How Much Does a Security Risk Assessment Cost?

Security attacks are constantly evolving and becoming more prevalent. As a result, protecting your business’s IT environment from malicious attacks is increasingly important. 

During The KR Group’s Purple Team Hive Assessment, advisers will perform a security assessment to look at the offensive and defensive posture of your IT network.

One way to do this is to hire an IT company to perform a comprehensive security assessment. The best security assessments use software and manual investigation to find vulnerabilities in your IT system and identify risk reduction solutions.

Here at The KR Group, we work with companies who could benefit from this type of assessment, and the top question we get asked is, “How much does it cost?” 

The answer to that question depends on your company’s needs, but in general, there are five components that affect the price of a security assessment. 

  1. You’ll pay a base price for the actual security assessment. 
  2. Additional sites increase the cost of a security assessment. 
  3. Customer cooperation can play a role in security assessment pricing.
  4. The price of security assessment excludes the cost of risk reduction measures.
  5. Yearly security assessment reviews are an additional fee.

In this article, we’ll explain how these affect the cost and show you how the KR Group’s Purple Team Hive Assessment is priced, starting with the base price.

1. You’ll pay a base price for the actual security assessment. 

The base price of a security assessment encompasses all of the services provided in a security assessment.

A security assessment looks at more than a dozen components of your IT environment, including DNS risk assessment, firewall capabilities and practices, disaster recovery policies, vulnerability scans, and more. 

The security assessment will also include a phishing exercise, which tests if the security adviser can lure your users to engage with fake malicious emails and provide confidential information. 

Also included in the base price of a security assessment is project management and the creation and presentation of the report from your security adviser’s discoveries.

The base rate is priced per user — every employee who has access to your company’s technology. 

If you opt for a Purple Team Hive Assessment, the base fee starts at a minimum of 200 users at around $75 each. Users 201 through 250 are also billed at an average of $75 each. User #251 and beyond cost $15 each.

You should consider the per-user fee as an estimate when calculating the price of a security assessment, though. Pricing can fluctuate up or down based on the complexity of your IT environment as well as the following factors. 

2. Additional sites increase the cost of a security assessment. 

If your business operates out of one central location, the base price should cover your security assessment expenses. 

If you have more than one location, though, your security adviser will charge you more per site. 

More sites require more work. The security adviser will have to travel to each location and repeat the assessments that the base fee covers for the first site.

Each additional site after the first can add $700 or more to your overall security assessment cost. 

This fee and the base fee cover the charges related to security assessment services. Your security adviser should calculate the security assessment cost — the exact base fee plus applicable site fees — for your specific company and include it on the statement of work they’ll present to you.

The next three points are situational. They aren’t listed in the quote for a security assessment, but they could affect your total price or be additional charges outside of the actual security assessment.

3. Customer cooperation can play a role in security assessment pricing.

Cooperation is crucial to the on-site portion of a security assessment.

Your cooperation is imperative to having the security assessment go smoothly. There are three common ways you could increase the price of a security assessment beyond the charge listed on your statement of work.

  1. You’re late turning in your environment information form before your security assessment.
  2. Your network connectivity slows down the security adviser.
  3. You miss on-site appointments during the security assessment process.

How much each situation will impact the project cost depends on the individual situation. Your security adviser should disclose these scenarios and that they can impact cost in their statement of work. 

A. You’re late turning in your environment information form (EIF).

To begin a security assessment, your security adviser needs to know some basic facts about your IT environment. You’ll need to fill out and return an environment information form. This tells your security adviser what hardware and software you have and provides the credentials to access your network. 

If you’re late turning in the EIF, it could increase your security assessment price since it delays the security assessment and prolongs the project.

B. Your network connectivity slows down the security adviser.

No one likes working with a slow Internet connection. It makes you less productive and more frustrated. 

Your security adviser will be on site for portions of the security assessment. If they can’t access your Internet connection, or the connection is slow, they’ll spend more time on the assessment. That means the project will take more time, which can increase the projected cost.

C. You miss on-site appointments during the security assessment process. 

While much of the security assessment is completed remotely, the security adviser will need on-site access for portions of the assessment. 

When your security adviser schedules their on-site time, they’ll coordinate with your schedule to ensure they’re able to perform the checks that need on-site access.

If you’re unavailable, closed, or can’t accommodate the security adviser when he or she needs to be on-site, though, you’ll delay the security assessment process.

If you miss the appointment or have to reschedule it, you could increase the total project time and, as a result, the cost of your security assessment. 

While these factors can increase the price of a security assessment, it’s uncommon for them to be an issue. These factors are also explained in the statement of work you’ll receive before services. 

4. The price of security assessment excludes the cost of risk reduction measures.

A good security assessment identifies your vulnerabilities and lists resolutions for them. 

A reputable security adviser will avoid sales strategies focused on the purchase of new hardware or software to address all your vulnerabilities, though.

For example, if they discover you’ve had a lapse in a subscription-based service (such as a Cisco Smart Net agreement), they’ll recommend renewing the service. They won’t, however, push their Cisco services on you.

In this example, the cost to renew Cisco Smart Net won’t appear on a bill for a security assessment. That doesn’t mean you won’t have to pay for the service, though. It’ll just be billed by whatever Cisco partner you go through to purchase Smart Net.

In short, the price to address your security vulnerabilities is not included in the price of a security assessment.

5. Yearly security assessment reviews are an additional fee.

The original security assessment will tell you what you need to fix and help you find priorities to improve your security posture. 

While you’re busy addressing the problems laid out in your security assessment report, the threat landscape continues to evolve.

To make sure you’re staying current with security practices, your security adviser may recommend inviting them back once a year. During the annual review, they’ll review your IT network, address new vulnerabilities in your system, and set new goals for the next year.

There is a 10% discount for repeat assessments, but this cost isn’t included in your original security assessment price. 

A security risk assessment can protect your data and give you peace of mind.

What can you expect to spend on a security assessment?

Before you factor in an annual review and paying to address your vulnerabilities, the minimum you can expect to pay for a security assessment is $15,000. This cost covers companies with 200 users or fewer and is where The KR Group generally starts our pricing.

If you opt for a repeat assessment of your 200 users in a year, you can expect to pay at least $13,500. 

The price for an initial security assessment would increase to $22,500 or more for 500 users, assuming you’re operating on one site. Your annual review would cost around $20,250.

If you have 500 users spread across five sites, the total price of the first security assessment would increase to more than $25,300 with site fees. You’ll pay around $23,000 for next year’s security review. 

Keep in mind, these figures only cover the actual security assessment, not the price of the solutions to the problems it identifies.

When digesting the estimated costs of security assessments, we encourage you to think of the cost of doing nothing, though. Paying for a security assessment can prevent you from losing years of data if there is a security breach. 

If you handle sensitive information, doing nothing and losing information could also mean paying fines and fees associated with losing confidential data. 

The cost of losing or compromising your business’s data easily pales in comparison to the cost of a Purple Team Hive Assessment and the peace of mind that you won’t be at risk of losing your work and customer information.

To learn more about how comprehensive our security risk assessment is, download our free timeline!
