There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving with it's rules adapting every few months. Consequently, effective cyber security has become as much if not more reliant on process over products. In other words, it's more about how security is managed rather than the actual technology in place. So, if it's all about process, how does a small business that outsources their IT really know if they are secure?
The unfortunate truth is that most business leaders rely on blind trust.
Whether it be misplaced trust, ignorance, or a combination of both; most businesses are far more at risk than their leaders or owners are aware. This gap in understanding and resulting lack of actions being taken is contributing to many businesses becoming more and more exposed when it comes to data breaches, data loss and/or insurance issues.
When outsourcing IT, many businesses quite rightfully have an expectation that their provider is looking out for them on the cyber security front. Whilst this is generally accurate; there are many levels to cyber security. More often not, the reality of the protection a business has is very different to the expectations of where they think they are.
Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.
Your provider should be held accountable for communicating your exposure, providing recommendations, and providing you the ability to make clear and confident decisions. Commonly this dialogue is not routine but rather is instigated either by the client in reaction to a directors concern, or brought about by the provider in the context of a new product they have to sell.
If your provider is not driving the security conversation proactively then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to be talking to you about it.
Being secure is like being healthy; despite everyone having a different opinion on what it is, you kind of know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.
If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10kgs? do you want to gain 10kgs? Do you want to run a mile? or do you want to climb a mountain?
Without understanding what you are trying to achieve, they would be ineffective in helping you achieve your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks, and impacts that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.
This is pretty easy to test; if you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe or worse, begin to sell additional products and uplifts; then they're not conditioned to listen and understand your needs.
Some important things to consider when defining what 'secure' means to you:
The above questions and others like it are all about understanding exposure and risk. Ultimately its these elements that should inform what 'secure' is to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy that is either falling short, or wasting money.
In either case, there are those who operate an effective security practice, and those that say they do security with their clients. The latter is far more common as Managed Service Providers (MSPs) look to create addons and low cost features to add to their subscription offerings in an effort to make them appear more valuable and appealing.
Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.
The most commons security features or addons provided by MSPs:
Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominately since they are all low touch, automated processes provided by the remote monitoring and management systems that MSPs employ.
This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the riders ability, the roadworthiness of the bike, adherence to speed limits, etc. All of which are just as important albeit much more difficult and costly to control.
Some of the hallmarks of an MSP that is truly providing an effective security practice include:
Ultimately if you decide that security is important to you, ie. it represents a big enough risk to justify investing in it, you need to understand the difference in the above to avoid wasting your money on false assumptions.
You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.
Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.
This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.
The gap between good and bad is as broad as that of good to great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.
Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.
If your unable to have this conversation with your provider, are intimidated by the topic or would just like an outsider's perspective; we would be happy to have a brief chat to get you pointed in the right direction.
Simply give us a call or book a time directly here https://calendly.com/ray-sweeney