How Much Does a Cyber Security Assessment Cost?

Nerds On Site
Article Written By Matthew Kirkland



Are you looking for a way to improve your company’s cyber security but don’t know where to start? Well, look no further! A cyber security assessment is a perfect way to identify your company’s strengths and weaknesses when protecting your data. But how much does one cost? Keep reading to find out!

About Us

Nerds On Site is a Managed Security Service Provider (MSSP) with over 25 years of experience. Founded in 1995, we expanded to become a global player in the Managed IT & Cyber Security space, serving over 10,000 Clients each year.

This article will cover our services, costs, and recommendations only. None of our Clients who have implemented our Secure Access Service Edge (SASE), Zero Trust (SME Edge) & other recommended solutions have ever experienced any network-related ransomware or data breach events. Our SME Edge software protects over 2 million devices globally.

How much does a cyber security assessment cost?

The answer is that it varies. Cyber security assessments come in all shapes and sizes, as do organizations.

Security Risk Assessment (Cyber Security Snapshot)

(High-level non-invasive assessment & presentation)

  • Existing Clients (0-499 staff) – Free
  • Organization Size 0-99 – $399
  • Organization Size 100-499 – $799 (includes multi-office & remote support)
  • Organization Size 500+ – Request a quote

Center for Internet Security (CIS) Security Risk Assessment

(Invasive, not recommended unless you have a confirmed breach event and require network forensics, or it’s necessary for a designated or government body)

If your network is currently compromised, Framework Assessments are potentially dangerous and could trigger a ransomware event.

According to IBM’s Cost of a Data Breach Report 2021, the average time to detect a breach is 287 days.

Actions taken during the Framework Assessment would not be seen as normal behavior to someone monitoring the network and would typically indicate the presence of a professional IT security team.

Before any Framework Assessment, we recommend SASE Zero Trust implementation to protect the network from any existing malicious infrastructure communicating with C2 (Command & Control) centers, stopping a “kill signal” that would trigger ransomware events.

Cyber Security Framework Assessment cost: Request a quote.

What is included in a typical cybersecurity risk assessment?

Cyber Security Snapshot

We have created our own framework based on the CIS 20 Critical Controls. This is a high-level overview that will provide you with an understanding of your organization’s current cyber security posture and what needs to be done to improve it.

The Cyber Security Snapshot covers:

  • Network
  • Data
  • Devices
  • Identities
  • Awareness
  • Insurance
  • Dark Web
  • Email & Web

Our primary focus during the assessment will be critical infrastructure, device management, update management, cyber security culture, and policies & procedures.

We specialize in providing our results in plain business English, avoiding any overly technical jargon. Our presentations have been proven to be digestible by executives at large organizations and Small Office, Home Office (SoHo) business owners.

We will make recommendations to improve your business’s security posture during the final presentation. Recommendations will be based on Nerds On Site’s solutions or companies we have partnered with and have a proven track record of delivering results in the cybersecurity space for our existing Clients.

CIS Security Risk Assessment

The Cyber Security Snapshot will provide the insights and recommendations necessary to become secure for most organizations. Some organizations may require a full risk assessment; for example, post-breach, you may want to consider a full assessment to lay the groundwork for a future audit schedule.

The security assessment cost will depend on the size of your organization, the number of devices, and the current state of your network architecture.

The CIS Security Risk Assessment covers the following:

  • Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
  • Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats.
  • Evaluating the Risks: Estimate the expectancy and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
  • Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.
  • Evaluating Recommended CIS Safeguards: Risk-analyze the recommended CIS Safeguards, to ensure that they pose acceptably low risks without creating an undue burden.

Pre-determined risk factors will be categorized into one of five categories:

  1. Negligible
  2. Acceptable
  3. Unacceptable
  4. High
  5. Catastrophic

These risk categories will be associated with a potential risk cost, ranging from $0 to $100,000, with Acceptable being up to $10,000 and Catastrophic being any possible risk cost over $50,000.

Organizations may also define expectancy of risk, with expectancy scores defined as:

  1. Not foreseeable
  2. Foreseeable but unexpected
  3. Expected but not common
  4. Common
  5. Could be happening now

CIS Controls & Safeguards and an execution plan will be provided and executed over a predetermined period, along with a regular audit schedule monitoring results.
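The steps above (estimate expectancy and impact to arrive at a risk score, decide whether each risk is acceptable, then re-score the proposed Safeguards) can be carried out over a small risk register. The following is an added example written in the style of the CIS Risk Assessment Method (CIS RAM); it is not Nerds On Site's tooling or the CIS reference workbook. The five impact labels, the five expectancy labels and the $10,000 / $50,000 boundaries are taken from the article; the $1,000 and $25,000 band cut-offs, the "impact × expectancy" scoring, the acceptance threshold of impact 2 × expectancy 2, the sample assets and costs, and the mapping of each risk to a CIS Controls v8 Safeguard number are all assumptions made for illustration.

```python
"""Risk-register evaluation modelled on the CIS Risk Assessment Method (CIS RAM).

Added example, not the assessor's own tooling. The five impact and five
expectancy labels and the $10,000 / $50,000 boundaries come from the article;
every other number here is an assumption chosen for illustration.
"""
from dataclasses import dataclass

IMPACT_LABELS = {
    1: "Negligible", 2: "Acceptable", 3: "Unacceptable", 4: "High", 5: "Catastrophic",
}
EXPECTANCY_LABELS = {
    1: "Not foreseeable", 2: "Foreseeable but unexpected",
    3: "Expected but not common", 4: "Common", 5: "Could be happening now",
}

# Upper bound (inclusive, in dollars) of each impact band below Catastrophic.
# The article fixes only two points: Acceptable reaches $10,000 and anything
# over $50,000 is Catastrophic. The $1,000 and $25,000 cut-offs are assumptions.
IMPACT_BANDS = [(1_000, 1), (10_000, 2), (25_000, 3), (50_000, 4)]


def impact_category(potential_cost: int) -> int:
    """Map an estimated breach cost to the 1..5 impact category."""
    if potential_cost < 0:
        raise ValueError("cost must be non-negative")
    for upper, category in IMPACT_BANDS:
        if potential_cost <= upper:
            return category
    return 5  # over $50,000: Catastrophic


def risk_score(impact: int, expectancy: int) -> int:
    """CIS RAM style score: impact x expectancy, each on a 1..5 scale (assumed combination)."""
    if not (1 <= impact <= 5 and 1 <= expectancy <= 5):
        raise ValueError("impact and expectancy must be in 1..5")
    return impact * expectancy


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    potential_cost: int       # estimated cost if the breach occurs (dollars)
    expectancy: int           # 1..5, per the article's expectancy scale
    safeguard: str            # proposed CIS Safeguard (illustrative mapping)
    residual_cost: int        # estimated cost once the safeguard is in place (assumption)
    residual_expectancy: int  # estimated expectancy once the safeguard is in place (assumption)


# Constructed sample register; assets, costs and estimates are made up.
SAMPLE_REGISTER = [
    Risk("Finance file share", "ransomware after credential phishing",
         80_000, 4, "CIS 6.3 MFA on exposed apps + 11.2 automated backups", 8_000, 2),
    Risk("Public web server", "exploitation of an unpatched CMS",
         30_000, 3, "CIS 7.4 automated application patching", 30_000, 1),
    Risk("Staff laptops", "lost device with encrypted disk",
         500, 3, "CIS 3.6 end-user device encryption (already in place)", 500, 3),
]


def evaluate(risks, acceptable_impact: int = 2, acceptable_expectancy: int = 2):
    """Score every risk, apply the acceptance criterion and re-score the safeguarded state.

    The criterion follows CIS RAM: a risk is acceptable when its score does not
    exceed acceptable_impact * acceptable_expectancy. The article names impact
    category 2 as "Acceptable"; pairing it with expectancy 2 is an assumption.
    Returns a list of dicts sorted from highest to lowest inherent score.
    """
    threshold = risk_score(acceptable_impact, acceptable_expectancy)
    rows = []
    for r in risks:
        impact = impact_category(r.potential_cost)
        score = risk_score(impact, r.expectancy)
        residual_impact = impact_category(r.residual_cost)
        residual = risk_score(residual_impact, r.residual_expectancy)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "impact": impact,
            "impact_label": IMPACT_LABELS[impact],
            "expectancy_label": EXPECTANCY_LABELS[r.expectancy],
            "score": score,
            "acceptable": score <= threshold,
            "safeguard": r.safeguard,
            "residual_score": residual,
            "residual_acceptable": residual <= threshold,
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def still_unacceptable(rows):
    """Assets whose proposed safeguard does not bring the risk within the criterion."""
    return [row["asset"] for row in rows if not row["residual_acceptable"]]


if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        flag = "OK " if row["acceptable"] else "!! "
        print(f'{flag}{row["asset"]:<20} {row["impact_label"]:<13} x {row["expectancy_label"]:<27}'
              f' = {row["score"]:>2}  -> after "{row["safeguard"]}": {row["residual_score"]}')
    print("Needs a stronger safeguard:", still_unacceptable(evaluate(SAMPLE_REGISTER)) or "none")
```

The residual re-scoring is the part that matters in practice: a Safeguard that only lowers expectancy (patching the web server) can still leave a high-impact asset outside the acceptance criterion, which is why step five of the assessment re-analyzes the recommended Safeguards rather than assuming they close the gap.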

Who should get a cyber security assessment

Any organization that wants to understand its current state of cyber security and what needs to be done to improve it.

Cybercriminals certainly target specific organizations and government entities, but, for the most part, we categorize their actions as opportunistic.

Businesses that are proactive in their cybersecurity strategy are far less likely to be victims of cybercrime than those that do not allocate the appropriate resources.

According to Deloitte Insights, Reshaping the Cybersecurity landscape, the average business spend per employee on Cyber Security in North America is $2,691 per year.

Note this cost includes Fortune 1000 companies and may not be representative of small and medium-sized enterprises in Canada & the USA. In our experience, complete operational cybersecurity can be achieved with a smaller budget.

Organizations that want to prepare for a future audit schedule.

Before an audit schedule is implemented, an assessment is required to determine any vulnerabilities in your infrastructure, policies, or culture.

A cybersecurity risk assessment will provide indicators on the what, where, and why relating to your cybersecurity posture.

Post-breach, an assessment can help lay the groundwork for your organization’s recovery plan.

Post-breach is, unfortunately, when most SMEs start searching for cyber security solutions. Security risk assessment is always the first step to identifying existing security vulnerabilities and laying the groundwork for remediation.

Organizations preparing for a cyber insurance policy or a renewal

Nerds On Site works closely with insurance brokers in the United States. 2022 has been challenging for organizations looking to renew their policy, as cyber insurance underwriters have become stricter.

As part of the application process for a policy, most underwriters will either require an organization to have existing security infrastructure and procedures in place or request a security risk assessment. The report will help determine if the Client is insurable, the premium, and any necessary exclusions for the policy.

As a bare minimum, insurers are requesting enforced multi-factor authentication (MFA) and endpoint detection & response (EDR) software.

How often should you get a cyber security assessment?

Assessments do not need to follow a regular schedule; they should be completed when setting up a cyber security plan and an audit schedule.

Security audits should be completed on a quarterly or annual basis, depending on the size of your organization and how quickly your network changes.

What is the difference between a cyber security assessment and an audit?

An assessment will provide you with an understanding of your organization’s current security state and what needs to be done to improve it. An audit will be conducted on a quarterly or annual basis and will verify that the recommendations from the assessment have been put into practice and are still effective.

What are the benefits of getting a cyber security assessment?

As mentioned above in the article, cybercriminals are primarily opportunistic. They will cast a wide net via attacks like phishing or vulnerability scanning and follow up on any networks they can exploit.

When cybercriminals find a target, they will not look at a map to check if the target is in their country or not. The same goes for most hacking tools and techniques – they do not discriminate.

Organizations that take the first step toward establishing a cyber security posture by completing a cyber security risk assessment will understand the risks they may be exposed to and the actions needed to remedy them.

Security Assessment Cost Conclusion

I hope this article has provided value for you and your organization in understanding the security assessment cost. If you would like to know more about our risk assessments and how your organization can utilize a security assessment to improve your data security, contact us about our cyber security snapshot today.
