
Is your business really secure from cyber threats?

There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving, with its rules adapting every few months. Consequently, effective cyber security has become as much, if not more, reliant on process as on products. In other words, it's more about how security is managed than about the actual technology in place. So, if it's all about process, how does a small business that outsources its IT really know if it is secure?

The unfortunate truth is that most business leaders rely on blind trust.

Whether it be misplaced trust, ignorance, or a combination of both, most businesses are far more at risk than their leaders or owners are aware. This gap in understanding, and the resulting lack of action, is contributing to many businesses becoming more and more exposed when it comes to data breaches, data loss and insurance issues.


The Reality for Many Businesses

When outsourcing IT, many businesses quite rightfully expect that their provider is looking out for them on the cyber security front. Whilst this is generally accurate, there are many levels to cyber security. More often than not, the protection a business actually has is very different from where they think they are.

Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.

Your provider should be held accountable for communicating your exposure, providing recommendations, and giving you the ability to make clear and confident decisions. Commonly this dialogue is not routine; rather, it is instigated either by the client in reaction to a director's concern, or by the provider in the context of a new product they have to sell.

If your provider is not driving the security conversation proactively, then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to talk to you about it.


What is 'secure'?

Being secure is like being healthy: despite everyone having a different opinion on what it is, you know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.

If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10 kg? Do you want to gain 10 kg? Do you want to run a mile? Or do you want to climb a mountain?

Without understanding what you are trying to achieve, they would be ineffective in helping you reach your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks and the impacts that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.

This is pretty easy to test. If you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe, or worse, begin to sell additional products and uplifts, then they are not conditioned to listen and understand your needs.

Some important things to consider when defining what 'secure' means to you:

  • What is the impact of downtime as a result of a cyber attack?
    A business with minimal transactions of high-value products often has less risk than one with frequent small transactions. Losing a day's transactions could create irreparable damage to customer relationships in some settings.
  • What is the impact to your clients in the event of a breach?
    Many clients are now imposing compliance requirements covering various elements of data security. There could also be legal ramifications to a data breach.
  • Would you lose business if you had to declare a data breach to all customers and suppliers?
    You have an obligation to advise others if you experience a data breach. What reputational damage would such a breach create, and what might happen as a result?
  • What is your level of liability, and how are you protected?
    It's possible that directors may soon be liable for negligence around cyber security. Additionally, insurance companies are providing little leeway for businesses that are caught out.

The above questions, and others like them, are all about understanding exposure and risk. Ultimately it's these elements that should inform what 'secure' means to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy that is either falling short or wasting money.


Separating the Wheat from the Chaff

In any case, there are those who operate an effective security practice, and those who say they do security with their clients. The latter is far more common, as Managed Service Providers (MSPs) look to create add-ons and low-cost features for their subscription offerings in an effort to make them appear more valuable and appealing.

Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.

The most common security features or add-ons provided by MSPs are:

  • Managed Anti Virus
  • Managed Spam Filtering
  • Managed Backup
  • Managed Updates and Security Patches

Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominantly because they are all low-touch, automated processes provided by the remote monitoring and management systems that MSPs employ.

This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the rider's ability, the roadworthiness of the bike, adherence to speed limits, etc. All of these are just as important, albeit much more difficult and costly to control.

Some of the hallmarks of an MSP that is truly providing an effective security practice include:

  • Security Standards and Policies that are regularly reviewed and implemented.
  • Processes & regular audits designed to ensure that essential security software (as above) is not only operating correctly, but that their configuration remains consistent with changing policies and best practices.
  • Cyber security training & regular testing of users for potential vulnerabilities.
  • Compliance checks, configuration management and routine reporting of key findings.
  • Strategy & Advisory around key decisions to bring security in line with requirements.

Ultimately, if you decide that security is important to you, i.e. it represents a big enough risk to justify investing in it, you need to understand the difference between the above to avoid wasting your money on false assumptions.

You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.

Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.

This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.


Summary

The gap between good and bad is as broad as that between good and great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.

Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.

If you're unable to have this conversation with your provider, are intimidated by the topic, or would just like an outsider's perspective, we would be happy to have a brief chat to get you pointed in the right direction.

Simply give us a call or book a time directly here https://calendly.com/ray-sweeney


As we are all still trying to understand what the lasting impact of the COVID-19 pandemic will be, many organisations are taking a hard look at their operating costs and looking for potential cuts. Protecting cash flow is vital right now. At Sensible we want to help you implement strategies that can help reduce your IT costs and set you up with a system flexible enough to support your business through the many changes (or pivots) you might be making to position yourselves to thrive through it all. We want to offer you guidance and support through these times, and potentially help you save some money.

Step 1- Do an Internal Audit

Take a look at your current technology solutions. Take stock of everything you are paying for and ask yourself these questions:

• Is this the right system for my business? Does it accomplish all I need it to?

• Are we currently utilising all the tools we are paying for? Can we cut any?

• Do we lack internal processes? Are there ways I can improve efficiency and save our employees' time?

Step 2- Cut Any Redundant or Unnecessary Services

The easiest way to reduce costs is to get rid of what's not working. Many companies have a habit of purchasing a new tool or service to meet an immediate need. Little do they know they usually already have a tool that could meet that need; it's just not being used properly. Here is a free tip: do you have Office 365? Most companies get this package so they can use programs like Word and Excel, but don't fully utilise the other apps that come with it. Microsoft Teams can easily replace Slack and Zoom, and SharePoint or OneDrive can do the job of Google Drive and Dropbox. You're already paying for Office 365, and the tools themselves are more powerful, providing integration of your information and files across all the apps. You might simply need some training or guidance on how to implement these tools into your business processes, and we can help with that.

