Before we get too far into this conversation, I do want to make something clear. Vendors should be able to add a bit extra to the price tag when it comes to providing security measures. However, it should not double or triple the cost of the service you are getting. You should also not need to bump up a tier to get security (from a business or pro plan to enterprise). Doing that is just not cool. Yet this is what we see almost across the board. We are even seeing cloud providers locking down their APIs unless you have the higher tier subscriptions. Again, we are not talking about a few dollars here and there, but more than 100% increase in cost. Moving from MS365 Small Business Premium to MS365 E5 is $37 per user per month.
Other security features like Single Sign On and even multi-factor authentication can have an add-on price just to use them. It has gotten bad enough that there are even sites that are tracking services that add in a security tax on top of the regular amount you must pay just to use the service. These services do not always have to be free, but it would be nice to see them not cost so much and to be offered at more stating tiers.
Starting and running a small business it hard, it costs money. Most of the time it is money that you do not even have (Venture Capital or Loans). That means you are starting out in the hole and trying to climb out from day one. As you are planning out expenses, you are planning out expenses you are going to be const conscious. If adding proper security to a cloud service offering is going to double your costs, it is likely to be left as a “do later” item. Attackers know about this mindset and are looking to go after the exposed targets, if for nothing else than access into the cloud service. The security tax has created an entire class of organizations that are open to attack and ripe for the picking. No, they are not the targets for the ATP groups, but they are targets for the Malware as a Service consumers. They offer the best return on their investment and take advantage of the security tax all the time.
As you are planning out your services (or looking to renew them) see what their security tools cost, if they are doubling your budget or adding too much overhead maybe it is time to look for a replacement. If enough organization make this type of move, it could change the way the industry treats security and that would be a good thing.