The 3 C’s of Cybersecurity: why investing is in the best interest of your business


If you’re like most people, you might not know exactly what cybersecurity investment means. It may seem overwhelming, expensive, or just unnecessary, depending on your business. Read on to learn more about the key reasons investing is the right decision for you and your business. Working with a managed service provider (MSP) like SUCCESS is one of the first steps to protecting your company’s data.


On average, businesses spend around three percent of their revenue on IT and cybersecurity, although that can vary depending on the size of your business and what kind of data you have to protect. Because this research represents both mature and immature companies, if you aren’t spending at least three percent, you’re probably underspending. The price of cybersecurity may seem like an extreme or overwhelming expense. However, the real cost can be much more detrimental to the sanctity of your business if you don’t have the proper security measures in place. This can leave your information and your clients’ information at risk of being stolen in a cyber-attack.

“The goal is to protect your business. You work hard to get your top line and your bottom line to a certain place, and one incident can destroy that,” Brandon Nohr, SUCCESS Computer Consulting’s Chief Technology Officer, explains. “You have to ask yourself how much you would be willing to pay to protect your business. How much would you be willing to invest to mitigate that risk significantly?”

Cyber Insurance

You may think because you already have cyber insurance, you don’t need to pay more to hire an IT or managed service provider. Nohr argues, however, that couldn’t be further from the truth.

“Insurance is your last line of defense against a breach,” Nohr says. “It is the financial safety net, but insurance typically doesn’t cover an entire breach. That is, it is only covering certain pieces of it, and you have to make sure you have enough insurance. Especially with ransomware and ransom costs continuing to rise.”

And rise they have. According to the Gallagher Cyber Market Conditions Report, in the first six months of 2021 alone, $590 million was paid in ransom payments, a staggering increase from $416 million paid in 2020. The report also states that the average downtime following a ransomware attack was 23 days, which can mean almost a month of interrupted business and loss of income. And depending on your insurance policy, not everything is guaranteed coverage in the event of a cyber-attack.

You can eliminate additional fees associated with resolving a data breach altogether by being proactive.


Since your business may be responsible for complying with regulations such as HIPAA, PCI, etc., what Nohr recommends is that, instead of trying to manage around those compliance regulations, businesses should start with good security and then work to make adjustments where necessary.

“We believe, and this is actually contrary to a lot of our competitors, that you should focus on good security and then manage to the gaps of compliance,” he says. “This is much easier to do than managing to compliance and calling it ‘secure’ or managing compliance and security at the same time. Start with what good security looks like. Then if there are gaps between a good framework and your compliance then you manage that.”

Narrowing your business’s focus to establishing a foundation built on good cybersecurity can greatly reduce the risk of having to explain to your customers and clients their data has been stolen, which can strengthen their trust in you and your services moving forward.

A more in-depth look at SUCCESS’s guide to navigating issues of compliance can be found here.

So where do I begin?

It’s important to recognize there is no one-size-fits-all approach when it comes to cybersecurity. SUCCESS has laid out important questions to ask your IT provider to help you get started:

  • Are you following a framework?

This question is especially important since, according to Nohr, a framework is the first step to establishing good cybersecurity. And if you’re unsure what framework is right for you, SUCCESS recommends starting with one such as CIS Controls, which is easily understandable to business owners new to cybersecurity and helps to prioritize the needs of the business.

  • How do you prioritize investments?

A framework is the first step to establishing good cybersecurity practices. You should also consider what is most important to your IT provider and how it relates to your business. Depending on your specific needs, your priority may fall to either compliance or insurance, with insurance more of a primary concern as the number of cyberattacks rises. Understanding your IT provider’s method of prioritizing can assist in knowing where to manage the gaps between what they offer and what you need.

Ready to take the first step to investing in cybersecurity? Contact SUCCESS Computer Consulting for a prioritized cybersecurity roadmap aligned with industry best practices.