Article 5 of 5
Applied to Our Three Michigan SMB Profiles
The Question Every Michigan Business Owner Is Actually Asking
By the time a business owner finishes reading the first four articles in this series, they have done something most of their competitors have not: they have accepted, mathematically, that a breach is not a hypothetical. They know their annual probability. They know what the first 72 hours of a ransomware incident look like for a firm with a plan versus one without. They know that their employees are simultaneously their most significant vulnerability and their most trainable line of defense.
And then comes the question that always follows the data.
Okay. What do we actually buy? And how much do we spend?
That is the question this article answers.
The security controls discussed in Articles 1 through 4 were not hypothetical. Multi-Factor Authentication, Endpoint Detection and Response, immutable backups, incident response planning, and security awareness training are not aspirational technologies for enterprise companies. They are available, affordable, and deployable by any $5 million business in Michigan that decides the math justifies the investment. The data in this series strongly suggests it does.
But security controls do not exist in a vacuum. They must be selected against a realistic threat profile, sequenced in the order that reduces the most risk per dollar spent, and maintained against a threat landscape that does not stay still. Vendor risk, cloud security, and patch management all sit inside that equation, and all three are areas where Michigan SMBs consistently leave significant exposure unaddressed.
This article builds the equation from the ground up. It applies the same three company profiles this series has followed throughout: Company A, the law firm; Company B, the medical practice; and Company C, the accounting firm. It prices the controls. It calculates the returns. And it hands you a prioritized security roadmap you can take into your next budget conversation with a number and a rationale behind every line.
SERIES ARC : Articles 1 and 2 showed you how to measure your risk. Article 3 showed you what a breach costs when you are prepared and when you are not. Article 4 showed you how your people fit into the equation. This article closes the loop: what to invest, in what order, and why the math justifies every line item.
Part One: The Cost of Not Investing
Before the Roadmap, the Baseline
Every security investment decision exists in comparison to an alternative: what happens if we do not make this investment? In most business decisions, the alternative is simply not having the feature or capability in question. In cybersecurity, the alternative is quantifiable and well-documented.
The Monte Carlo analysis in Article 2 produced expected annual loss figures for each of the three company profiles at $5 million in revenue, with no additional security investments beyond their existing posture. Those figures are the starting point for every ROI calculation in this article.
| Company Profile | Annual Breach Probability | Expected Annual Loss | 90th Pct 3-Year Exposure | Current Security Gap |
| Company A: Law Firm | 18.3% (Beta Model) | $43,344 | $379,322 | No EDR, annual phishing training only |
| Company B: Medical Practice | 28.0% (Beta Model) | $100,538 | ~$800,000 | No dedicated IR plan, partial MFA |
| Company C: Accounting Firm | 25.4% (Beta Model) | $68,505 | $567,477 | Partial MFA, no EDR, no immutable backup |
| All Three (Avg) | 23.9% | $70,796 | $582,000 | No tested incident response plan |
These numbers are not warnings. They are baselines. They represent what each business is already spending, on average, in expected loss from the current threat landscape, without making any additional investment. The question the roadmap in this article answers is not whether to spend money on security. It is whether to spend it proactively, on controls that produce measurable risk reduction, or reactively, on breach response costs that arrive without warning and without the opportunity to plan.
THE BASELINE ARGUMENT : Company B, the medical practice, faces an expected annual loss of $100,538 at its current security posture. The annual cost of a comprehensive security program that addresses its primary gaps runs between $28,000 and $40,000 per year. The expected annual savings from that program exceed the cost of the program before the first year is complete.
Part Two: The Controls That Move the Numbers
What Each Control Does and What It Costs
Security controls are not all created equal. Some address your highest-probability attack vectors. Some address your highest-cost breach scenarios. The most effective security programs prioritize by both dimensions simultaneously, investing first in controls that reduce the most risk per dollar deployed. The table below maps the seven core controls discussed in this series to their cost ranges, their primary risk reduction targets, and the attack vectors they address.
| Control | Annual Cost (SMB) | Primary Risk Reduced | Attack Vector Addressed |
| Multi-Factor Authentication (MFA) | $0-$8/user/mo (often included in M365) | Credential-based attacks: 35% of breach pathway | Phishing, password spraying, credential stuffing |
| Endpoint Detection & Response (EDR) | $8-$18/endpoint/mo | Endpoint malware: 45% of breach pathway | Ransomware, lateral movement, zero-day malware |
| Security Awareness Training + Simulations | $15-$30/employee/yr | Human element: contributes to 68% of all breaches | BEC, phishing, spear phishing, vishing |
| Immutable / 3-2-1-1 Backup | $200-$600/mo depending on data volume | Ransomware leverage: eliminates ransom payment scenario | All ransomware variants |
| Incident Response Plan (tested) | $2,500-$5,000 one-time + annual review | Breach cost multiplier: reduces 90-day loss by 80%+ | All incident types |
| Patch Management (automated) | $5-$12/endpoint/mo | Unpatched vulnerabilities: 18% of ransomware entry | Exploited software, OS vulnerabilities |
| Vendor / Third-Party Risk Management | $500-$2,500/yr (assessment + policy) | Third-party compromise: 6% of SMB incidents, growing | Supply chain, vendor credential abuse |
A 12-person law firm running all seven controls at mid-range pricing invests approximately $22,000 to $30,000 per year in its total security program. That figure sits against a 90th percentile three-year exposure of $379,322 and an expected annual loss of $43,344 with no program in place. The return on that investment is positive before the program completes its first 12 months.
THE COST COMPARISON : The full security program for a $5 million SMB costs between $22,000 and $40,000 per year depending on size, industry, and existing infrastructure. The unprepared ransomware outcome for Company C in Article 3 cost $540,000 in 90 days. The prepared outcome cost $9,300. The security program that produced the prepared outcome cost $22,000 per year. That is a 24-to-1 return in the first breach scenario alone.
Prioritizing by Risk Reduction Per Dollar
Not every business can implement every control simultaneously. Budget constraints are real, and sequencing matters. The framework below orders the seven core controls by the risk reduction they produce per dollar invested, calculated against the attack vector data from Article 2 and the breach cost models from Article 3.
| Priority | Control | Risk Reduction Delivered | Why This Order |
| 1 | Multi-Factor Authentication | Eliminates ~72% of credential-based attacks; covers 35% of breach pathway | Highest impact per dollar. Often included in existing software licenses at no additional cost. |
| 2 | Security Awareness Training | Reduces phishing click rate from 30-35% to under 10% in 90 days | Addresses the entry point for 41% of ransomware incidents. At $15-30/employee, the lowest-cost meaningful control available. |
| 3 | Immutable Backup (3-2-1-1) | Eliminates ransom payment leverage; enables recovery in hours, not weeks | Removes the financial engine of ransomware. Without this, every other control still leaves the business exposed to ransom demands. |
| 4 | Endpoint Detection & Response (EDR) | Reduces endpoint malware contribution from 19% to 6.76% of breach pathway | Addresses the single largest attack vector at the endpoint level. Detects attacks before they reach file servers. |
| 5 | Incident Response Plan (tested) | Reduces 90-day breach cost by 80%+ in documented scenarios | The plan itself is inexpensive. The tested plan produces the outcome differential seen in Article 3. |
| 6 | Automated Patch Management | Closes 18% of ransomware entry pathways from unpatched vulnerabilities | Often overlooked because it is unglamorous. Consistently exploited in published attack data. |
| 7 | Vendor Risk Management | Addresses growing third-party compromise vector; required for regulatory compliance | Smaller current percentage of incidents but growing rapidly. Required under FTC Safeguards Rule and HIPAA. |
The ordering above is designed for a business with a limited budget implementing controls for the first time. If MFA is already fully deployed, move to training. If training is already in place, move to immutable backup. The priority sequence is not rigid, but it reflects the risk data: controls ranked higher address higher-probability attack pathways with higher return on investment.
Part Three: The Three Areas Michigan SMBs Underinvest In
Vendor Risk: The Breach That Starts at Someone Else’s Door
In the ransomware entry vector table from Article 3, third-party and vendor compromise accounted for 6% of SMB incidents. That figure is the smallest of the five categories. It is also the fastest growing, and it is the one category where your security investment produces the least direct protection.
Vendor risk exists because modern SMBs do not operate in isolation. A law firm uses cloud-based practice management software, a document storage provider, an e-signature platform, a payroll processor, and an IT support vendor. A medical practice connects to a health information exchange, an electronic health records system, a billing clearinghouse, and multiple insurance portals. Each of those connections represents a potential attack pathway that begins outside your perimeter.
The 2020 SolarWinds attack, the 2021 Kaseya ransomware event, and dozens of smaller incidents documented in the Verizon DBIR all follow the same pattern: an attacker compromises a trusted technology vendor, uses that trusted relationship to reach the vendor’s clients, and deploys malware or exfiltrates data through a pathway the client’s own security controls never had the opportunity to inspect.
For Michigan SMBs in regulated industries, vendor risk is not an abstract concern. It is a compliance obligation. The FTC Safeguards Rule requires financial service firms to assess and monitor the security practices of service providers who access customer information. HIPAA’s Business Associate Agreement requirements extend breach liability to covered entities whose vendors fail to protect patient data. The question is not whether to manage vendor risk. The question is how to do it affordably.
| Vendor Risk Management Action | Cost Level | Regulatory Relevance | What It Accomplishes |
| Maintain a written vendor inventory | No cost | FTC Safeguards, HIPAA | Identifies every third party with access to your systems or data |
| Require SOC 2 Type II or equivalent from critical vendors | No cost | FTC Safeguards, HIPAA BAA | Confirms vendor has been independently audited for security controls |
| Include security and breach notification terms in vendor contracts | $500-$1,500 legal review | All regulated industries | Creates contractual obligation and notification timeline if vendor is breached |
| Annual vendor security review (questionnaire or assessment) | $500-$2,000/yr | FTC Safeguards Rule | Documents ongoing due diligence; required for formal compliance programs |
| Monitor vendor breach disclosures and CVE databases | Included in managed security services | All industries | Identifies when a vendor you use has been compromised or has a known vulnerability |
The vendor risk management program described above costs between $1,000 and $3,500 per year for most Michigan SMBs. It does not require a dedicated security team. It requires a vendor inventory spreadsheet, a written policy, contract language reviewed by an attorney once, and an annual review process. That combination satisfies the documentation requirements under the FTC Safeguards Rule, addresses HIPAA Business Associate Agreement obligations, and creates a defensible record that the business exercised due diligence if a vendor breach does occur.
THE VENDOR BLIND SPOT : Most Michigan SMBs can name every piece of hardware in their office. Very few can name every vendor that has remote access to their systems, the data each one can see, or the last time each vendor’s security posture was reviewed. That inventory is the starting point for a vendor risk program, and it costs nothing but an afternoon.
Patch Management: The Vulnerability That Should Not Exist
Eighteen percent of ransomware incidents in the Verizon DBIR enter through unpatched software vulnerabilities. That figure has been consistent for years, which means the cybersecurity industry has known for years that a significant portion of successful attacks exploit vulnerabilities that the software vendor had already identified and fixed. The attacker did not find something new. The victim did not apply something old.
Patch management is the process of systematically identifying, testing, and deploying software updates across every device in your environment on a defined schedule. It is not a glamorous security control. It does not have a dashboard that produces impressive visualizations. It does not generate the kind of conversation that MFA or EDR does in a board meeting. But in the published attack data, it is responsible for eliminating nearly one in five ransomware entry pathways.
The challenge for Michigan SMBs is not that patching is difficult. It is that it is invisible until it fails. A business that patches every system on time, every month, for three years never has a story to tell. A business that skips patches for six months because the update process disrupts productivity can produce a story that takes months and hundreds of thousands of dollars to resolve.
| Patching Failure Pattern | How It Is Exploited | Real-World Example | Prevention |
| Delayed OS patches (30+ days) | Attackers target known CVEs within hours of public disclosure | ProxyLogon: Microsoft Exchange exploit used in thousands of SMB attacks within 30 days of patch release | Automated patch deployment within 14 days of release |
| Unpatched third-party software (browsers, Java, Adobe) | Often lower priority than OS patches; frequently exploited via drive-by download | Log4Shell: Apache logging library exploit affected thousands of business applications | Include third-party apps in automated patch scope |
| Firmware on network devices (routers, firewalls, switches) | Rarely updated; often ignored; direct network access if compromised | SOHO router firmware exploits: common entry point for SMB network compromise | Quarterly firmware audit and update cycle |
| Unmanaged endpoints (personal devices, remote workers) | Outside the patch management system; create unmonitored entry points | BYOD environments routinely identified in post-breach forensics as initial access points | Mobile Device Management (MDM) policy for any device accessing firm data |
Automated patch management for a 12-workstation office, including operating systems, browsers, common third-party applications, and network device firmware, runs between $5 and $12 per endpoint per month through a managed security partner. For a firm with 12 endpoints, that is $720 to $1,728 per year. Against the 18% of ransomware pathways that patching closes, it is one of the most cost-efficient controls in the stack.
The critical distinction is between manual patching and automated patching. Manual patching depends on a human being deciding to apply updates, testing them, and deploying them on a consistent schedule. In a small business where the same person managing IT is also handling user support, vendor management, and a dozen other responsibilities, that consistency is the first thing that breaks under pressure. Automated patch management removes the human dependency from the most consistent attack pathway in the published data.
THE PATCH WINDOW : Most ransomware attacks exploiting known vulnerabilities occur within 30 to 60 days of the public disclosure of the vulnerability. That window is not a coincidence. It reflects how quickly attackers move to operationalize a newly disclosed exploit before most businesses have applied the fix. Automated patching within 14 days closes the window before the attack campaign reaches scale.
Cloud Security: The Perimeter That Moved Without Warning
When this series began, the three company profiles operated in a relatively traditional environment: workstations in an office, a file server on the local network, and IT infrastructure managed largely on-premises. That description fits fewer and fewer Michigan SMBs every year.
Cloud migration has been accelerating across every industry this series covers. Law firms have moved to cloud-based practice management platforms. Medical practices use cloud-hosted EHR systems. Accounting firms operate almost entirely in cloud environments during tax season, with staff accessing client data from home offices, coffee shops, and client sites. The perimeter that traditional firewalls were designed to protect has effectively ceased to exist as a meaningful security boundary.
This shift does not eliminate security risk. It relocates it. The threats that previously targeted on-premises servers now target cloud credentials, misconfigured cloud storage buckets, over-permissioned service accounts, and the API connections between cloud platforms. The Bayesian model in Article 2 showed that credential-based attacks account for 35% of the breach pathway. In cloud environments, those credentials are the only thing standing between an attacker and every file the business has ever created.
| Cloud Security Control | What It Addresses | Cost (SMB) | Priority for Regulated Industries |
| MFA on all cloud accounts (M365, Google Workspace, cloud apps) | Credential theft; unauthorized account access | Included in existing licenses | Critical: Immediate |
| Conditional Access Policies | Restricts logins from unusual locations, devices, or times; flags impossible travel | $6-$22/user/mo (Entra ID P1/P2, formerly Azure AD) | High: Recommended |
| Cloud backup with versioning and immutability | Ransomware targeting cloud storage (OneDrive, SharePoint encryption) | $5-$20/user/mo | Critical: Immediate |
| Data Loss Prevention (DLP) policies | Prevents sensitive data from being shared externally without authorization | Included in M365 E3 and above | High for HIPAA, FTC Safeguards |
| Cloud Access Security Broker (CASB) | Monitors and controls data movement across cloud applications | $10-$30/user/mo | Advanced: Enterprise focus |
| Regular permissions audit (who has access to what) | Over-permissioned accounts; former employees with active credentials | No cost (quarterly manual review) | Critical: Often missed |
The most common cloud security failure in Michigan SMBs is not a sophisticated attack on a misconfigured API. It is a former employee whose Microsoft 365 account was never deactivated. Or a shared mailbox that three people know the password to, none of whom can remember when it was last changed. Or a SharePoint site that is technically accessible to everyone in the organization, including a part-time contractor who left six months ago.
The permissions audit described in the table above costs nothing but time. It requires answering three questions: Who currently has access to our cloud environments? What level of access do they have? Does that level of access match their current role and relationship to the firm? For most SMBs, the audit takes two to four hours and identifies at least one material access control failure that no technology purchase would have caught.
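The audit above can be run against an exported account list rather than by eyeballing the admin portal. The script below is an added example, not code from the original article or from any vendor: it joins a directory export against an HR roster and answers the three questions in order (who has access, at what level, and whether that matches their current role). The field names mirror what a Microsoft 365 / Entra ID user export contains, but every row is constructed for illustration, as are the audit date, the 90-day staleness window, and the rule that only IT staff may hold admin roles; set those from your own policy.

```python
"""Quarterly cloud permissions audit over an exported account list.

Added example for the Part Three cloud section; not from the original
article. The HR roster, directory export, audit date and policy
thresholds below are all constructed / assumed for illustration.
"""
from collections import Counter
from datetime import date, timedelta

AUDIT_DATE = date(2025, 1, 15)       # assumed date the audit is run
STALE_AFTER = timedelta(days=90)     # assumed policy: no sign-in in 90 days = stale
ADMIN_ALLOWED_ROLES = {"IT"}         # assumed policy: only IT staff hold admin roles

# Constructed HR roster: everyone who currently works for, or contracts with, the firm.
HR_ROSTER = {
    "jdoe@example-law.com": "Attorney",
    "msmith@example-law.com": "Paralegal",
    "itadmin@example-law.com": "IT",
    "agarcia@example-law.com": "Contractor",   # part-time contractor, still engaged
}

# Constructed directory export (field names mirror an Entra ID user export).
DIRECTORY_EXPORT = [
    {"upn": "jdoe@example-law.com", "type": "Member", "enabled": True,
     "last_sign_in": date(2025, 1, 14), "mfa_registered": True, "admin_roles": []},
    {"upn": "msmith@example-law.com", "type": "Member", "enabled": True,
     "last_sign_in": date(2025, 1, 13), "mfa_registered": False, "admin_roles": []},
    {"upn": "itadmin@example-law.com", "type": "Member", "enabled": True,
     "last_sign_in": date(2025, 1, 10), "mfa_registered": True,
     "admin_roles": ["Global Administrator"]},
    # Former paralegal who left six months ago; account never disabled.
    {"upn": "rlee@example-law.com", "type": "Member", "enabled": True,
     "last_sign_in": date(2024, 7, 2), "mfa_registered": True,
     "admin_roles": ["SharePoint Administrator"]},
    {"upn": "agarcia@example-law.com", "type": "Member", "enabled": True,
     "last_sign_in": date(2025, 1, 9), "mfa_registered": True, "admin_roles": []},
    # Shared mailbox whose sign-in was never blocked: a password three people know.
    {"upn": "intake@example-law.com", "type": "Shared", "enabled": True,
     "last_sign_in": date(2025, 1, 12), "mfa_registered": False, "admin_roles": []},
    # Guest from a vendor that stopped working with the firm last year.
    {"upn": "vendor_guest#EXT#@example-law.com", "type": "Guest", "enabled": True,
     "last_sign_in": date(2024, 3, 20), "mfa_registered": False, "admin_roles": []},
]


def audit_accounts(export, roster, today=AUDIT_DATE):
    """Return (upn, severity, finding) tuples for every enabled account that fails a check."""
    findings = []
    for acct in export:
        upn, kind = acct["upn"], acct["type"]
        if not acct["enabled"]:
            continue  # a sign-in-blocked account is not an access path; nothing to flag
        # Q1: who has access? Any enabled member account that HR no longer lists.
        if kind == "Member" and upn not in roster:
            findings.append((upn, "critical", "enabled account not on HR roster (former staff?)"))
        # Q2/Q3: what level, and does it match the role? Admin rights outside allowed roles.
        if acct["admin_roles"] and roster.get(upn) not in ADMIN_ALLOWED_ROLES:
            findings.append((upn, "high", f"admin roles {acct['admin_roles']} outside policy"))
        # Shared mailboxes should be sign-in blocked, not reached with a shared password.
        if kind == "Shared":
            findings.append((upn, "high", "shared mailbox sign-in not blocked"))
        # Stale members and guests are unmonitored entry points.
        last = acct["last_sign_in"]
        if last is None or today - last > STALE_AFTER:
            findings.append((upn, "medium", f"no sign-in for more than {STALE_AFTER.days} days"))
        # MFA is 'critical: immediate' on every account that can sign in interactively.
        if kind in ("Member", "Guest") and not acct["mfa_registered"]:
            findings.append((upn, "high", "MFA not registered"))
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'critical': 1, 'high': 4, 'medium': 2}."""
    return dict(Counter(severity for _, severity, _ in findings))


if __name__ == "__main__":
    results = audit_accounts(DIRECTORY_EXPORT, HR_ROSTER)
    for upn, severity, finding in results:
        print(f"[{severity:>8}] {upn}: {finding}")
    print(summarize(results))
```

On the constructed data the script surfaces exactly the failures the paragraph above describes: the departed paralegal still holding a SharePoint admin role, the shared mailbox that can still be signed into, and a stale vendor guest without MFA. Feeding it a real export is a matter of replacing the two constructed lists with the CSV you download from the admin center.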
THE CLOUD MISCONCEPTION : Moving data to the cloud does not transfer security responsibility to the cloud provider. Microsoft, Google, and major cloud platforms protect their infrastructure. You are responsible for protecting how your users access it, what they do with it, and who has permission to reach it. That division of responsibility is defined in every major cloud provider’s shared responsibility model, and most SMBs have never read it.
Part Four: The Security Roadmap by Company Profile
Company A: Law Firm – 12 Employees, $5M Revenue, 18 Clean Years
Company A enters this roadmap with an 18.3% annual breach probability, a 90th percentile three-year exposure of $379,322, and a current posture that includes no EDR, annual phishing training only, and a local backup strategy that has not been tested. Its primary risk exposure is Business Email Compromise, which Article 4 showed can produce a 90-day loss of $219,500 without training and a written wire transfer protocol.
| Phase | Controls to Deploy | Timeline | Estimated Annual Cost | Risk Reduction Target |
| Phase 1 (Months 1-2) | Full MFA on all M365 accounts; conditional access policies; written wire transfer verification protocol; phishing simulation program | Immediate | $1,800-$3,600/yr | Reduces credential attack contribution by 72%; stops BEC at protocol level |
| Phase 2 (Months 3-4) | Immutable cloud backup with versioning; automated patch management; cloud permissions audit | Q1 | $3,500-$6,000/yr | Eliminates ransom leverage; closes unpatched vulnerability pathway |
| Phase 3 (Months 5-6) | EDR deployment to all endpoints; incident response plan development and tabletop exercise | Q2 | $8,640-$12,960/yr | Addresses endpoint malware pathway; reduces 90-day breach cost by 80%+ |
| Phase 4 (Months 7-12) | Vendor risk inventory and contract review; dark web credential monitoring; quarterly training modules | Q3-Q4 | $2,500-$5,000/yr | Closes third-party exposure; detects compromised credentials before use |
| Full Program Total | All seven core controls | 12 months | $16,440-$27,560/yr | Reduces annual breach probability from 18.3% toward 8-10% range |
The full program cost for Company A, the law firm, runs between $16,440 and $27,560 per year. The expected annual loss at the current posture is $43,344. The full program investment reduces the annual breach probability from 18.3% toward the 8 to 10% range, which the Monte Carlo model translates to an expected annual loss reduction of $18,000 to $26,000. The program pays for itself within 18 to 24 months on expected value alone, and in the first year of a serious incident, it pays for itself many times over.
Company B: Medical Practice – 8 Employees, $5M Revenue, One Prior Breach
Company B carries the heaviest risk profile of the three: a 28% annual breach probability, an expected annual loss of $100,538, and a 90th percentile three-year exposure approaching $800,000. Its regulatory environment adds HIPAA liability to every breach scenario, and healthcare consistently leads all industries in both breach frequency and per-record breach cost. Its current posture includes partial MFA and no dedicated incident response plan.
| Phase | Controls to Deploy | Timeline | Estimated Annual Cost | Risk Reduction Target |
| Phase 1 (Months 1-2) | Full MFA immediately; HIPAA-compliant immutable backup; phishing simulation program with healthcare-specific templates | Immediate | $3,200-$5,500/yr | Addresses credential theft (35%) and ransomware leverage simultaneously |
| Phase 2 (Months 3-4) | EDR on all clinical and administrative workstations; automated patch management including EHR software | Q1 | $4,800-$9,600/yr | Closes endpoint malware pathway (45% of breach entry); addresses EHR-specific vulnerabilities |
| Phase 3 (Months 5-6) | Incident response plan with HIPAA notification checklist; pre-activated insurance IR retainer; tabletop exercise | Q2 | $3,500-$6,000 one-time | Reduces 90-day breach cost from $591,000 unprepared to under $100,000 prepared |
| Phase 4 (Months 7-12) | Business Associate Agreement audit for all vendors; HIPAA Security Risk Assessment; staff training on PHI handling | Q3-Q4 | $4,000-$8,000/yr | Regulatory compliance documentation; reduces civil penalty exposure |
| Full Program Total | All seven core controls | 12 months | $28,000-$40,000/yr | Reduces annual breach probability from 28% toward 12-15% range |
The full program cost for Company B, the medical practice, runs between $28,000 and $40,000 per year. The expected annual loss at the current posture is $100,538. The full program investment reduces the annual breach probability from 28% toward the 12 to 15% range; scaling the current expected loss in proportion to that probability reduction puts the expected annual loss reduction at roughly $47,000 to $57,000. That exceeds the cost of the program in its first year, before any credit for HIPAA civil penalty avoidance, for the insurance premium effects discussed in Part Five, or for the difference between the $591,000 unprepared and sub-$100,000 prepared breach outcomes if an incident does occur.
Company C: Accounting Firm – 10 Employees, $5M Revenue, Two Prior Breaches
Company C is the most urgent case. Two breaches in five years, a 25.4% annual probability under Beta modeling, partial MFA, no EDR, no immutable backup, and a posture that the Bayesian model in Article 2 showed carries a 37.5% residual risk. A single detected phishing attempt updates that probability to 70.6%. The roadmap for Company C must move faster than the roadmaps for Companies A and B.
| Phase | Controls to Deploy | Timeline | Estimated Annual Cost | Risk Reduction Target |
| Phase 1 (Weeks 1-4) | Full MFA on all accounts immediately; immutable backup replacing current local backup; phishing simulation program | Immediate | $3,500-$6,000/yr | Closes credential pathway (35%); eliminates ransom leverage; most urgent gap given breach history |
| Phase 2 (Months 2-3) | EDR on all endpoints; automated patch management; dark web credential monitoring for all staff | Month 2 | $6,000-$12,000/yr | Closes endpoint malware pathway (19.3% of current residual risk); detects compromised credentials before use |
| Phase 3 (Months 3-5) | Incident response plan with IRS Publication 4557 and FTC Safeguards checklist; tabletop exercise; pre-activated insurance retainer | Month 3 | $3,000-$5,000 one-time | Converts third breach from $540,000 outcome to under $50,000 outcome |
| Phase 4 (Months 6-12) | Vendor risk program; FTC Safeguards Rule compliance review; WISP (Written Information Security Plan) if not current | Q3 | $2,500-$4,000/yr | Regulatory compliance; required under FTC Safeguards Rule for tax preparers |
| Full Program Total | All seven core controls | 6 months to full deployment | $22,000-$35,000/yr | Reduces residual risk from 37.5% to 18.7%; clean 12 months reaches 10.3% (Bayesian model) |
The Bayesian model from Article 2 showed that Company C, with full MFA and EDR deployed and 12 months of clean performance, reaches an annual breach probability of 10.3%. Under Laplace’s Rule of Succession, reaching that level would require 53 years of perfect history. The security program compresses that timeline to one year. For a business that entered this series at 42.9% under Laplace, that is not an incremental improvement. It is a transformation of the risk profile.
COMPANY C’S INFLECTION POINT : A third breach before the security program is deployed pushes Company C’s Laplace probability from 42.9% to 57.14%, past the coin-flip threshold where a breach in any given year is more likely than not. The roadmap above does not merely improve the risk profile. It prevents the event that would reset the statistical clock again, potentially for decades.
Part Five: The ROI Calculation Every Business Owner Should Run
Building the Equation for Your Budget Conversation
Security budgets are approved in the same conversation as every other business investment: by demonstrating that the expected return exceeds the expected cost. The difference in cybersecurity is that the return is expressed as losses avoided rather than revenue generated. For business owners who are not accustomed to thinking in those terms, the calculation can feel abstract. It does not have to be.
The framework below is a simple five-step ROI calculation that any business owner can run with the data from this series. It produces a number: the expected financial return of a security program investment over a three-year planning window. That number belongs in your budget conversation alongside every other capital investment your business makes.
| Step | Input | Where to Find It | Company A Example |
| 1 | Annual breach probability | Beta Distribution estimate from Article 2 | 18.3% |
| 2 | Median breach cost for your industry | Monte Carlo median cost from Article 2 | $137,122 |
| 3 | Expected annual loss (Step 1 x Step 2) | Calculation | $25,113 |
| 4 | 90th percentile 3-year exposure | Monte Carlo 3-year figure from Article 2 | $379,322 |
| 5 | Annual security program cost | Roadmap in this article | $22,000 (mid-range) |
| ROI (Year 1) | Expected annual loss minus program cost | Calculation | $25,113 – $22,000 = $3,113 |
| ROI (3-Year) | 3-year expected loss minus 3-year program cost | Calculation | $75,339 – $66,000 = $9,339 saved |
| Risk-Adjusted ROI (3-Year) | 10% probability of 90th pct scenario avoided | Monte Carlo data | $37,932 expected savings on tail risk alone |
The risk-adjusted ROI row is where the calculation becomes compelling. The 10% probability of the 90th percentile scenario, applied to the three-year exposure of $379,322, produces an expected tail risk value of $37,932 over three years. Added to the expected loss savings of $9,339, the three-year risk-adjusted return on a $66,000 three-year investment is $47,271. Two caveats keep that figure honest. The simple rows treat the entire expected annual loss as avoided, while the roadmap reduces the probability from 18.3% toward 8 to 10% rather than to zero, so the year-one and three-year rows are an upper bound on expected-value savings. Against that, the calculation takes no credit for regulatory penalty avoidance, for the insurance premium reductions in the next section, or for the difference between the prepared and unprepared outcomes if a breach does occur, and those terms are the ones that dominate in practice.
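The five steps above, together with the Laplace figures quoted for Company C in Part Four, are easier to reuse for your own numbers as a small script. The block below is an added example, not code from the original article. It takes the article's Company A inputs (18.3% annual breach probability, $137,122 median breach cost, $379,322 90th percentile three-year exposure, $22,000 mid-range program cost) and the article's 10% weight for the tail scenario; using the rounded 18.3% gives an expected annual loss of $25,093, about $20 under the table's $25,113, which was evidently computed from an unrounded probability. The payback-period figure and the avoided-loss function, which scales expected loss by the probability reduction rather than assuming all of it disappears, are added derivations rather than rows from the table.

```python
"""Worked calculation for the five-step ROI framework in Part Five, plus the
Laplace's Rule of Succession figures used for Company C in Part Four.

Added example; not code from the original article. Company A inputs are the
article's; the 10% tail weight is the article's convention. payback_years
and avoided_loss() are added derivations, not rows from the article's table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoiInputs:
    annual_breach_probability: float  # Step 1, as a fraction (0.183 = 18.3%)
    median_breach_cost: float         # Step 2, dollars
    exposure_90th_3yr: float          # Step 4, dollars, three-year 90th percentile
    annual_program_cost: float        # Step 5, dollars per year
    years: int = 3                    # planning window used by the table
    tail_probability: float = 0.10    # article's weight for the 90th pct scenario


def laplace_rule(breaches: int, years_observed: int) -> float:
    """Laplace's Rule of Succession, (s + 1) / (n + 2), as used for Company C.

    Two breaches in five years gives 3/7 = 42.9%; a third breach in the same
    window gives 4/7 = 57.1%, past the coin-flip threshold in the text.
    """
    if not 0 <= breaches <= years_observed:
        raise ValueError("need 0 <= breaches <= years_observed")
    return (breaches + 1) / (years_observed + 2)


def roi_breakdown(i: RoiInputs) -> dict:
    """Step 3 through the risk-adjusted row of the Part Five table."""
    expected_annual_loss = i.annual_breach_probability * i.median_breach_cost  # Step 3
    expected_loss_window = expected_annual_loss * i.years
    program_cost_window = i.annual_program_cost * i.years
    tail_savings = i.tail_probability * i.exposure_90th_3yr  # risk-adjusted row
    simple_window = expected_loss_window - program_cost_window
    return {
        "expected_annual_loss": expected_annual_loss,
        "roi_year1": expected_annual_loss - i.annual_program_cost,
        "roi_window": simple_window,
        "tail_savings": tail_savings,
        "risk_adjusted_window": simple_window + tail_savings,
        # Added: years of expected loss needed to cover one year of program cost.
        "payback_years": (i.annual_program_cost / expected_annual_loss
                          if expected_annual_loss > 0 else float("inf")),
    }


def avoided_loss(expected_annual_loss: float, p_before: float, p_after: float) -> float:
    """Expected loss removed when the program lowers, not eliminates, breach probability.

    Scales the current expected loss by the share of probability removed. The
    roadmap takes Company A from 18.3% toward 8-10%, not to zero, so only that
    share of the $43,344 Monte Carlo expected loss is actually avoided.
    """
    if p_before <= 0 or not 0 <= p_after <= p_before:
        raise ValueError("need 0 <= p_after <= p_before and p_before > 0")
    return expected_annual_loss * (1 - p_after / p_before)


COMPANY_A = RoiInputs(0.183, 137_122, 379_322, 22_000)

if __name__ == "__main__":
    for key, value in roi_breakdown(COMPANY_A).items():
        print(f"{key:>22}: {value:,.2f}")
    print(f"Company C Laplace, 2 breaches in 5 years: {laplace_rule(2, 5):.1%}")
    print(f"Company C Laplace, 3 breaches in 5 years: {laplace_rule(3, 5):.1%}")
    for p_after in (0.08, 0.10):
        print(f"Company A loss avoided at {p_after:.0%}: "
              f"{avoided_loss(43_344, 0.183, p_after):,.0f}")
```

Swap in your own Beta estimate, industry median and quote from your provider to reproduce the table for your business; the avoided-loss line is the number to put beside the program cost if you want the conservative version of the argument.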
For Company B, the medical practice with an expected annual loss of $100,538 and a 90th percentile three-year exposure approaching $800,000, the ROI calculation is even more decisive. A $34,000-per-year security program produces expected annual loss savings that exceed the program cost in the first year and generates six-figure tail risk avoidance over three years.
THE INSURANCE PARALLEL: No CFO requires a building to burn down before approving fire insurance. No board requires a fleet vehicle to be totaled before approving commercial auto coverage. The only reason cybersecurity has historically required a breach to justify the budget is that the expected loss was not calculated and placed next to the program cost. This article gives you the calculation. The conversation is the same one you have been having about every other insurable risk in your business.
How a Security Program Affects Your Cyber Insurance Premiums
Cyber insurance premiums for Michigan SMBs have increased significantly over the past three years as insurers have refined their understanding of SMB breach rates and costs. The premium impact of a documented security program is now material, and it moves in both directions.
Businesses with no MFA, no EDR, no tested incident response plan, and a history of prior incidents are seeing declinations and exclusions that would have been rare five years ago. Businesses that can document a comprehensive security program, show evidence of regular employee training, provide their incident response plan, and demonstrate tested immutable backups are qualifying for better coverage at lower premiums and facing fewer exclusions on their ransomware coverage.
| Insurance Factor | Without Security Program | With Documented Security Program | Premium Impact |
|---|---|---|---|
| MFA deployment | Often a hard requirement; absence leads to exclusions | Fully deployed and documented | -10% to -20% premium reduction |
| EDR / advanced endpoint protection | Higher-risk tier; broader exclusions | Deployed and monitored | -5% to -15% premium reduction |
| Tested incident response plan | Rarely present in SMBs; raises underwriter concern | Documented and tabletop-tested | Better coverage terms, fewer sub-limits |
| Prior breach history (Company C) | Significant premium increase or declination | Controls documented post-breach | Enables coverage that may otherwise be declined |
| Security awareness training | Rarely documented; assumed absent | Quarterly simulations with documented click rate reduction | -5% to -10% premium reduction |
| Combined effect | Standard or above-market premium | Documented program across all controls | Potential 20-40% total premium reduction |
For a $5 million Michigan SMB paying $8,000 to $15,000 annually in cyber insurance premiums, a 20 to 40% premium reduction produces savings of $1,600 to $6,000 per year. That figure partially offsets the cost of the security program itself, and it comes with the added benefit of better coverage terms and fewer exclusions on the scenarios that matter most.
More practically: a business that experiences a ransomware incident and discovers that its policy excludes ransomware payments because MFA was not in place has paid a premium for coverage that does not exist when needed. The security program and the insurance policy are not separate decisions. They are the same risk management conversation.
Conclusion: The Equation Has Always Been This Simple
This series began with mathematics. Article 1 showed you how to calculate your annual breach probability using a formula developed by an eighteenth-century French mathematician. Article 2 translated that probability into financial exposure using the same Monte Carlo framework that insurance actuaries use to price premiums. Article 3 showed you what a breach costs when you are prepared and when you are not, using the same three Michigan businesses, the same attack, the same morning. Article 4 showed you the human factor: why 68% of breaches involve a human decision and how a $15 annual training investment changes that percentage.
This article adds the final variable: what the controls actually cost, in what order they should be deployed, and what the return on that investment looks like over a three-year planning window.
The equation is not complicated. The inputs are the ones this series has built, step by step, from the ground up.
Your breach probability is not zero. Your expected annual loss is quantifiable. The security program that reduces both has a documented cost. The return on that investment is measurable, defensible, and positive before the second year of the program is complete.
What this series has built, from risk modeling to breach response to human training to security investment, is not a case for fear. It is a case for preparation. The Michigan SMBs that will avoid being a statistic are not the ones who got lucky. They are the ones who ran the equation, made the investment, and built the kind of security program that updates faster than the threat landscape can evolve.
The math has always pointed in the same direction. This article is the last piece of it.
Frequently Asked Questions
We are a small firm with a limited IT budget. Where do we start?
Start with Multi-Factor Authentication and phishing awareness training. Both are either free or extremely low cost given existing software licenses, and both address the two highest-probability attack pathways in the published data: credential-based attacks and phishing as an entry point. MFA alone closes 72% of the credential attack pathway. Phishing training reduces your employees’ click rate from 30-35% to under 10% within 90 days. Neither requires additional hardware. Neither requires a large budget approval. Both produce immediate, measurable risk reduction.
How do we know if our current IT vendor is actually managing our security?
Ask for documentation of four specific things: the patch management schedule and last patch report, the backup testing log showing the last successful restore test, evidence of MFA deployment across all accounts, and an EDR console showing active monitoring. A competent managed security partner can produce all four on request. If the answers are vague, that is useful information. The absence of documentation is not the same as the absence of risk. It is the absence of evidence that risk is being managed.
We have cyber insurance. Does that mean we do not need a full security program?
Cyber insurance and a security program are not substitutes for each other. Insurance pays for breach costs after they occur, subject to your coverage limits, deductibles, and exclusions. A security program reduces the probability and cost of the events that trigger those payments. More practically: most current cyber insurance policies require specific controls as a condition of coverage. If MFA is not deployed and a breach occurs through a credential attack, your policy may exclude the claim. The security program is what makes the insurance policy pay when you need it to.
How do we approach vendor risk without creating an administrative burden?
Start with a one-time vendor inventory: a spreadsheet listing every vendor that has remote access to your systems or data, what they can access, and whether you have a signed agreement that includes breach notification obligations. That inventory takes a few hours and immediately identifies the highest-risk relationships. From there, prioritize the vendors with access to your most sensitive data and require a SOC 2 Type II report or equivalent annual audit from those vendors. The ongoing burden is a quarterly review of the inventory and an annual update to the high-priority vendor assessments. Most managed security partners include vendor risk management in a comprehensive program.
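The inventory and review cycle described in this answer, turned into a small triage script as an added example (not code from the article). The inventory is constructed and the vendor names are fictitious; the thresholds are assumptions that follow the answer's guidance: every vendor with access needs a breach notification clause, high-priority vendors need a SOC 2 Type II report no older than twelve months, any vendor that handles PHI needs a signed BAA, and the inventory is reviewed quarterly.

```python
"""Vendor risk triage over a constructed vendor inventory.

Added example, not code from the original article. Inventory rows, vendor
names and thresholds are constructed assumptions for illustration.
"""
import csv
import io
from datetime import date

INVENTORY_CSV = """vendor,access,data_sensitivity,breach_notification_clause,soc2_type2_date,baa_signed,last_review
CloudEHR Inc,remote admin,phi,yes,2024-03-01,yes,2025-01-15
BillingPro,api,phi,no,,no,2024-06-01
OfficePrint Co,none,public,no,,no,2024-12-01
RemoteIT Helpdesk,remote admin,client_files,yes,2023-09-15,no,2025-02-10
"""

SENSITIVE = {"phi", "financial", "client_files"}
SOC2_MAX_AGE_DAYS = 365   # assumption: an annual report is current for 12 months
REVIEW_INTERVAL_DAYS = 90  # quarterly inventory review

NO_NOTIFICATION_CLAUSE = "agreement lacks a breach notification clause"
NO_SOC2 = "no SOC 2 Type II report on file"
STALE_SOC2 = "SOC 2 Type II report older than 12 months"
NO_BAA = "handles PHI without a signed BAA"
REVIEW_OVERDUE = "quarterly inventory review overdue"


def load_inventory(text):
    """Parse the CSV inventory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def priority(vendor):
    """High priority: sensitive data or remote administrative access."""
    if vendor["data_sensitivity"] in SENSITIVE or vendor["access"] == "remote admin":
        return "high"
    return "low"


def findings(vendor, today):
    """Gaps for one vendor, in the order a reviewer would raise them."""
    gaps = []
    has_access = vendor["access"] != "none"
    if has_access and vendor["breach_notification_clause"] != "yes":
        gaps.append(NO_NOTIFICATION_CLAUSE)
    if priority(vendor) == "high":
        if not vendor["soc2_type2_date"]:
            gaps.append(NO_SOC2)
        elif (today - date.fromisoformat(vendor["soc2_type2_date"])).days > SOC2_MAX_AGE_DAYS:
            gaps.append(STALE_SOC2)
    if vendor["data_sensitivity"] == "phi" and vendor["baa_signed"] != "yes":
        gaps.append(NO_BAA)
    if (today - date.fromisoformat(vendor["last_review"])).days > REVIEW_INTERVAL_DAYS:
        gaps.append(REVIEW_OVERDUE)
    return gaps


def triage(text, today):
    """Map vendor name -> (priority, findings), high-priority vendors first."""
    rows = load_inventory(text)
    rows.sort(key=lambda v: priority(v) != "high")  # stable sort keeps CSV order within a tier
    return {v["vendor"]: (priority(v), findings(v, today)) for v in rows}


if __name__ == "__main__":
    for name, (tier, gaps) in triage(INVENTORY_CSV, date(2025, 4, 1)).items():
        print(f"{name} [{tier}]: {'; '.join(gaps) or 'no findings'}")
```

On the constructed inventory the billing vendor surfaces at the top with four gaps, which is the point of the exercise: the vendor with the most sensitive data and the weakest paperwork is the one to fix first. The same script, run quarterly against the real spreadsheet export, is the "ongoing burden" the answer describes.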
We have remote employees. How does that change the security equation?
Remote employees extend your attack surface in two directions. First, they operate on home networks that are not managed by your firm, which creates unmonitored entry points into your cloud environment. Second, they often access company systems from personal devices that are outside your patch management and EDR coverage. The controls that address remote employee risk most directly are conditional access policies that restrict logins from unexpected locations or devices, mobile device management for any device accessing company data, and EDR deployed to company-issued endpoints regardless of where those endpoints operate. If employees use personal devices to access company email or files, that creates a gap that policy alone cannot close.
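The conditional access logic this answer describes, replayed over constructed sign-in events as an added example. This is not Microsoft Entra or Google Workspace code and not code from the article; it simulates the decision a location- and device-aware policy makes, so the difference between a managed, compliant company laptop and a personal device is visible. The field names are assumptions loosely modelled on cloud sign-in log records.

```python
"""Conditional access decisions replayed over constructed sign-in events.

Added example, not code from the original article and not vendor code. Field
names and policy keys are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str            # geolocation of the source IP
    device_managed: bool    # enrolled in MDM, so EDR and patching reach it
    device_compliant: bool  # MDM reports encryption, EDR and patch state healthy
    mfa_completed: bool
    password_valid: bool


# Two policies: the lenient one only asks for MFA; the strict one also blocks
# unmanaged or non-compliant devices and sign-ins from untrusted countries.
LENIENT_POLICY = {"trusted_countries": {"US"}, "block_untrusted_countries": False,
                  "require_compliant_device": False}
STRICT_POLICY = {"trusted_countries": {"US"}, "block_untrusted_countries": True,
                 "require_compliant_device": True}

ALLOW, REQUIRE_MFA, BLOCK, BAD_CREDENTIALS = "allow", "require_mfa", "block", "bad_credentials"


def evaluate(sign_in, policy):
    """Decide one sign-in. Conditional access runs after the first factor succeeds."""
    if not sign_in.password_valid:
        return BAD_CREDENTIALS
    if policy["block_untrusted_countries"] and sign_in.country not in policy["trusted_countries"]:
        return BLOCK
    if policy["require_compliant_device"] and not (sign_in.device_managed and sign_in.device_compliant):
        return BLOCK
    if not sign_in.mfa_completed:
        return REQUIRE_MFA
    return ALLOW


def evaluate_all(events, policy):
    """Decisions for a batch of events, in order."""
    return [(event.user, evaluate(event, policy)) for event in events]


# Constructed events. The second is the answer's scenario: a correct password
# used by someone who is not the employee, from an unexpected place and device.
EVENTS = [
    SignIn("alice", "US", True, True, True, True),     # office laptop, MFA done
    SignIn("alice", "RU", False, False, False, True),  # stolen password replayed
    SignIn("bob", "US", False, False, True, True),     # personal laptop, MFA done
    SignIn("carol", "US", True, True, False, True),    # company laptop, MFA pending
    SignIn("dave", "US", True, True, False, False),    # wrong password
]

if __name__ == "__main__":
    for name, policy in (("lenient", LENIENT_POLICY), ("strict", STRICT_POLICY)):
        print(name, evaluate_all(EVENTS, policy))
```

Under the lenient policy the stolen password only gets as far as an MFA prompt, and Bob's personal laptop is allowed in because MFA is the only check. Under the strict policy the replayed credential is blocked outright and Bob's device is refused until it is enrolled, which is the gap the answer says policy alone cannot close: the policy can keep the unmanaged device out, but only device management puts it back inside EDR and patch coverage.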
How often should we revisit our security roadmap?
At minimum, annually. The threat landscape changes, your business changes, and your risk profile changes with both. The practical trigger points for a roadmap review are any security incident or near-miss, any significant change in technology or operations such as a new cloud platform or a remote workforce expansion, any change in regulatory requirements affecting your industry, and any significant change in your vendor relationships. The roadmap is not a document that gets filed and forgotten. It is a living plan that should reflect what your business looks like today and what the threat landscape looks like this year.
Security Investment Glossary for Business Owners
The following terms are used throughout this article and in professional discussions of security investment, vendor risk, patch management, and cloud security. Terms introduced in earlier articles in this series are not repeated here.
Investment and ROI Terms
Expected Annual Loss (EAL)
The probability-weighted average annual cost of a breach, calculated by multiplying annual breach probability by the median breach cost for the industry. EAL is not a prediction of what will happen in any given year; it is a long-run average that provides a financially defensible basis for security investment decisions.
Risk-Adjusted ROI
The return on a security investment that accounts for the full range of possible outcomes, including tail risk scenarios, rather than only the expected value case. Risk-adjusted ROI incorporates the 10th and 90th percentile outcomes from Monte Carlo modeling to reflect the financial value of avoiding catastrophic scenarios, not just average ones.
Security Program Cost
The total annual expenditure required to implement and maintain a comprehensive set of security controls. For a $5 million Michigan SMB, a full security program including MFA, EDR, security awareness training, immutable backup, patch management, incident response planning, and vendor risk management runs between $22,000 and $40,000 per year depending on size, industry, and existing infrastructure.
Patch Management Terms
Common Vulnerabilities and Exposures (CVE)
A public catalog of known security vulnerabilities in software and hardware, run by MITRE Corporation. Each entry receives a CVE identifier; the severity score usually quoted alongside it (CVSS) is published separately, most commonly through NIST’s National Vulnerability Database. Attackers monitor CVE disclosures to identify exploitation opportunities, and for some vulnerabilities exploitation begins within days of disclosure. Automated patch management that deploys fixes within 14 days of release closes most exploitation windows before attacks reach scale; entries on CISA’s Known Exploited Vulnerabilities catalog are already being exploited and warrant faster action.
Zero-Day Vulnerability
A software vulnerability that is unknown to the vendor, or for which no patch is available, at the time attackers begin exploiting it. Zero-day exploits are used in targeted, high-value attacks and cannot be addressed by patching until the vendor ships a fix. They represent a small fraction of total SMB incidents and are addressed through EDR, behavioral detection, and network segmentation rather than patch management.
Patch Cadence
The frequency and schedule on which software updates are deployed across an organization’s systems. Best practice for SMBs is a 14-day patch cadence for critical and high-severity vulnerabilities and a 30-day cadence for medium-severity updates. Patch cadence is a documented metric that cyber insurance underwriters increasingly request as evidence of security program maturity.
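Measuring cadence against the 14- and 30-day targets in this entry, as an added example (not code from the article). The patch records are constructed and the identifiers are placeholders, not real CVE IDs; the 90-day target for low-severity updates is an assumption the entry does not state. The output is the kind of figure an underwriter asks for: what share of fixes met the target, and which are overdue today.

```python
"""Patch cadence measured against severity-based targets.

Added example, not code from the original article. Records are constructed;
the identifiers are placeholders, and the low-severity target is assumed.
"""
from datetime import date

SLA_DAYS = {"critical": 14, "high": 14, "medium": 30, "low": 90}

# Constructed records: release date of the fix and the date it reached the
# last in-scope endpoint (empty when still outstanding).
PATCH_RECORDS = [
    {"id": "upd-001", "severity": "critical", "released": "2025-03-10", "installed": "2025-03-18"},
    {"id": "upd-002", "severity": "high",     "released": "2025-03-01", "installed": ""},
    {"id": "upd-003", "severity": "medium",   "released": "2025-03-15", "installed": ""},
    {"id": "upd-004", "severity": "medium",   "released": "2025-02-01", "installed": "2025-03-20"},
    {"id": "upd-005", "severity": "low",      "released": "2025-01-01", "installed": ""},
]


def assess(record, today):
    """Days the fix has been available (or took to install), its target, and a status."""
    released = date.fromisoformat(record["released"])
    target = SLA_DAYS[record["severity"]]
    if record["installed"]:
        days = (date.fromisoformat(record["installed"]) - released).days
        status = "within_sla" if days <= target else "installed_late"
    else:
        days = (today - released).days
        status = "within_sla" if days <= target else "overdue"
    return {"id": record["id"], "severity": record["severity"], "days": days,
            "target_days": target, "status": status}


def assess_all(records, today):
    """Assess every record against the same reference date."""
    return [assess(record, today) for record in records]


def sla_compliance(results, severities=None):
    """Share of patches that met their target, optionally limited to some severities."""
    chosen = [r for r in results if severities is None or r["severity"] in severities]
    if not chosen:
        return 1.0
    return sum(r["status"] == "within_sla" for r in chosen) / len(chosen)


def overdue(results):
    """Identifiers still outstanding past their target."""
    return [r["id"] for r in results if r["status"] == "overdue"]


if __name__ == "__main__":
    results = assess_all(PATCH_RECORDS, date(2025, 4, 1))
    for r in results:
        print(f"{r['id']} {r['severity']:<8} {r['days']:>3}d / {r['target_days']}d  {r['status']}")
    print(f"overall compliance: {sla_compliance(results):.0%}")
    print(f"critical/high compliance: {sla_compliance(results, {'critical', 'high'}):.0%}")
    print(f"overdue: {overdue(results)}")
```

The critical/high figure is the one to report, since that is the cadence the entry sets at 14 days; on the constructed data it is 50%, with one high-severity fix 31 days old and still outstanding. A patch installed late still counts against the metric, which is why "we eventually patched it" is not the same evidence as a documented cadence.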
Cloud Security Terms
Shared Responsibility Model
The division of security obligations between a cloud provider and its customers. Cloud providers are responsible for securing the underlying infrastructure; customers are responsible for securing their data, identity management, access controls, and configurations within that infrastructure. In Microsoft 365 or Google Workspace, for example, the provider runs the service, but the tenant’s MFA settings, sharing permissions, and backups of its own data remain the customer’s responsibility. Misunderstanding the shared responsibility model is a leading cause of cloud security failures in SMB environments.
Conditional Access Policy
A rule-based control, typically applied in Microsoft Entra ID (formerly Azure Active Directory) or Google Workspace, that restricts system access based on conditions such as the user’s location, device, time of day, or sign-in risk level. Conditional access policies are a cost-effective layer of protection in cloud environments that reduces the risk of a stolen password being converted into unauthorized system access.
Data Loss Prevention (DLP)
A set of controls that monitor and restrict the movement of sensitive data outside authorized channels. DLP policies can prevent employees from emailing client files to personal addresses, uploading sensitive documents to unapproved cloud storage, or printing regulated data. For businesses subject to HIPAA, the FTC Safeguards Rule, or Michigan’s data protection statutes, DLP policies contribute to regulatory compliance documentation.
Vendor Risk Terms
SOC 2 Type II Report
An independent attestation report issued by a licensed certified public accounting firm that evaluates a technology vendor’s security controls as they operated over a defined period, typically six to twelve months. A SOC 2 Type II report is the standard evidence of security program maturity for cloud and technology service providers. Requiring it from critical vendors is a common way to meet the service-provider oversight obligation of the FTC Safeguards Rule and a defensible due diligence standard under HIPAA.
Business Associate Agreement (BAA)
A contract required under HIPAA between a covered entity such as a medical practice and any vendor that handles protected health information on its behalf. A BAA establishes the vendor’s security obligations and breach notification requirements. A medical practice that shares patient data with a vendor without a signed BAA is itself in violation of HIPAA for that disclosure, regardless of how the vendor later handles the data.
Written Information Security Plan (WISP)
A documented security program required of tax preparers under the FTC Safeguards Rule, with IRS Publication 4557 explaining the obligation for tax professionals. A WISP specifies how a firm protects client financial information, which controls are in place, who is responsible for security decisions, and how the firm responds to a breach. The Safeguards Rule requires that the program be kept current as the business and its risks change and that it be tested, through annual penetration testing and twice-yearly vulnerability assessments unless continuous monitoring is in place. Cyber Protect LLC builds WISP-compliant programs for Michigan accounting and tax preparation firms as part of its core service offering.
Build Your Security Roadmap with Cyber Protect LLC
This series was built to give Michigan business owners the analytical foundation to make intelligent security investment decisions.
Cyber Protect LLC works with businesses in legal, medical, accounting, real estate, and construction across Michigan to build security programs that are practical, affordable, and grounded in real risk data.
Pricing is tailored to meet your specific needs and risk profile. Flat-rate options are also available.
Visit www.cyberprotectllc.com or call us at (586) 500-9300 to speak with a Michigan cybersecurity specialist.
“No Geek Speak. No Hassles. Just Real Protection.”
Editorial note: This article was drafted with AI tools and reviewed by cybersecurity professionals at Cyber Protect LLC for accuracy, clarity, and relevance.
About the Author
Cheyenne Harden
CEO