Is Your Company Paying More For Office Cleaning Services Than Cybersecurity Services?
“Hi. I need to buy some security.”
Unlike batteries, security isn’t something that you walk into Target to buy or a brand-new car you go pick up at a dealership. I think the least uttered phrase I’ve ever heard is “I need to buy some security.” When you are in the business of selling cybersecurity services, that really isn’t something you want to have going for you. However, it’s well past the time when organizations can view security as a ‘nice-to-have’. Because cybersecurity can be extremely complex, many business leaders fail to understand the ramifications associated with the attacks carried out by increasingly well-funded malicious actors, the increased likelihood of a breach caused by the rapid expansion of the size of an organization’s technology footprint due to today’s digital-first world, and a rapidly evolving threat environment that even some technology professionals fail to keep up with.
Additionally, cyber threats don’t discriminate by company size. From multinational enterprises to local stores, any organization that holds data is a potential target. The financial stakes have also never been higher: per IBM’s 2024 Cost of a Data Breach Report, the average cost of a data breach reached $4.8 million in 2024 – a 10% jump from the prior year and the highest ever recorded. This includes an average cost for a US company of $9.36 million, the highest globally for the 14th straight year. These breaches resulted in lost business, regulatory fines, and massive remediation expenses. Small and midsize companies shouldn’t see these numbers as abstract – for most of them, getting help can spell the difference between recovery and closure.
Some of the most alarming statistics that I’ve recently seen regarding the cybersecurity landscape include:
Nearly half of breaches hit smaller organizations. Published in January 2025, the StrongDM Small Business Cybersecurity Statistics You Should Know Report highlighted that 46% of all cyber breaches impact businesses with fewer than 1,000 employees, putting an end to the myth that a company is ‘too small to matter’.
Human error is the leading cause of security incidents. The 2025 BD Emerson Small Business Cybersecurity Statistics Report identified that a staggering 95% of cybersecurity incidents are initiated by an employee mistake (clicking a malicious email, misconfiguring a cloud setting, using weak passwords, etc.).
Small businesses likely won’t recover. Qualysec’s 52 Small Business Cyber Attack Statistics for 2025 states that given the lack of resources to recover, 60% of small businesses that experience a cyberattack go out of business within six months, with the average cost of a data breach to a small business being $120,000.
With statistics like those, I’m sure the key to this lock doesn’t say ‘Do Not Duplicate’ on it.
The most glaring themes that stood out to me in the statistics presented in these reports were 1) that many of these threats can be avoided by implementing basic cybersecurity hygiene and 2) that the frequency with which small and medium businesses face cyber threats makes it virtually impossible for them to respond to each of them, given their lack of resources.
I HATE selling. When I was deciding whether I wanted to start this company, one of the things that initially held me back was determining whether I could convince small and medium-sized businesses to invest in cybersecurity, given the capital constraints that most of these companies face. However, once I got into meetings with these business owners and leaders, it became evident that there were fundamental things we could do that wouldn’t cost them nearly as much money as they were thinking:
Writing and updating cybersecurity policies – Per the above-mentioned Qualysec report, 80% of small businesses don’t have a cybersecurity policy. I can draft a set of cybersecurity policies, based on the framework or regulatory requirements of your choice, within 2 weeks – and I don’t charge an hourly rate; it would be a flat fee.
Employee Cybersecurity Awareness Training – With human error initiating 95% of data breaches incurred by small businesses, I won’t leave a potential client’s office without them agreeing to allow me to conduct awareness training. To quantify this risk for you, cybercriminals send out 3.4 billion phishing emails every day. I have already created most of these training materials; I will add some content specific to your organization and industry, and record the session to allow employees to watch it in the future. And as new threats emerge, I’ll update and deliver training to reflect these changes. Most of you have enough cash in your wallet to pay for this service.
User ID and Access Assessment – 30% of small business data breaches occur as a result of stolen user credentials. Most small businesses don’t utilize multi-factor authentication, nor are they monitoring for failed access attempts, so it’s easy for the bad guys to compromise an account via brute force attacks. Even easier, they can just find your credentials on the Dark Web. To give you a real-life example of how prevalent this is, I identified over 500 user IDs and passwords on the Dark Web for two potential clients. A review of your user accounts and password policies is something I could do in one day, while simultaneously scanning the Dark Web for your information. Because multi-factor authentication is such a critical control, I’d work with you to prioritize getting this implemented as quickly and cost-efficiently as possible.
Third-party Risk Management – Most small businesses outsource nearly all their IT services. While 85% of small businesses outsource IT services, only 40% do anything to vet their provider’s cybersecurity practices. Before you sign a contract to procure any software or any IT services, let me review it and provide you with a list of items to challenge your potential vendor on. Additionally, I’ll review deliverables periodically provided by your third-party providers that are intended to demonstrate their ongoing compliance with their contractual obligations. I can easily review a contract in a day. It might take me a couple of days to review the monthly service packs they provide you with (depending on how much data they even report).
Has anyone ever really high fived in the office?
The stakes are too high for cybersecurity protection to be viewed as a luxury anymore. Small businesses spend on average $2,000 per year on cybersecurity software. This is not nearly sufficient in today’s threat environment. I know that reaching out to big consulting firms for help is daunting and that you may end up buying more than you need. That’s why you have another alternative.
Malcom Risk Advisors wasn’t formed to become the next brand-name security company. We are here to provide you with retained access to cybersecurity executives for half of what you’d pay an incoming security analyst. Malcom Risk Advisors works with business leaders that we know and trust. These leaders understand the impact a cyber-attack could have on their businesses and have been able to increase their security posture by spending less money than what they typically pay their cleaning crew each month. No one wants crumbs on their lobby floor, but shouldn’t we invest the same level of care in ensuring our systems stay up and running and that our data is protected? Reach out to Malcom Risk Advisors as we possess the flexibility to provide you with affordable, expert-level cybersecurity services. And unlike bugs on your carpet, bugs in your IT systems could put you out of business. Let’s work together to prevent that!