How to know if you are paying too much for security solutions, and which solutions you actually need or want.

I recently sat down with a commercial construction company to discuss their cybersecurity solutions. In this evaluation we discussed key risks that they face. First, how embarrassing would it be if your data was compromised or exposed? Second, what would it cost you per hour if you were unable to access your computers or data? Third, what personally identifiable information do you store that would need to be reported in a security incident?

The answers I got from the owner may surprise you. The concern about exposing his data was minimal. In fact, we didn’t identify any data stored locally on his systems that would require him to report a breach. His primary goal was to address the risk of downtime, and how to not miss out on his next opportunity.

When we attend industry conferences with peer companies, there are rows of vendor booths filling massive conference halls with countless cybersecurity solutions. Every vendor has a slightly different approach; many of these products are very specialized and may address only one risk component. At these conferences, vendors hold sessions on how to sell their product and increase their own businesses' profits. We have found that many of these tools are built only to create more sales: they push out a simple scan and manipulate the data to scare you into purchasing their product. This creates the problem: are you being sold what benefits your business, or an unnecessary solution you don’t need?

So how do you identify your own needs?

  • Start the conversation by identifying your risks and consequences.
  • Review your cyber liability insurance policy requirements.
  • Understand other compliance standards that apply to your industry.
  • Determine an internal policy to address the risk for a security incident. Your policy could be to accept the consequences for not putting a solution in place.
  • Identify a trusted advisor who is looking out for your best interest.
  • Ask questions about possible solutions, and other alternatives.
  • Know who the actual product vendor is and do your research (it’s not your IT provider; they purchase existing solutions).

Watch out for these common mistakes:

  • Purchasing solutions that are complicated to implement.
  • Assuming similar-sounding solutions have the same functionality (for example, EDR vs. MDR).
  • Cheap solutions may end up being the most expensive; don’t be undersold and under-protected.
  • Assuming employees will keep your business safe and secure without proper training and testing.
  • Failing to enforce multi-factor authentication (MFA) for all solutions.
  • Believing you can outsource all protection and compliance.