monitoring? How much would it cost to rehire and train the people who leave because they don’t trust you anymore?
  • What if you violated confidentiality regulations? Give your best guess as to what penalties and legal fees might cost.
  • What if you didn’t get paid by your customers because their payments had been diverted to a cyber criminal’s bank? How big of a cash flow hit can you handle?
  • What if your reputation as a trusted supplier and employer was damaged? How much do you think it would cost to hire a professional communications company to do damage control? How much more resources will you have to put toward sales and marketing to attract new customers?

How Much Risk Are You Willing to Accept?

If you have a cyberattack, there will be costs. The question is, are you willing to pay that cost after the fact or would you rather use those same resources on prevention?

If you are one of 76% of businesses that has had to deal with the fallout of a cyber incident, then you know that even if the dollars are about the same, it’s much better for everyone involved if you spend the money on being proactive instead of reactive.

Being proactive about cybersecurity means that you must have a strategy.

Cybersecurity Strategy

Security Includes Everyone And It Starts at the Top

Security isn’t just the IT department’s job. If it were, then all you’d have to do is make sure you have the right firewalls and software tools to make cyberattackers bounce away.

That isn’t realistic.

The best cybersecurity strategy consists of layers that include technical, administrative, and physical tactics, plus cyber insurance.

If you’re in an industry that has compliance regulations, these will play a factor in your security strategy. Compliance is all about being accountable for the safekeeping of information. Just because you’re not in the healthcare or banking industry doesn’t mean that you won’t need to have the same level of accountability for data storage and use.

If you haven’t already experienced it, greater accountability is coming for everyone.


Who Owns the Cybersecurity Strategy

You, or you and your management team, are responsible for your cybersecurity strategy if it’s going to stick. If there isn’t buy-in at the top, then you’re setting your organization up to fail because security will feel like enforcement instead of responsibility.

Additionally, if you’re the one who’s responsible for managing risk, you can’t exclude cyber risk from your list of business risks.

Your goal in owning, creating, and implementing a security strategy isn’t meant to keep everything on your shoulders alone. You need to create a culture of security.


What a Culture of Security Looks Like

While management is responsible for creating cybersecurity and compliance strategy, it’s everyone’s responsibility to implement that strategy within their role. It would be great if you could just tell people that corporate data is valuable and then they’d automatically treat it like the crown jewels, but that’s not realistic.

Helping employees understand the value of their organization’s information starts with teaching people about how information will be accessed, and by whom, with acceptable use policies. How you support those policies with training and enforcement will send a clear message to employees about the respect that your whole organization places on handling information.

Another way to grow a culture of security is to tie in the value of information with the value that the employees see themselves bringing to the organization. When you help people gain a sense of ownership of the impact that their work has on the organization, you can communicate to them that the role they play in handling information is important.

It all comes down to trust. You ultimately have to trust your employees to do the right thing. They have to trust that if they make a mistake or have an error in judgement that they can report it without fear of reprimand.

Trust comes from consistency and in clarity about expectations.


Resilience = Goal of Cybersecurity Strategy

If you’ve been thinking about cybersecurity like a project – building walls and barriers – it’s time to change your thinking. Cybersecurity is an ongoing process that needs to be managed. Not only do you have to make sure that the technical walls and barriers don’t crumble, you must think ahead and decide how you’re going to respond when an attack does happen.

When you start thinking about security as a process that includes detection and recovery, a whole different set of questions pops up. Answering these questions proactively will be essential to build your ability to bounce back after a cyberattack.

  • What are the most likely threat scenarios that could happen?
  • What do we want employees to do if they suspect a cyber intruder or breach?
  • What protocols do we want in place to guide our response to a cyberattack?
  • How long can we afford to be without our IT systems?
  • How are we going to operate if our systems are down?
  • Have we prioritized our systems based on their importance to daily operations?
  • How will we determine the extent of the damage and which data was compromised?
  • What will we do in the event of permanent data loss?
  • How are we going to restore our systems so we can get up and running again?
  • How are we going to use communications to maintain confidence and uphold our reputation during damage control?

As you go through these questions, it’s clear that you’re going to have unexpected costs to deal with if you have a cyberattack. Cyber insurance is how you can get help to handle both the costs (and sometimes even get the expertise needed) to navigate through a data breach incident.

Cyber Insurance

Enable Resilience with Cyber Liability Insurance

No one can guarantee that you’ll never be the victim of a cyberattack, even if you’re diligently keeping up with security. You need cyber liability insurance in your security strategy to help you deal with the risks that you can’t avoid. Some cyber specialists refer to the day of a cyberattack as a “cold dark day,” and if (or when) one happens to you, you’ll be glad that you have access to the resources that cyber insurance provides.

Don’t assume that your general business policy will cover cyber incidents. It usually won’t because the types of incidents and the fallout are so different from the events that are traditionally covered in a general policy.

What Does Cyber Insurance Cover?

Just like any other insurance, coverage depends on your specific carrier and policy, and the type and amount of data that you gather and store, but here’s what you’ll generally get:

Data Breach Response – Communications to affected organizations and individuals, along with follow-up activities such as identity theft protection and legal fees.

Cyber Extortion – Covers the cost of a ransom payment (where the policy and the law allow it), as well as expert services to negotiate with the cyber criminal and bring the event to an end. Check the policy terms: many carriers now limit ransom coverage, and paying a group that is under sanctions can expose you to penalties from the U.S. Treasury’s Office of Foreign Assets Control (OFAC).

Legal Fees and Regulatory Fines – Relief for costs associated with legal proceedings and regulatory fines.

Business Interruption Reimbursement – Relief for loss of income and increased costs of doing business after a cyberattack.

Forensic Support – Covers costs for investigating the extent of the data breach and how the incident happened.

Damages to a Third Party System – Covers costs that arise when your email or IT systems were used by a cyber criminal to gain entry or cause damage to another organization’s IT system.

Application Process and Costs for Cyber Insurance

The information that your cyber insurance application gathers is used to determine your risk level. Your risk level is determined by a variety of factors related to your industry, the size of your business, your history of cyberattacks (if any), and the combination of tactics you’re using in your cybersecurity strategy.

Basically, the more sophisticated your strategy, the less vulnerable you are to cyber threats. Expect to get some help from your IT team when you’re filling out your application because you’ll need to know if you do or do not have the technologies that are listed. When it comes to evaluating your security technologies, outsourcing IT and cybersecurity to professionals will be a plus.

It’s hard to gauge a ballpark premium price. Pricing (like coverage) depends on the amount and type of information you store, and the level at which you manage cyber risks. A small business like a construction contractor may be able to spend less than $4,000 a year on coverage, but a medical research company may have to pay over $200,000 a year.

Your cyber insurance policy and pricing is going to be unique to your organization and your situation. The bottom line is that cyber insurance is just as much a must have layer of security as the technical, administrative, and physical layers that are detailed here.

Before we get deeper into the tactics that should be a part of your cybersecurity strategy, we need to address cybersecurity compliance. If your organization needs to follow regulatory guidelines for the safekeeping of information, that should be addressed in your cybersecurity strategy.

Cybersecurity Compliance

Accountability for the Confidentiality, Integrity, and Availability of Data

The goal of compliance isn’t that different from the foundational goal of any cybersecurity strategy: protect the confidentiality, integrity, and availability of information by controlling who can access it and what they can do with it.

What’s different is that accountability for meeting this goal needs to be documented and verified. In other words, compliance doesn’t just mean “keep this data safe.” It means, “Prove how you’re keeping this data safe.”

Certain industries have had compliance requirements for a long time. For example, the Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. The Payment Card Industry Data Security Standard (PCI DSS), first published in 2004 and governed by the PCI Security Standards Council since 2006, applies to any organization that stores, processes, or transmits payment card data, not just banks.


Security Standards Pushed Down the Supply Chain

More recently, security requirements have been pushed down to government contractors. Companies that handle Controlled Unclassified Information (CUI) for the Department of Defense (DoD) must implement NIST SP 800-171, and if the DoD is your customer (or your customer’s customer), you will also need to meet the Cybersecurity Maturity Model Certification (CMMC) level your contracts require.

Increased accountability for companies that gather and store information about consumers is no doubt in the future, led by General Data Protection Regulation (GDPR) in the European Union, and in California with the California Consumer Privacy Act (CCPA) regulation that went into effect in January 2020.

 

Interpreting Regulations into Security Controls

If you’re not familiar with regulations for network security compliance, then you might imagine that all you have to do is implement a list of security measures and you’re good to go – but it’s not that simple. Most organizations need help interpreting regulations into the security controls that will meet compliance objectives, and then to maintain and manage the security process. It’s typically a specialized skill set.

While this guide doesn’t go into detail about how you should go about achieving compliance with specific regulations, our message that the baseline for foundational security has changed is relevant for you. Keep reading and you’ll be more informed when you have conversations about compliance, especially when it comes to the advanced tools that are included in the Security Controls section.

Threats and Vulnerabilities

Difference Between Threats and Vulnerabilities

Think about a threat as a bad thing that could happen. Cyber threats include ransomware, viruses, phishing, business email compromise, denial of service attacks, botnets, and more. The list of cyber threats keeps growing because the technology the bad guys use evolves just as fast as the technology the good guys use.

Vulnerabilities are potential weak spots that threats can exploit.

Your cybersecurity strategy needs to include multiple layers of controls that are designed to address vulnerabilities so that you can either avoid the threat altogether, or enable detection and response to stop a threat in its tracks if it gets through.

In the following section, we’re going to present threats and vulnerabilities together so that you can start to connect them with the security controls that are used to manage vulnerabilities.

How Cyber Threats Exploit Vulnerabilities

Email Phishing and Spear Phishing


Phishing involves sending emails that look like they come from a trusted person or organization, with the purpose of getting the recipient to click on a link, open an attachment that installs malware, or enter credentials on a fake login page. Some phishing schemes ask the recipient to transfer money or give the sender access to other financial resources. The source of the email can appear to be an organization or a specific person that you know.

VULNERABILITIES

  • Minimal email spam filtering
  • Inadequate password and identity management
  • Employees don’t know how to recognize phishing
  • Lack of business policies for verifying financial actions

Malware, Spyware, and Ransomware


Malware is any piece of software that is intended to do harm. Malware is delivered in many ways including clicking links, opening attachments, downloading software, and browsing a compromised website on the internet. There are many kinds of malware, but we want to draw your attention to two types because they are especially prevalent right now.

Ransomware is a type of malware that you’ve probably heard of. In the past, having a good backup was considered insurance against ransomware: you could refuse to pay and just restore from a backup. Unfortunately, most ransomware operations now also steal your data before encrypting it and threaten to publish it if the ransom isn’t paid, so backups protect your availability but no longer protect your confidentiality. Backups still matter (and they must be offline or otherwise isolated so the attacker can’t encrypt them too), but they aren’t the whole answer.

Spyware is exactly what it sounds like. It’s a program that lets a bad guy watch what’s happening on an infected device: keystrokes, credentials, and especially email. Attackers read your email threads so they can impersonate your people convincingly in later phishing and payment-diversion schemes.

VULNERABILITIES

  • Out-of-date and unpatched software
  • Email impersonated from a look-alike domain
  • Unmanaged endpoints
  • Unrestricted access to the internet
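The look-alike domain problem in the two lists above (a phishing mail that appears to come from someone you know, and malware delivered from a domain one character off from a real one) is something a mail filter can check mechanically. The following Python is an added example written for this guide, not VC3’s code or a product feature: it folds a sender’s domain to what a human would see on screen (digits and Cyrillic letters that mimic Latin ones, “rn” for “m”), then compares it against an allow-list of trusted domains by exact match, edit distance, and embedded brand name. The trusted domains, sample senders, and thresholds are constructed for illustration.

```python
"""Flag sender domains that look like a trusted domain but are not it.

Added example for this guide, not VC3's code. The trusted domains, the
sample senders and the thresholds are constructed for illustration.
"""
import unicodedata

# Constructed allow-list: domains this organization legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example.com", "examplebank.com", "vc3.com"}

# Single characters that render like a Latin letter: digits and a few
# Cyrillic/Greek letters used in IDN homograph attacks.
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic letters that look like a, e, o, p
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",  # Cyrillic letters that look like c, x, i, s
    "\u03bf": "o",                                                # Greek omicron
}
# Letter pairs that read as one letter in many fonts.
DIGRAPHS = [("rn", "m"), ("vv", "w")]

# Constructed sample From: addresses, with what a reviewer should conclude.
SAMPLE_SENDERS = [
    "accounts@example.com",              # trusted: exact match
    "billing@mail.example.com",          # trusted: subdomain of a trusted domain
    "ceo@exarnple.com",                  # lookalike: "rn" reads as "m"
    "payroll@examp1e.com",               # lookalike: digit 1 for letter l
    "support@ex\u0430mple.com",          # lookalike: Cyrillic a (U+0430)
    "it@example.com.secure-login.net",   # lookalike: brand buried in a foreign domain
    "vendor@examplebank.co",             # lookalike: one character off
    "newsletter@unrelated.org",          # unknown: not trusted, not a lookalike
]


def normalize(domain: str) -> str:
    """Fold a domain to the ASCII string a human would *see* on screen."""
    folded = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))  # drop accents
    folded = "".join(HOMOGLYPHS.get(ch, ch) for ch in folded)
    for seq, rep in DIGRAPHS:
        folded = folded.replace(seq, rep)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> dict:
    """Classify the domain of a From: address as trusted, lookalike or unknown."""
    domain = address.rsplit("@", 1)[-1].strip("<> ").lower()
    if domain in TRUSTED_DOMAINS:
        return {"domain": domain, "verdict": "trusted", "reason": "exact match"}
    # Subdomain test uses the raw string: mail.exarnple.com must not pass here.
    for trusted in TRUSTED_DOMAINS:
        if domain.endswith("." + trusted):
            return {"domain": domain, "verdict": "trusted", "reason": f"subdomain of {trusted}"}
    norm = normalize(domain)
    labels = norm.split(".")
    # Longest trusted name first, so examplebank.co is matched to examplebank.com
    # rather than reported as an embedding of example.com.
    for trusted in sorted(TRUSTED_DOMAINS, key=len, reverse=True):
        t_norm = normalize(trusted)
        if norm == t_norm:
            return {"domain": domain, "verdict": "lookalike", "reason": f"homoglyph of {trusted}"}
        dist = edit_distance(norm, t_norm)
        if dist <= (2 if len(t_norm) >= 12 else 1):
            return {"domain": domain, "verdict": "lookalike",
                    "reason": f"edit distance {dist} from {trusted}"}
        brand = t_norm.split(".")[0]
        if any(brand in label for label in labels[:-1]):
            return {"domain": domain, "verdict": "lookalike",
                    "reason": f"embeds {trusted} brand name"}
    return {"domain": domain, "verdict": "unknown", "reason": "no trusted domain resembles it"}


def triage(addresses):
    """Classify every sender; a mail gateway would quarantine the lookalikes."""
    return [classify_sender(address) for address in addresses]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_SENDERS):
        print(f"{verdict['verdict']:9} {verdict['domain']:32} {verdict['reason']}")
```

Run it as a script to see the verdict for each sample sender. Short brand names produce false positives with the embedded-name rule (any domain containing “vce” would trip on the folded form of vc3.com), so in practice you would tune that rule per brand. This check complements, and does not replace, SPF, DKIM, and DMARC enforcement, which stop the easier case of a forged From: address on your real domain.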

Social Engineering


When people are tricked and manipulated into doing an action they wouldn’t otherwise do, that’s social engineering. These ploys often use authority and urgency to coerce a person to provide login credentials, change banking information, purchase gift cards, or click a link or attachment in an email.

The entry way for a social engineering trick may be a phone call or text, as well as an email or online message. The goal, whatever the channel, is to get a person either to give up information or to take an action that gives the attacker access to their computer or network.

Phone scams can be very targeted with their attack, with the bad guy possessing information about the recipient that leads them to believe that they can be trusted.

VULNERABILITIES

  • Basic email and spam filters
  • Inadequate password and identity management
  • Lack of knowledge about social engineering
  • Inadequate business processes for verifying certain actions

Connected Devices


If you have remote workers, you’re a multi-location business. The laptops and PCs that your people connect to your network are all considered endpoints. You probably have more vulnerable endpoints than you realize because anything connected to your network – anything – should be protected. That goes for your heating and cooling system, security cameras, and other IoT devices as much as it does for your computers and tablets.

Smartphones are also connected devices, and they often control your other connected devices. There are some additional factors to consider with phones because they move around with the owner, and they may be owned by the employee and not your company.

VULNERABILITIES

  • Unsecured network access
  • Out-of-date hardware and software
  • Easy passwords or no passwords
  • Lack of Mobile Device Management (MDM)

Insider Threats and Physical Security


Hopefully, you can trust the people you hire and you’re assured that they wouldn’t do anything on purpose to steal, corrupt, or expose your data. Unfortunately, that’s not always the case.

It's nice to think that none of your employees would betray your trust, but things happen. Whether it’s a bribe from a competitor or the act of a disgruntled employee, you want to be aware of the actions that your people could take to compromise your business information and IT systems.

Don’t forget that cyber criminals don’t just operate online. They can walk through your front door. Maintaining the security of your office space includes limiting access to your server room, locking workstations when not in use, and never leaving post-its or other notes with login credentials where someone could easily find them (for example, in your desk drawer or stuck to your monitor).

While you might envision intruders sneaking their way into your facility, don’t discount potential threats from people who have a reason to be there – whether they’re visiting or are one of your employees.

VULNERABILITIES

  • Uncontrolled access to your facility
  • Uncontrolled access to servers
  • Unhindered access to computers and servers
  • Sharing account credentials between multiple people

Security Controls - Cyber Defenses with Layers

Prevent, Detect, and Respond

As you get ready to call it a night, the last thing you do before you head to bed is lock the doors, turn on the electronic alarm system, and give your German shepherd a pat on the head as he snoozes in his bed.

Now imagine that someone wants to break in. They’ll have to find a way to disable your alarm, get through the locked door, and maneuver past Fido in order to gain access to your valuables. These three layers of security act as barriers (locks and the dog), detect an intrusion (alarm and the dog), and attack the intruder (the dog).

An attacker could certainly find ways to circumvent all three of these security layers, but getting in and out for his mission will be more difficult and take longer than if he only had to deal with locked doors.

The concept is similar in a technology environment where the layers of security are designed to detect and thwart attacks before they can do any damage.

Three Types of Security Layers: Technical, Administrative, and Physical

Security controls aren’t just technical. They’re also administrative and physical. Your security strategy needs to include all three.

Technical Security Controls

How you use hardware and software to deter, detect, and respond to cyber intruders.

Administrative Controls

What your people need to do to deter, recognize, and respond to cyber intruders.

Physical Controls

How the physical environment is set up to promote security.

 

In our example, the actual doors and windows with their locks and the electronic alarm system would be like technical security controls. The administrative controls would include training people to get into the habit of locking the doors and turning on the alarm system, and teaching them what to do when the alarm or the dog gives an alert.

Let’s go through the list of security controls that you should be using. As you become familiar with the security tactics listed here, you’ll see some crossover because different tactics support and enhance others.

 

1. Basic Technical Controls

Firewalls, Patching / Updating Software, Network Design

Think of basic technical controls as the method you use to close and lock the doors to your data and IT systems. Keep in mind that older software and hardware don’t have the advanced capabilities newer technologies include, and that unpatched software is one of the most common ways attackers get in, so patching needs a schedule and an owner. Your network design should segment systems so that access to data is controlled and a compromised device or account in one part of the network can’t reach everything else.

 

2. Advanced Security Tools

Threat Detection and Response, Artificial Intelligence, Email Security

The need for advanced security tools can’t be ignored when it can take more than six months for an intruder to be detected without them. That’s a lot of time for cyber criminals to plan out how they can get the biggest strike.

Advanced security tools use behavioral analytics and machine learning to learn what normal traffic and user activity look like on your network, so they can recognize activity that isn’t normal and act when something out of the ordinary occurs, which could be a sign of an intruder.

 

3. Endpoint Security Protection, Detection, and Response

Agent-Based Software on Connected Devices

Endpoint protection can be considered an advanced security tool, but it’s worth calling it out here because of the increasing number of devices that are connected to your network. Whether it’s your remote workers’ corporate or personal computers, your cloud services, or your smart devices, anything connected to your network is a potential access point for a cyberattack.

Endpoint detection and response (EDR) software records what happens on each device, blocks known-bad activity, and lets responders investigate and isolate a compromised machine remotely, which shortens the time an intruder goes unnoticed.

 

4. Mobile Device Management

Monitoring Software, Identity Management, Security Policies

Using smartphones makes it easy for employees to be in touch when they’re not in the office, but when you think of smartphones as doors to your network, then it’s scary to think of who could get access to your data if the phone is lost, stolen, or used by an unauthorized person.

Software can be used to control what employees can do on their phones. Teaching people how to use the security features that are available on their phones and providing training on acceptable use will help to instill in the employee their individual responsibility for using their smartphones with safety in mind.

 

5. Advanced Email Security

Spam Filters, Encryption, Identity Management, Cybersecurity Awareness Training

Phishing continues to be a preferred cyber criminal tactic because it works. The bad guys use tricks to impersonate companies and people whom your people trust to get them to do something that they wouldn’t otherwise do.

If your email software is up to date, you probably already have advanced security tools available but they may not be activated. This could be for many reasons, but it’s usually because your IT team doesn’t know about them or your leadership team has declined to use them due to the potential impact on workflow.

Cybersecurity Awareness Training (discussed below) and Identity Management are essential parts of email security.

 

6. Identity and Asset Management

Password Management, Multi-Factor Authentication, Biometrics

Identity and Access Management (IAM) is like the set of keys that allow your people to access their accounts, your network, and your information. Cyber criminals want those keys because it’s a lot easier for them to unlock your doors than to figure out a way around or through them.

The biggest problem with identity management is getting people to take it seriously. Methods like multi-factor authentication (MFA) and biometrics have evolved so that you don’t have to rely on password management and human behavior alone to keep accounts safe. But they still require training. If a user will tap “Approve” on an MFA prompt they didn’t initiate (attackers who already have a password deliberately flood the user with prompts until one gets through; this is called MFA fatigue or push bombing), the cyber criminals will still get in. Number matching on push prompts and phishing-resistant methods such as FIDO2 security keys or passkeys close this gap.

 

7. Secure Network Access for Remote Workers

Virtual Private Network (VPN)

Securing your remote workers involves many components. A VPN is the tool you need to let employees access your network securely.

A VPN opens a secure path through your firewall that requires every connection to be encrypted and authenticated. It’s essentially a tunnel that prevents outsiders from seeing the traffic that goes in and out of your network.

8. Securing Cloud Applications

Encryption, Data Backup, Identity Management, Email Security

Whether your whole infrastructure is in the cloud, or you have several departments using cloud services, you can’t leave security totally up to the cloud provider.

Before using cloud services, make sure that the service meets your parameters for security and compliance. (Get help with this technical discussion if you need it.) Make sure you back up your cloud data, and secure the devices that access your cloud services with Endpoint Protection and Identity Management.

9. Cyber Forensic Tools

Logging and Security Information and Event Management (SIEM) Software

Cyber forensics is what you need after you have a cyberattack so that you can prevent the same thing from happening again and to determine the extent of the data breach.

These tools must be in place before the incident takes place.

The ability to track down how an intruder gained access and then determine what damage was caused will be critical when it’s time to make an insurance claim or defend your organization in legal proceedings.

10. Security Policies

Documenting, Training, and Enforcing How to Access Information and Your IT Systems

Think of your security policies as the way you answer your employees’ questions about how they should access your network and data. It starts with “What data do I need to do my job?” and details how that data may or may not be shared.

Your policies set out your expectations for how employees should act in certain situations, like what to do when a vendor needs to access your network. The effectiveness of security policies is directly related to the level of training and enforcement that is present.

11. Cybersecurity Awareness Training

How to Recognize and Respond to Potential Cyberattacks

Although both are directed at employee behavior, cybersecurity awareness training is different from security policies.

Cybersecurity awareness training uses simulations, tests, and interactive instruction to teach employees to recognize potential cyberattacks. Much of this training is focused on social engineering and how it’s used in phishing and spear phishing attacks, because these are favorite cyber criminal tactics.

12. Physical Security

Restricting Access to Facilities and Devices

Whether at the office, out and about, or at home, physical security matters when it comes to keeping prying eyes and sticky fingers off your business data. Part of physical security has to do with limiting access to your facility, but EVERY employee must play their part too. This can be as simple as getting into the habit of locking their screen when they step away from their workstation or making sure that someone doesn’t enter a building behind them.

Incident Response Plan

Hope for the Best, Plan for the Worst

If you don’t prepare for the day when your organization does have a cyber incident, then your cybersecurity strategy is not complete. An Incident Response Plan (IRP) documents what you want employees to do ahead of time so that they have a path to follow in the heat of the moment.

Your IRP answers questions like:

  • What do I do if I think I did something that created an entry for a cyberattack? (click a link, open an attachment, respond to an email or phone call, etc.)

  • What do I do if I suspect we have a cyber intruder?

  • After the IT team, who should we notify?

  • Do we notify law enforcement? When?

  • What do we tell employees?

  • Who will lead communications?

  • What’s our plan to restore from backup?

  • What backup or alternate systems can we put in place to keep operations going until we can be fully restored?

Putting Your Incident Response Plan into Action

Your IT team should have documented procedures for their response to a cyber incident. They’ll need to confirm that an incident has taken place and stop the activity. Preparation for their response includes having all the resources that they might need in one spot – hardware, software, cables, chargers, communication protocols, etc. – so they can pick them up and go.

Preserving the Scene

The investment that you made in logging tools is going to pay off when it’s time to figure out what happened – but you have to balance your need for investigation with your desire to get back up and running.

Once you restore from backup, the data that you need for forensic analysis is gone. Let the cyber forensics experts do their postmortem to find out what happened, then restore.

Communications Plan

One of the biggest impacts of a cyberattack is going to be on your reputation, so you’ll need a communications plan within your Incident Response Plan. Your reputation helps you keep trust with your customers, employees, vendors, and even your local and industry communities. Your skill in getting the right messages to the right people will help maintain your reputation and confidence in your ability to handle the incident.

Contacting Your Cyber Insurance Company

Getting in touch with your cyber insurance carrier should be a step in your communications plan. They should be able to provide guidance on the steps you need to take, even if you’re still in the process of containing the breach.

Testing and Managing Your Cybersecurity Process

If you want to be confident that your organization is doing what it’s supposed to be doing to manage cybersecurity, you need to test your processes from time to time. Ideally, this would be done by a third party. Some industries require third-party verification for compliance.

Whether you do it quarterly, twice a year, or annually, get into the rhythm of performing a risk assessment and security review. Include employee training in your process so that people can learn what they need to do and keep security top of mind.

Your backup and disaster recovery plan should also be tested. Some companies also run simulations with different threat scenarios to more fully train people to respond when there’s a cyberattack.

Communicating Cybersecurity Accountability to Customers and Vendors

As cyber risks persist and continue to threaten organizations of all sizes, there is a growing demand for organizations to be accountable for keeping data safe. We already see this in regulated industries like healthcare and banking.

As mentioned, companies that are government contractors and subcontractors must now follow the Cybersecurity Maturity Model Certification (CMMC) and/or NIST cybersecurity standards. These standards don’t just address cybersecurity controls. They give organizations common language to use when communicating expectations.

Accountability for cybersecurity is also important if you want to get the best rates on cybersecurity insurance, provide evidence that you took all necessary precautions when it comes time to file a claim, or build your defense in legal proceedings.

Having a detailed cybersecurity plan may be all the documentation that you need to verify your level of cybersecurity. If you want to go up a level, the NIST cybersecurity framework can be used by any organization to demonstrate your level of cybersecurity readiness.

Working with a Managed Security Services Provider (MSSP)

If you’re relying on your in-house IT team to take care of everything that’s involved with support and security, you could be sacrificing some goals for others. There’s an inherent conflict between IT management and IT security. IT management focuses on ease of access, productivity, data integrity, etc. IT security focuses on layers to keep the bad guys out. A lot of times, those layers get in the way of efficiency. You need to take a high-level look at both areas to get the right blend.

Additionally, cybersecurity expertise cannot be achieved part-time. You really should think about what your cybersecurity department should look like because there are different roles that you need to fill to make sure that all the technical, administrative, and physical components of your security plan are working together to effectively manage risks.

Managed Security Services Providers (MSSPs) are a good option to pull in cybersecurity expertise and guidance without increasing your payroll. In addition to collaborating with you to create and implement a cybersecurity plan that’s appropriate for your level of risk, they can interpret compliance requirements and bring ideas for how you can develop a culture of security at your organization.

Achieving the Goal of Resilience

When you think about it, the ultimate goal of cybersecurity is survival.

Surviving so that you can do business another day is much easier when you can proactively meet the challenges that come your way. Whether it’s activating your response plan when an incident happens or preventing intrusions in the first place, investment on the front end is a much more elegant use of resources and a lot less painful for everyone involved.

Uncover Your Security Gaps

It’s your job to be informed about the risks that your business faces so that you can make good decisions about how to allocate resources for their management. Thinking about cybersecurity, however, can be overwhelming. It might seem like you need to be an IT expert in order to put together the pieces of an effective defense.

Get a Cybersecurity and Risk Assessment

Knowing where you need to go with cybersecurity is much easier when you have a clear picture of where you are right now. A cybersecurity and risk assessment gives you new understanding about your vulnerability, provides recommendations for improvement, and helps you close the gaps that are exposing your business to unnecessary risk.
