What Price Cybersecurity - Part 2 "Your Costs May Vary"
How much Does it Cost?

Many Approaches, Many Pricing Models

There are several strategies one COULD take to get a compliant cybersecurity system (or infrastructure), but ultimately it will come down to a cost/benefit decision by management. Knowing what's 'out there' is key to selecting a strategy that meets your individual needs. It is Market Research 101 from a contracting perspective.

In that regard I shall share some of my experiences in the cybersecurity enhancement process from the standpoint of a VERY SMALL (micro) business located well to one side of the continuum. The idea? Provide a data point for comparison that others may use. Am I typical? NO! Do I represent what the average small business will do to meet FAR 52.204-21 requirements? If you delete my client-facing software (not needed by most other businesses, with the possible exception of using the collaboration platform as an alternative to Office 365), then perhaps so. This is just one very personal look at the issue, but a perspective that home-office professionals may be considering. If that is the case, I hope my experiences help.

Over the past year I have dug deep into the various requirements, overcome the Tyranny of the Cybersecurity Lexicon and spent countless hours (and dollars) modifying my network and communications strategy to adapt first to Cyber, then to COVID. My network today is much changed from what it was back then ... but in my mind (thanks to the NIST Self Assessment Handbook HB 162 and a companion Excel workbook from my friendly local Procurement Technical Assistance Center (PTAC)) I feel that I am compliant with FAR 52.204-21 and could (with some additional documentation) attain CMMC Level 1.

We attack such issues (cybersecurity) with an enthusiasm and highly undeserved confidence - after all, "what could go wrong"?

But two things need to be considered about the preceding statement:

  1. Just because I did it doesn't make my solution the best, most economical, or compliant solution out there.
  2. The cost of my time far exceeds the cost of having an expert come in, set things up, and give me an invoice. I knowingly spent hundreds of hours as an investment in learning rather than taking a less expensive route to meeting the requirements.

The 'in-house' solution

This week I'll address what was my knee-jerk first reaction to the cybersecurity issue. I'm a computer 'geek' and admit it. It started in the Air Force chasing ones and zeros around avionics systems and morphed into home computers in the early 1980's. I was the Subject Matter Expert for the computer and electronics on several letter sorting systems - to the point where I engineered detailed and intricate testing programs for the printed circuit boards they used. Like my peers who grew up in the 1950's, my generation takes a 'do it yourself' point of view with everything from home improvement to hot rods.

But, unless your company is of a certain size and generates a sufficient volume of revenue to cover the expenses of a 100% in-house solution, you may find fulfilling the 110 NIST SP 800-171 requirements to be a crushing load. Yes, there are hybrid solutions that can help, but the cost of just the people to staff the cybersecurity solution will easily run well over $100,000 per year per person once all fringe benefits, overheads, and general and administrative costs are considered. In certain locales that number is easily 50% more.

Self Assessment

The cost of doing the self assessment CORRECTLY, documenting the results, doing the gap analysis, identifying the remedial actions required, and setting up the plan to address them is significant. Fortunately there are analysts who can help or companies like Core Business Solutions that can offer hybrid on-line and in-person assistance to do the analysis, write the security plan, and get you on your way to compliance.

My approach ... part of the DIY mind set was to work with my colleagues at the local Procurement Technical Assistance Center (PTAC), get a copy of the aforementioned NIST HB 162 and slog my way through the requirements. As I did so there was a fair amount of internet research involved, as I had to familiarize myself with not just what the various requirements said ... but what they actually meant.

I used an Excel template based on HB 162 that PTAC offered me, and the result was a pretty comprehensive analysis and a clear road-map of what needed to be fixed. This assessment was then elevated to the status of a compliance worksheet/log, and I updated it as each requirement was addressed.

Filling the Gaps

With the self-assessment in-hand I began chipping away at the hardware, software, and services required to implement the corrective action plan.

