Dollars and [Uncommon] Sense: The Cost of Physical Security Testing.
The Video
Intro
So you’ve decided to add a physical security component to your next offensive security assessment. Great, now how should you scope and, more importantly, what should you pay for it. In this Three Minute Thursday, we’re gonna break down how much you should pay for your next physical security engagement.
Not All Assessments Are Created Equal.
For starters, pricing in the cybersphere is still somewhat subjective and, just like wine, cost isn’t always tied to quality. What’s important is that, just like your penetration testing, you select a vendor you trust to complete a thorough assessment.
We’ve all heard someone say, “You can’t prove a negative.” While this may be scientifically true, my first question when I hear that is, “Yes, and what did you try that led you to that conclusion?”
Who?
Select a vendor that has a demonstrable track record for successful engagements. Don't be afraid to ask about how many they've done, what style they prefer, and what a typical engagement looks like start to finish. Ensure your vendor has a reputation for going above and beyond and if they tell you it's been tested and it's secure, you genuinely believe they tried all reasonable measures to arrive at that conclusion.
What?
So you’ve got the who, now you need the what. At SEVN-X we break physical engagements into three styles. Technical. Social Engineering. Walkthrough. I’ll be describing the goals and details of these styles in a future video but for now, know that each of these is designed to assess a different element of your physical security.
If you’d like to find out more about each of these, contact us here.
Another key consideration that drives price is the cost that goes into making these engagements happen on the backend. There are insurance requirements, law enforcement contact, planning, preparation, on-site recon, maybe even the use of drones. All of that goes on behind the scenes when conducting technical testing.
For social engineering tests, recon, sourcing uniforms, and other props, will incur some costs. Finally for walkthroughs, cost will generally align more with standard consulting hours based on size and number of facilities. Unlike a pentest, we also like to allocate at least two operators to each engagement for obvious reasons. Speaking of numbers...
Where (How Many)?
If you’re a one-office-kind-of-company, this is an easy one, pick the only option you have. However, if you have multiple sites, consider a test at each one. For larger organizations consider a sample set that represents each type of facility. Take a bank for example. A bank can have multiple branches: a few stand alone, maybe some locations inside other buildings (e.g., a grocery store), and they usually have a corporate headquarters. I’d recommend the HQ, one shared space location, and one stand alone branch at a minimum.
How Much?
We price our assessments on a per site / per style basis and align the fee commensurate with our hourly rate. So the next question is how long do these things take?
We find that the smallest level of effort required for a site is approximately 20 hours. Conversely, our average top end is closer to 50hrs, though we have some (e.g., out of country, very remote, very technical, etc.) that break the mold, so we'll exclude those for now.
Here's a chart from the video that shows the low and high ends of the budget you should have for adding one of these to your next assessment (or consider doing it as a stand alone test). In short, the average cost of a physical security assessment is between $3,600 and $15,000.
Summary
Hopefully this helps shed light on how valuable this type of testing is and how much you should budget for conducting one. We're always here to chat if you have questions and thank you for stopping by.
-Matt