Self-assessment of security ROI for SMBs

As security professionals we often get the question: "What is the return on investment of security (and compliance)?"

This is not an exact science, and of course it fully depends on the value of your assets, your current exposure and your appetite for risk. But we hope this gives a good indication of the typical annual costs a small to medium business should consider. For each question, pick the answer that matches your situation: each answer lists a typical annual cost, and the last answer lists the potential loss of doing nothing at all.

  1. Do you have a dedicated cybersecurity team or individual in charge of your cybersecurity efforts?
    1. Yes, a full team (Cost: > €100,000)
    2. Yes, one individual (Cost: €50,000 - €100,000)
    3. No, but we outsource (Cost: €20,000 - €75,000)
    4. No, we do not have dedicated cybersecurity resources (Potential Loss Cost: €100,000 - €500,000+)
  2. How often do you perform network security assessments?
    1. Monthly (Cost: €30,000)
    2. Quarterly (Cost: €20,000)
    3. Annually (Cost: €10,000)
    4. Never (Potential Vulnerability Assessment Cost: €50,000 - €200,000+ in breach remediation)
  3. Do your cybersecurity measures include endpoint protection for all devices?
    1. Yes, with advanced threat detection (Cost: €40,000)
    2. Yes, with basic antivirus and malware protection (Cost: €25,000)
    3. Only on some devices (Cost: €15,000)
    4. No (Potential Endpoint Protection Cost: High risk of device compromise leading to costs upwards of €150,000 in breaches and data loss)
  4. Are your online order systems and databases encrypted?
    1. Fully encrypted, with managed keys and regular key rotation (Cost: €30,000)
    2. Partially encrypted (Cost: €15,000)
    3. Not encrypted (Potential Data Breach Cost: €120,000 - €1,000,000+ in fines, remediation, and reputation damage)
  5. How often do you update your cybersecurity policies and training?
    1. Semi-annually (Cost: €20,000)
    2. Annually (Cost: €10,000)
    3. Every few years (Cost: €5,000)
    4. We do not have formal policies (Potential Insider Threat Cost: €70,000 - €500,000+ in damages and IP theft)
  6. Do you conduct regular cybersecurity awareness training for employees?
    1. Quarterly with updates on new threats (Cost: €25,000)
    2. Annually (Cost: €12,000)
    3. Occasionally (Cost: €6,000)
    4. Never (Potential Training Neglect Cost: €30,000 - €300,000+ in phishing and social engineering breaches)
  7. How do you manage access to your systems and data?
    1. Strict role-based access control with multi-factor authentication (Cost: €35,000)
    2. Username and password only, no MFA (Cost: €10,000)
    3. We have no formal access management (Potential Unauthorized Access Cost: €80,000 - €400,000+ in data breaches and system compromises)
  8. What incident response plan do you have in place for a cybersecurity breach?
    1. Comprehensive plan with regular drills (Cost: €40,000)
    2. Basic plan, rarely reviewed (Cost: €20,000)
    3. No plan (Potential Incident Response Cost: €50,000 - €500,000+ in operational disruption and recovery expenses)
  9. Do you have cyber insurance to mitigate the impact of cyber incidents?
    1. Yes, comprehensive coverage (Cost: €50,000)
    2. Yes, but only basic coverage (Cost: €25,000)
    3. Considering it (Cost: €0, but higher potential losses)
    4. No (Potential Cyber Insurance Neglect Cost: €200,000 - €1,000,000+ in uninsured losses and recovery costs)
  10. Are your web applications protected by a web application firewall (WAF)?
    1. Yes, with advanced rule sets (Cost: €25,000)
    2. Yes, with basic protection (Cost: €15,000)
    3. No, but we have other security measures (Cost: €10,000)
    4. No, we do not have a WAF (Potential Web Application Attack Cost: €100,000 - €600,000+ in data breaches and service disruption)
  11. How do you ensure the security of your customers' data?
    1. GDPR compliance with regular audits (Cost: €35,000)
    2. Basic GDPR compliance (Cost: €20,000)
    3. Data is secured, but no regular audits (Cost: €10,000)
    4. Unsure about our data security measures (Potential GDPR Non-Compliance Cost: fines of up to €20 million or 4% of annual global turnover, whichever is higher)
  12. Do you use a secure connection (HTTPS) for all your online transactions?
    1. Yes, always (Cost: Minimal, included in hosting/security packages)
    2. Only for sensitive transactions (Cost: nothing saved, but the unencrypted pages leave sessions and data open to interception)
    3. No (Potential Data Breach Cost: High, potentially millions depending on the severity of the breach and the value of the intercepted data)
  13. How do you manage and secure your IoT devices and other smart technologies?
    1. Regular security reviews and updates (Cost: €30,000)
    2. Basic security measures in place (Cost: €15,000)
    3. No specific measures for IoT devices (Potential IoT Attack Cost: €100,000 - €500,000+ in breaches, data loss, and operational disruption)
  14. Have you implemented a Security Information and Event Management (SIEM) system?
    1. Yes, with real-time monitoring and alerting (Cost: €50,000)
    2. Yes, but with limited capabilities (Cost: €25,000)
    3. No, but planning to (Cost: €10,000)
    4. No, and no plans to do so (Potential SIEM Neglect Cost: €60,000 - €400,000+ in delayed incident detection and response)
  15. What is the level of security compliance of your third-party vendors?
    1. All vendors are required to comply with our security standards (Cost: €20,000)
    2. Most vendors comply, but not all (Cost: €10,000)
    3. We do not assess vendor security compliance (Potential Supply Chain Attack Cost: €150,000 - €750,000+ in third-party related breaches)
  16. Do you have a disaster recovery plan that includes cyber incidents?
    1. Yes, with regular testing and updates (Cost: €40,000)
    2. Yes, but not regularly tested (Cost: €20,000)
    3. No plan (Potential Disaster Recovery Cost: €100,000 - €2,000,000+ in data recovery, operational downtime, and reputational damage)

Again, this is not an exact science, but by now you should have seen the pattern: in every question above, the potential loss from neglecting security/compliance exceeds the cost of the minimum investment that would address it.

Remember, it is not a question of IF but WHEN you will get breached. What you can do is make the attackers' work as slow and expensive as possible (ideally pushing a successful breach decades into the future) and be ready to detect and recover from it when it does happen.

Start planning your security/compliance today and find your ideal sweet spot for ROI.

Like with GDPR, don't wait until the last moment because this will only be more expensive and put unneeded stress on your teams!