Note: The solutions selected and the costs identified are for general informational purposes and do not represent an endorsement of any product or service. The costs are based on out-of-pocket expenses incurred, and others may find better or less expensive alternatives.

  1. Servers. In my case that meant upgrading my servers (long past due) to more modern equipment that offers such things as a silicon root of trust, which (according to HPE) ... "protects against firmware attacks, detects previously undetectable compromised firmware or malware, and helps to rapidly recover the server in the event of an attack." Those new servers were outfitted with Windows Server 2019 Standard Edition and placed behind a nice new commercial-grade firewall. My servers are relatively modest (HPE MicroServer Gen10 Plus) units scaled for my network (less than 50 users with no more than 10 accessing network resources at a time). I have two of these servers; I probably need a third. Cost per server averaged $2,500 with 32GB memory, Xeon processor, 4 x 2TB drives, iLO 5 lights-out management, and Windows Server 2019.
  2. Firewall and Endpoint Security. Protection was added in the form of a commercial-grade firewall (SOPHOS XG85) sized for my rather small (10 simultaneous, 50 total) user load. The firewall was enhanced with SOPHOS firewall security software and endpoint software for my servers and workstations (including laptop) to guard against malicious code. Cost ... firewall hardware, software and configuration $1,100. Endpoint security for servers and workstations was extra.
  3. Software. My software needs were pretty standard with Windows 10 Pro, Office 365, and some more focused apps for my primary workstation. The two servers host client-facing apps - one for project management & scheduling (Celoxis) and one for collaboration (OnlyOffice). Total license costs for the first year (17 users Celoxis/50 users OnlyOffice) ... $8,000 - $10,000. As stated above, these two programs are unique to my business model ... most small businesses won't need both but could benefit from one or the other ... especially project- or team-focused entities. Both offer cloud-based SaaS versions, but I elected to self-host (a more capital-intensive choice) to keep the servers based in the U.S. and maintained by a "US Person".
  4. Moving my public-facing website off-site to a cloud server. This was risk-based, since the website seemed to represent the largest target for a bad actor. My client-facing and business network are on a separate domain, and that domain name is not published or advertised.
  5. Secure conferencing application and improved webcam/microphone. This solution was quite inexpensive (roughly $400/year for the conferencing app) and about the same for a high-quality 4K webcam and Yeti Blue microphone. These have been used extensively during COVID and are a highly recommended solution for anyone spending lots of time on Zoom or GoToMeeting.
  6. Configuration and fine tuning. Then came the fun: configuring all the myriad settings of this 'solution' to make it work together effectively and efficiently. Roughly 40 hours at $200/hour.
  7. Certificates and security tokens. One of the more surprising costs was that of obtaining secure encryption keys for my network. For my business (two domains) it was $800 for two years for the SSL certs. The S/MIME certificate for my email was cheap in comparison at $25. Of interest here are the YubiKey security tokens, which add a second (physical) factor to the secure login process by requiring the device to be present to encrypt your plain-text password to match the encrypted value used to gain system access.
  8. Back-ups. I use RAID 5 devices comprised of 5 (relatively) low-cost hard drives in an external chassis as either network attached storage (NAS) or direct attached storage (DAS) or both to back up my servers. I had these on hand, so their cost wasn't included in my network enhancement program. What was a cost (albeit minor) was obtaining cloud storage for 2TB of essential business information. Why both? Fire, flood, theft ... all significant concerns.

Operations and Maintenance

This is the cost of running the system, monitoring compliance, fixing issues and reporting incidents. In the process of doing this came several 'ah-ha' moments and the need/desire to enforce multi-factor authentication. Cloudflare for Teams has really stepped up to the plate for small businesses and workgroups by offering a free version for up to 50 users and made this requirement pretty easy ... how welcome!

I could go on and on about my personal adventures in cyber land - and that's simply getting to the LOWEST tier at what would ultimately be a 'basic' level of certainty/compliance. In doing so there are some lessons learned applicable to small(er) businesses that I would like to share.