Step 3- Evaluate Whether It’s Cost Effective to Manage Your Own IT

Is IT your core skill set? Will you ever be as efficient and skilled as a complete team of specialists? Often your time will be better spent doing what you are best at than wasting countless hours trying to learn an entirely new skill set. Additionally, can you really afford not to do IT the right way? Payroll and training costs alone can be a nightmare. Outsourcing a portion of your IT needs to a third-party resource like Sensible can help you simultaneously improve your technology management and potentially save money. If you're currently relying on an internal IT manager or a small internal team, are they struggling to keep up with the tsunami of complex and ever-changing technology needs and services? Important competitive projects may be delayed while your team completes training, and you become the test environment for their new skills, increasing your risk. Sensible offers a full-service solution for your IT needs, resulting in a higher standard than most organisations can achieve in-house.

Step 4- Don’t Pay for Quick Fixes, Invest in A Reliable Solution

How does your current IT resource handle your technology needs? Are you currently working with a “break-fix” style of management, where you pay for problems as they occur whether or not they happened before? Or are you paying a predictable monthly fee for a process that analyses your business, looks for opportunities to improve your staff productivity and tries to prevent problems in the first place? We believe you should engage a provider like us, who trusts their systems to offer you unlimited support for a fixed fee. Those quick fixes add up quickly, and with the right solution, you can eliminate them.

Step 5- Plan for The Future, Secure Your Information

As we are working remotely, it is more imperative than ever to understand how to protect your data. Protecting your finances, your reputation, and your intellectual property can be costly, especially if not implemented properly. However, it is even more expensive if you don't protect them adequately at all. Adhering to compliance regulations can be costly and often means implementing and maintaining a stringent security infrastructure. Do you have the expertise to do this most cost-effectively?

We could cover many more steps to take, but these are the areas where we think you can make the most impact on you and your business. If you’re hesitant about tackling this problem on your own, that’s okay! We encourage you to contact Sensible. We can help you identify these problems and guide you on how to solve them. Give us a call!

As end users of Google's suite of productivity-enhancing tools, we all have a right to know that the company is doing everything in its power to protect its billions of users, whether they are working from a desktop, browsing while on the go, or working remotely. But what measures does Google have in place to keep all its thousands of users safe and secure in the face of rising cyber crime? How can you be sure that, no matter what device you are using, you stand the best chance of protecting yourself from attack?

With more than one billion people using Google's search engine on their desktops, and over a billion more accessing it through mobile devices, it is clear that security is, or should be, paramount. Google already claims to protect desktop users with its Safe Browsing service, but what about its mobile users?

With cyber threats ranging from the annoying, such as adware, to the unsavoury (hello, spyware) and the downright terrifying (ransomware, we're looking at you), mobile device users are increasingly demanding to know that they are being adequately protected when using Google's products, tools and services. Therefore, to protect the mind-bogglingly large number of people who are using Google on their smartphones, laptops, notebooks and tablets, Google recently unveiled plans to extend its Safe Browsing service to mobile users, or at least to those who are using Chrome on an Android device.

Whether you regard this as a blatant ploy to get users to switch to Android is something we’ll let you decide for yourself, but the fact is that Google is taking steps to protect its users. Back in August 2014, the company bolstered its Safe Browsing warnings with messages alerting users to unwanted software programs trying to sneak onto their computers by attaching themselves without warning to a legitimate download. In addition, both the Android platform and the Google Play Store have security measures in place to weed out potentially dangerous apps.

However, not every cyber security threat comes from an app or installation, so while Google is doing the right thing by guarding against threats in these areas, there are other issues that require a different means of protection. Enter social engineering, and phishing in particular, which can cause untold harm, such as data or identity theft, to a business or individual.

In order to protect against social engineering, an up-to-date list of malicious websites needs to be stored on the device; this enables Google to alert the user before they get ambushed. But there are problems with this which Google has had to overcome, not least of which is how to keep the list updated in the face of new threats. Compounding this issue further are factors that are unique to mobile browsing: mobile data speeds can be slow and connectivity patchy, depending on where the user is. A fast, stable connection is crucial when the timing of an alert is paramount. Not only that, but using mobile data costs the end user money!

Bandwidth (and battery) limitations mean Google has had to find a way to ensure the data it sends to users is as small as possible. Protecting customers is crucial, but so too is not sapping battery life and data plans. Because this boils down to connectivity and speed factors, a device's location is now taken into account. For example, if a known phishing scam is only affecting certain locations, only devices in that part of the world receive a warning.

Google also prioritises data by sending information on a need-to-know basis; in other words, bigger threats take precedence over more minor issues. The software has also been designed to limit network traffic, and to be as light as possible on memory and processor usage.

Since its announcement in early December, Google is now protecting all Chrome users on Android devices by default, making Safe Browsing part of Google Play services from Version 8.1 onwards. Chrome Version 46 is also the first app to initiate Safe Browsing.

How do you know whether you are protected by Safe Browsing? Go to your settings in Chrome and check your Privacy menu.

Google is obviously trying to improve its game, which is great. However, we believe that businesses need as much protection as possible, now. This is why we are constantly researching and testing extra tools and practices that do assist.

How do you know if your small or medium-sized business stands the best chance of survival in the face of a cyber attack or phishing scam? Talk to us today and we’ll be more than happy to share our up-to-date knowledge with you.

Published with permission from TechAdvisory.org.