In IT security, sometimes it’s what you don’t know that hurts you – but sometimes it’s what you already know but never get around to acting on.
Startlingly, a full 89 percent of security breaches in early 2013 would have been avoided merely by implementing commonly known security controls and best practices, according to a 2014 study cited by Peak 10 security partner SilverSky. Many organizations probably have a nice checklist of security actions they mean to get around to, but just haven’t had the time.
But then there are the security measures you just don’t know about. Maybe you have the best hardware and software tools, but they’re not configured to resist the latest hacker tricks. Or maybe a new threat emerges that nobody saw coming. Remember the “Heartbleed” bug? Even though this SSL bug had existed since December 2011, nobody identified it as a threat vector until April 2014.
Either way, the impact of mismanaged security is dire. Verizon’s 2014 Data Breach Investigations Report , inspecting 63,000 incidents in 95 countries, will quickly get your attention. A couple of key observations:
- Although 60 percent of breaches are for financial reasons, intellectual property and espionage incidents are a growing threat at 25 percent.
- The speed with which hackers perform their exploits is consistently outstripping the pace of discovery.
- The biggest categories of breaches involving actual theft of data are web app attacks (35 percent) and cyber-espionage (22 percent).
Those breaches do not come cheap. A data breach now costs a company an estimated $3.5 million – with the costs trending upward every year.
So how do you tighten up your security infrastructure? For a mid-sized company, the tradeoffs are painful. You may not have a chief security officer with a team dedicated to tuning up the infrastructure, checking hardware passwords, monitoring the tools and investigating incidents. Amidst daily demands for business improvement or resolving internal issues, security can easily slide to the back burner. But no company, no matter the size, is immune from attack.
For a business without a dedicated security team, the answer is to hire one: a managed security provider (MSP). An outsourced security team focuses entirely on your organization’s security without the distractions an internal staff faces. Chances are that an expert team can do it more efficiently and more consistently than your internal team can – which brings a host of advantages.
1. Gain Control
It’s a common misperception that when you outsource security functions, you are left with less control over the results. In reality, it’s the reverse: the collaboration multiplies your control. When you aren’t solely responsible for the details of how security gets done, you and your MSP can shift your attention to the bigger picture. By selecting the right managed security vendor, you immediately access high-level expertise that would take months or years to build internally. These experts augment your internal team by applying industry best practices to your environment.
For instance, you may have the best hardware and software tools, but if you haven’t configured them right, the latest hacker exploits will still get through. You’ll also benefit from expert assessment of risks in your customer-facing staff and applications. And finally, you’re never short-staffed, either because of employee turnover or unforeseen fire drills: your MSP’s staff augments your team to get the job done.
The result? The out-of-control security checklist comes under control, and you’re confident it’s done right.
2. Play Offense, Not Defense
New technologies, new strategies and new devices are great for your business. In general, the more information connections available to employees and customers, the better. The dark side of that openness, however, is that these same connections can become avenues for intrusion if not properly managed.
That’s why a distinct, dedicated security team makes so much sense. The MSP can play defense while your team stays on the offense.
The optimal use of your internal team is to help make your business better. You live at the heart of the profit engine, supporting new strategic initiatives, solving customer issues and satisfying the line-of-business managers. Those are business-critical tasks your organization can’t easily outsource.
Meanwhile, you can’t afford to get distracted by the minutia of security management. If you diverted all your resources to locking down security, theoretically you could make yourself a rock-solid, secure infrastructure – in a company that’s going nowhere.
Your MSP brings the security practices to balance your growth. Until they audit your environment, you may not even know all the devices and applications that are accessing your system. Then the provider will offer comprehensive services such as security planning, unified threat management, automated threat blocking, failover compatibility and real-time reporting.
3. Stay Current
If you had unlimited time, you could read the journals and websites required to stay on top of the news. Almost daily, new threats are identified, security best practices are improved and tools are sharpened. But staying ahead of hackers is a distressingly time-intensive endeavor.
Here’s where a MSP really shines. First, its dedicated team actually does stay current with the state-of-the-art on a daily basis. More significantly, its security knowledge and skills are being fine tuned with a variety of clients every day. Your organization benefits from the research and techniques developed for all of your vendor’s clients.
The widespread alarm caused by the revelation of the “Heartbleed” bug put many organizations and help desks into a frenzy. Establishing a sensible course of action took several days, during which time half-baked advice ricocheted around the Internet. In an episode like this, an outside team dedicated to security expertly helps you cut through the news clutter to pinpoint your best action plan.
4. Address Compliance
Many organizations first get serious about security when governmental regulations loom. The need to comply with the details of regulatory requirements can multiply your security concerns overnight.
Top MSPs bring thorough knowledge of PCI, HIPAA or whatever regulations you’re under. They assist you in analyzing security needs for data retention, disclosure and access, as well as reviewing the surrounding infrastructure and employee practices. Your security team collaborates with you in putting the right controls in place to guard what’s important in a compliant fashion.
If some aspects of your business are in the cloud, all the better. Industry-leading vendors such as Peak 10 have specific cloud offerings around HIPAA and PCI. Hosting your infrastructure in a compliant cloud streamlines and integrates security without taxing your internal resources.
5. Make Good Choices
Security is never 100 percent. That’s why your MSP’s methodology for prioritizing coverage is so important.
What do you most need to protect? A good priority list will help you choose to deploy your MSP’s energy where it helps you the most.
Begin with a thorough outside audit of your organization. That will reveal troves of treasure that are worth a lot to your business, and perhaps a few things that really don’t matter as much. With corporate (and international) espionage growing, you may need to strengthen protection of your intellectual property. Or maybe customer data is the irreplaceable treasure. You make the choices.
Then you build the security plan. Your MSP functions as the expert consultant here to ensure that the plan maximizes the value to your organization with minimal disruption.
While you’re at it, build an integrated plan for disaster recovery. In the event of an unforeseeable breach or loss, you want to be ready with an immediate plan for action, including both system recovery and public communication. An organized incident response will do much to calm anxious customers and avoid confusion.
6. Mute Email Annoyances
One of the quickest “wins” the MSP can provide is managed email security. Email has become both the backbone for distributing business information and at the same time a disturbing vector for intrusion. Email arrives on so many devices and readers that it seems like an insurmountable task to get it under control. But it can be done.
Peak 10’s email services handle as many as 10 million messages each day, scanning for viruses or SPAM, and forwarding only valid messages – greatly reducing the load on your internal systems. It’s all managed transparently, with just a simple DNS MX record update, so the impact on users is minimal.
You gain better email security, higher reliability and a full web-based configuration tool to adjust performance.
Security concerns aren’t going to disappear in the foreseeable future. Businesses will always have to stay alert to keep ahead of the bad guys. However, security doesn’t need to be a daily distraction for IT management. In partnership with a strong MSP, organizations can get better security control, better focus on strategic business concerns and, best of all, the confidence that the right security practices are in place.
For more information on Cloud Security, read the eBook on 13 Tips for Cloud Security