Get in Touch

Is your business really secure from cyber threats?

There is a profound difference between feeling secure and being secure. Cyber security is constantly evolving with it's rules adapting every few months. Consequently, effective cyber security has become as much if not more reliant on process over products. In other words, it's more about how security is managed rather than the actual technology in place. So, if it's all about process, how does a small business that outsources their IT really know if they are secure?

The unfortunate truth is that most business leaders rely on blind trust.

Whether it be misplaced trust, ignorance, or a combination of both; most businesses are far more at risk than their leaders or owners are aware. This gap in understanding and resulting lack of actions being taken is contributing to many businesses becoming more and more exposed when it comes to data breaches, data loss and/or insurance issues.

 

The Reality for Many Businesses

When outsourcing IT, many businesses quite rightfully have an expectation that their provider is looking out for them on the cyber security front. Whilst this is generally accurate; there are many levels to cyber security. More often not, the reality of the protection a business has is very different to the expectations of where they think they are.

Effective cyber security requires clear communication of expectations and requirements between business leaders and the provider. Without regular dialogue, your security strategy is going to be misguided at best.

Your provider should be held accountable for communicating your exposure, providing recommendations, and providing you the ability to make clear and confident decisions. Commonly this dialogue is not routine but rather is instigated either by the client in reaction to a directors concern, or brought about by the provider in the context of a new product they have to sell.

If your provider is not driving the security conversation proactively then it is more than likely that your security is lagging well behind your expectations. Cyber security done well takes a lot of work; any provider working hard in this space is undoubtedly going to want to be talking to you about it.

 

What is 'secure'?

Being secure is like being healthy; despite everyone having a different opinion on what it is, you kind of know it when you see it. Likewise, it is important to define goals in the same way that you would with a nutritionist or personal trainer.

If you told a health professional you wanted to be healthier, you would expect them to start asking questions. Do you want to lose 10kgs? do you want to gain 10kgs? Do you want to run a mile? or do you want to climb a mountain?

Without understanding what you are trying to achieve, they would be ineffective in helping you achieve your goals. Similarly, an IT provider needs to take the time to ask questions. They should understand the risks, and impacts that a cyber attack could have on both the commercial and reputational elements of your business. Without this knowledge they are likely to provide little more than good feelings.

This is pretty easy to test; if you tell your provider that you are concerned about security and they immediately respond by explaining all the things they do to keep you safe or worse, begin to sell additional products and uplifts; then they're not conditioned to listen and understand your needs.

Some important things to consider when defining what 'secure' means to you:

  • What is the impact of downtime as a result of a cyber attack?
    A business with minimal transactions of high values products often has less risk than one with frequent small transactions. Losing a day's transactions could create irreparable damage to customer relationships in some settings.
  • What is the impact to your clients in the event of a breach?
    Many clients are now imposing compliance of various elements of data security. There could also be legal ramifications to a data breach.
  • Would you lose business if you had to declare a data breach to all customers and suppliers?
    You have an obligation to advise others if you experience a data breach. What reputational damage would such a breach create, and what may happen as a result.
  • What is your level of liability, and how are you protected?
    It's possible that directors may soon be liable for negligence around cyber security. Additionally, insurance companies are providing little leeway for businesses that are caught out.

The above questions and others like it are all about understanding exposure and risk. Ultimately its these elements that should inform what 'secure' is to you. The standard of 'secure' should be driven by the commercial impact to the business, rather than some arbitrary level of security as defined by the IT industry. If your provider is unable to have this conversation on a commercial level, you have a major gap in your security strategy that is either falling short, or wasting money.

 

Separating the Wheat from the Chaff

In either case, there are those who operate an effective security practice, and those that say they do security with their clients. The latter is far more common as Managed Service Providers (MSPs) look to create addons and low cost features to add to their subscription offerings in an effort to make them appear more valuable and appealing.

Whilst this technically passes the test for 'doing security', it commonly does very little in the modern world towards making an environment secure.

The most commons security features or addons provided by MSPs:

  • Managed Anti Virus
  • Managed Spam Filtering
  • Managed Backup
  • Managed Updates and Security Patches

Whilst these are all essential components of a robust security strategy, simply having them does not ensure any real level of success in regard to cyber security. These features are common predominately since they are all low touch, automated processes provided by the remote monitoring and management systems that MSPs employ.

This is the functional equivalent of putting on a jacket and helmet before riding a motorbike. It will provide the comfort of feeling safe, but ignores all the other variables of safety such as weather conditions, the riders ability, the roadworthiness of the bike, adherence to speed limits, etc. All of which are just as important albeit much more difficult and costly to control.

Some of the hallmarks of an MSP that is truly providing an effective security practice include:

  • Security Standards and Policies that are regularly reviewed and implemented.
  • Processes & regular audits designed to ensure that essential security software (as above) is not only operating correctly, but that their configuration remains consistent with changing policies and best practices.
  • Cyber security training & regular testing of users for potential vulnerabilities.
  • Compliance checks, configuration management and routine reporting of key findings.
  • Strategy & Advisory around key decisions to bring security in line with requirements.

Ultimately if you decide that security is important to you, ie. it represents a big enough risk to justify investing in it, you need to understand the difference in the above to avoid wasting your money on false assumptions.

You shouldn't need to become an expert in cyber security to get the results you require. Your provider should be meeting you on your level to have these discussions.

Like any specialised field, you may not understand all that they do, but you can recognise a mature and competent person/provider in their field when you see them. You can recognise them by the way that they work, the logic of their processes, and ultimately the clarity and insight they are able to provide you regardless of your knowledge in the matter.

This is what great customer service and value is made of, and is likely a cornerstone in your business as it relates to your product or service.

 

Summary

The gap between good and bad is as broad as that of good to great. If you're not getting great clarity and results in regard to cyber security, you really need to assess your needs and consider that you may need to make a change.

Ignorance is not bliss in the realm of cyber security. Likewise, it's important to keep a good balance between security, functionality and costs.

If your unable to have this conversation with your provider, are intimidated by the topic or would just like an outsider's perspective; we would be happy to have a brief chat to get you pointed in the right direction.

Simply give us a call or book a time directly here https://calendly.com/ray-sweeney

 

 

Sales
Support
Email
Sensible Business Solutions © 2022 All Right Reserved
Privacy Policy
magnifiercrossmenuchevron-down