Implementing cybersecurity is like shopping for clothes – everything has to fit. As a managed service provider, how can you ensure the best fit for your customer?
It looks so good on the rack, but when you try it on – ouch! The style, color and fabric are fine, but when it comes to the fit, it feels like it was made for the wrong body. Overlong sleeves that flap about, narrow shoulders so you can’t twist, and the waist in the wrong place. In the business world, this happens when a company occupies an office space that doesn’t match its size or needs. It may be too small or too large, lack meeting rooms or not even have restrooms for night shift personnel. The business may have to pay for a car park that’s too big, or there’s not enough network capacity for business tasks.
In the same breath, a company can feel this way about how it approaches cybersecurity. It may struggle to recognize what’s needed to keep the business secure and be using a service or solution that isn’t fit for purpose. In this scenario, it’s paramount that security service providers understand and respond to specific business demands when offering protection to their customers.
What level of protection works best?
With small companies, made up of several dozen employees, and larger businesses both having similar core cybersecurity functions, it’s possible to become confused about what level of protection would work best. The only way to understand a company’s cybersecurity needs, when the company itself is unclear about what it wants, is to evaluate how the business works and the maturity of its IT. This helps identity the specific tools and level of customization that would suit them best.
Imagine a small company that makes and sells its own brand of clothes locally and has an office of 50 people. The business is rapidly growing: over the past two years, the number of employees has nearly doubled. Several people are responsible for the purchase of fabrics, as well as sales of ready-made clothes to stores, but they’re almost never in the office as they work remotely or at different sites.
In such a company, IT is often outsourced to an external IT administrator remotely providing IT and cybersecurity system maintenance. Along with the installation of office applications and the purchase of corporate PCs, it manages protection by installing a security solution to new devices, checking for program updates and ensuring that protection is always active. The company doesn’t need in-depth incident analysis and tuning of user access rights for different services. Its infrastructure may include one server rack or even no on-premises servers at all, with everything stored in the cloud.
And there’s plenty more reasons for clients to move their IT delivery to managed services providers (MSPs): according to Forrester, 28 percent of companies with 100 or more employees that purchased SaaS (software-as-a-service) from an MSP indicate “customer service, support, and experience” was a top purchase driver for choosing this option (source: Forrester Analytics, Global Business Technographics® Security Survey, 2019).
Finding the right fit
This local clothing brand could be any other kind of small- to medium-sized business: an advertising agency, a consulting firm or a small publishing house. Regardless of what they do, the approach is the same: to manage cybersecurity in such companies, service providers need to offer an inexpensive, compact solution from the cloud which requires minimum resources for installation and management, but at the same time provides protection across all devices – from office desktops to mobile phones and tablets of remote-working employees.
Let’s examine what a larger firm, with a well-established IT infrastructure, expects and needs from cybersecurity. For example, an online retailer stores and processes a large amount of sensitive data, and uses a variety of CRM, ERP and customer service systems. For servicing such a complex environment there should be an internal IT department and a dedicated cybersecurity administrator, or an entire team – either internal or from a service provider – to protect it.
In such organizations, the attack surface is much wider. They use more applications than smaller businesses, increasing the likelihood that they will become vulnerable, as well as more devices that could be compromised by malicious software infecting the network. Working with many contractors and partners also increases the infrastructure’s vulnerability to supply chain attacks. The task of a cybersecurity manager, whether it’s an internal specialist or service provider, is to enable protection against malware on each device. They must also configure it in a way that ensures all employees have access to necessary services, depending on their role. Finally, administrators need detailed reports on the state of the system and, in the event of an incident, they should be able to quickly detect it, analyze and respond to it.
What are the risks of data breaches?
Any downtime caused by an incident or data breach can cost a company money, customer loyalty and reputation. Medium-sized companies are at risk of losing up to $US 120,000 as a result of a data breach, a big part of which will go towards resolving reputational damage, as well as paying compensation and fines. While 100 percent protection against cyber-incidents cannot be guaranteed by any information security company, the use of specialist protective tools can minimize the damage and consequences of an incident.
We can safely assume a small business is unlikely to be overpaying for a more expensive security service. But a large company seeking to save money and using a product which doesn’t meet its needs will quickly realize the error of its ways. To make the right service choice for their customers, providers need to look at the maturity of clients’ cybersecurity function, which commonly correlates with the size and maturity of the entire business.
Weodeo it our way
We talked about it with one managed service company from France — Weodeo. Its owner, Philippe Aymonod, said: “Smaller businesses are aware of the importance of IT security, and they face many of the same cyberthreats as large enterprises. But they don’t have the same resources to deal with them. Consequently, they expect their partner to act as a security advisor that will be able to offer them simple and efficient security, with no impact on their productivity.”
“We evaluate our customers’ protection level according to several parameters: the company’s awareness level regarding security and the threat landscape; the customers’ infrastructure complexity; any specificity related to their business, equipment and potential upcoming strategy adjustments.”
Small businesses expect their partner to act as a security advisor that will be able to offer them simple and efficient security, with no impact on their productivity.
It’s equally important that service providers identify their own goals and resources, such as infrastructure, human resources and technical skills. For example, if providers work only with cloud services (‘born in the cloud’ MSPs) or look to speed up deployment to new customers and easily manage all clients through a single console, they’ll work best with cybersecurity delivered as a service that can be overseen through a cloud-hosted console.
On the flip side, providers who have developed their own infrastructure can choose an on-premises managed solution and focus on customers who have more mature IT infrastructures and demand more granular protection. It’s a good opportunity to provide flexible services for more demanding customers, maintain service level agreements (SLAs) and be an expert in the eyes of the customer. In this case, the service company also needs to have appropriate talent in the team to manage advanced protection.
Which approach is best?
There are advantages to both approaches. Providers delivering cloud security can focus on wider cloud services and extend their portfolio to include SMBs who are consuming SaaS services at a growing rate. MSPs working with medium-sized businesses and have their own infrastructure can use their resources to develop advanced and scaled security services.
While you could say that any kind of cybersecurity protection is better than nothing, if it doesn’t meet the company’s needs, surely it makes sense to change to a solution that’s a custom fit?