Lessons learned from doing it myself.

  1. It's not fast, it's not easy, and it's not cheap. The costs of compliance for the self-hosted, do-everything-in-house solution probably only cross over from a net loss to revenue neutral at a much higher level of activity than this one-man-band consultancy will ever see.
  2. There are some positives to doing the whole in-house network cybersecurity enhancement regime, including heightened awareness of cyber threats, developing and instilling good cybersecurity practices, and identifying the risk footprint of my company and individually plugging those gaps.
  3. Moving up the scale from the most basic (FAR 52.204-21) level to more advanced levels - including CMMC Level 1 and then CMMC Level 3 - is not economically viable under the present circumstances.
  4. There comes a time when you will have done all you can (and probably should) do and it is time to seek expert assistance.

Which brings me to a convenient segue into part three of the series (stay tuned), where I will look at various hosted solutions or managed services that offer an alternative to my hard-headed do-it-myself approach.

If this sounds like I may have taken the wrong approach, then consider adding the cost of a couple hundred hours of my time (at my billing rate) to the mix, and the cost proposition is not one I'd approve or ask others to undertake. That said, there will be a lot of folks with a similar attitude and rather low threshold requirements who won't need my client-facing software and only want to 'batten down the cybersecurity hatches' and improve their own cyber hygiene. To them I say (as John McClane in Die Hard) "Welcome to the party, pal ..."

Marlys N.

MBA, SPC, PMP, CPCM, NCMA Fellow, PN2 Certified Coach, ACE PT/Ggx, Weight management coach

3 years

really great info, thanks Don.

Sy Khan

Leading global digital #airspacesecurity awareness for Dedrone. Aligning industries around #CsUAS. Exploring #futurism via #science and #technology.

3 years

Thank you for sharing. The fact that the author has come this far for 171 implementation on their own is nothing short of heroic. We have to remember that the DIB is under attack by sophisticated foreign entities, not some high schooler trying to impress their crush. And on the receiving end of this Advanced Persistent Threat (APT) are average citizens with no skills, resources or training in countering the threat. In such instances we expect a federal government agency to provide money, materials and personnel. Just like we would, if our border towns were invaded by foreign armies. But in CMMC’s case, while the government has built a robust blueprint for protection, it hasn’t provided any money, personnel or resources to the DIB. Blueprints and maps alone can’t protect kinetic or cyber. CMMC is costly and sophisticated because the threats are sophisticated. The SMBs in the DIB aren’t alone responsible for fighting them off. Imho the situation really is this simple. The DOD could work with Congress to pass tax incentives, for instance. They could cover some controls by providing scanning or hardware tools. Lots of ideas available to them. I think we can totally do this.

Jenny W Clark

The Oprah of Federal Contracting at Solvability, Inc. Founder of GovConSummit, a virtual accelerator network for small businesses in federal contracting, especially veteran entrepreneurs who hire veterans.

3 years

Donald Shannon - you've leveraged the resources of your PTAC - and we are so lucky to have that network resource! You've also pointed out that it's merely a starting point. "But, unless your company is of a certain size and generates a sufficient volume of revenue to cover the expenses of a 100% in-house solution you may find fulfilling the 110 NIST SP 800-171 requirements to be a crushing load." There are so many companies that are below that certain size. They need to be spending 100% of their time right now on executing current work, bidding for identified opportunities (many of which have slid to the right) and determining their strategy despite all the unknowns of how COVID response will impact their business base, their employees and their future. No question that CMMC is needed. What we're all seeking is resources that give choices - that educate without requiring that we're studying all weekend trying to juggle the "day job" of running a business and the challenges of home schooling, concern about aging parents and how to keep ourselves well. Thank you so much for this analysis. Wendy Romeu, PMP Mark Bigelow Leslie Weinstein Sayam “Sy” Khan Scott Edwards Michael Semmens Michael Valdez Sanders Curtis Taylor Vernon Green Jr.
