Cyber Scam or Cyber Security?

October 18, 2023
Reading Time: 4 mins
Author: Ray Sweeney

Many businesses are reporting that they are feeling pressured by their MSP (Managed Service Provider) to purchase additional cyber security products and services. According to a recent study by the Ponemon Institute, 58% of businesses share this concern.

Additionally, these recommendations often come with little consultation or explanation, adding further pressure.

Business leaders are not wrong for sometimes doubting the recommendations put in front of them. With the cyber security industry projected to reach $4.3 billion AUD by 2026, there is no shortage of ambulance chasers looking to make quick sales.

For some businesses, cyber security products & services can appear to be just as much of a scam as those they are trying to protect themselves from.

So how do you determine what cyber security products you actually need for your business?

In this post, we will talk about the challenges of knowing the difference between the scams and the essentials.

Levels of Understanding

The first roadblock business leaders face is their relatively low understanding of cyber security and its impacts on business.

A survey by Trustwave found that 28% of businesses were unsure about the effectiveness of additional security services suggested by their MSP.

Do you believe that investing in cyber security is worth the money?

Two major factors lead people to answer no.

  • SMBs commonly underestimate the level of risk and impact of a cyber incident.
  • SMBs struggle to understand what real-world benefits security solutions will have.

A staggering 87% of SMBs believe they are immune to cyber threats. In reality, no SMB is immune and very few are even adequately protected from threats.

Even when SMBs adequately assess their level of risk, a challenge emerges in actually understanding what to do about it.

Levels of Trust

In the absence of understanding, trust is critical. How can you ensure that your MSP is trustworthy?

Businesses should be careful in trusting MSPs when their recommendations can be easily swayed by confirmation bias and the commercial opportunity in front of them.

Do you trust your MSP?

These things might make you second guess your current level of trust:

  • The 50% Rule
    If the majority of your recommendations come with a quote, you don't have security. At least 50% of recommendations should be 0-cost items that result from ongoing security reviews. MSPs making recommendations solely in the form of new solutions are being prompted by sales opportunities.
  • The Seatbelt on the Airplane
    If you've been told you're secure because you have updated Anti-Virus (AV) and Firewalls, you're being misled. With 71% of breaches involving no malware, data now living in the cloud and hybrid working arrangements the norm, AV and Firewalls have never been less relevant. Like a seatbelt on a plane, they are still required, but their impact is largely symbolic at this point.
  • Security for the Sake of Security
    Ever get proposals where the justification is 'it's more secure'? Security is pointless unless it's protecting something valuable. An MSP that has your needs in mind should be able to relate their suggestions to specific risks in your business operations. If they are unable to do this, they may not understand your business and the advice could be invalid.

Ultimately you need to have a level of trust with your MSP. However, it is important to regulate that trust by understanding what biases or incentives may be influencing their advice. Blind trust is never a good thing; you should be in a position to have clarity regarding your spending decisions.

Levels of Certainty

A lack of technical knowledge should not preclude you from having certainty around cyber security products & services. In fact, in many ways, it should be a positive.

There are things you should know before investing in cyber security. Commercial requirements should dictate security requirements.

Cyber security exists to serve the business, not the other way around. Likewise, security advice should not be based on what other businesses are doing, but on what you need.

Your MSP should be able to advise how your current setup performs against your expectations and recommend how to bridge any gap between them. Anchoring each decision to a 'plain-English' business objective should make those decisions easier.

Some items to consider:

  • How long could you afford to be without access to your data?
  • Would customers leave if you had to notify them that their data had been compromised?
  • Do you have contracts with data security requirements and declarations?
  • Do you require certain 'ticks in boxes' to maintain compliance with your insurance?

Undoubtedly, you should have a level of certainty that would let you answer these types of questions in front of a board on short notice. If this is not the case, what are you really getting for your money?

Given the constant changes and evolution in cyber security, listing today's essentials would quickly become outdated. However, the longstanding advice still holds: you can differentiate between the scams and the essentials by asking the right questions.

In summary, the validity of offerings can be evaluated by answering a few simple questions:

  • What are the motives of the MSP making the recommendations? (sales or service)
  • Are the recommendations feature-heavy? ('more secure' vs. business objectives)
  • Is it being primarily presented as 'the next thing'? (made for market or made for you)

Feeling a little scammed by your managed service provider? Book a chat with us if you want to learn more about how you can address cyber security with trust, certainty & understanding.