Outsourcing Security Concerns for SMBs
As a small or medium business (SMB) owner or company, it is hard to understand what security is needed and how to get that security operational. Business owners today are faced with news of data breach after data breach affecting well-known companies in various sectors. In many of these reports, small niche service organizations are utilized for larger corporations and the breach usually hits the smaller company hard, forcing them to go out of business once the costs are tallied.
Even large enterprise corporations have a difficult time hiring good security talent, so what do the medium sized business owners do? Given how difficult it is to interview security talent (you should be well versed in security to interview technical security candidates efficiently), chances are you will get candidates who actually know very little about security or have a narrow security skillset. Most employees at an SMB wear more than one hat until the business reaches a certain size. This requires most businesses to hire well-rounded security folks, who can patch systems, harden systems, run vulnerability scans, and then understand how to secure what these scans find.
It is important to hire technical people with a few years of networking and security experience, as the experience component cannot be skipped. A candidate could go to school for security and graduate, having never actually managed a real network, patched hardware or software, or performed real-life troubleshooting. Finding people with a few years of networking and security is not that difficult today, but you must consider the degrees and complexity of their experience and be cognizant that personalities are also in the mix. You need to determine the right talent mix for your potential candidate, find and hire them, and then nurture that talent as your business grows.
I have been hiring technical and security talent for about 20-years now. Good talent is not cheap, potentially paying $42-50k for someone touting 2-3 years of hands-on experience with networking and security. Certifications and formal schooling are not something I typically look at. If they have hands-on experience and can give me good explanations, I will hire them. Training your staff and keeping them current can cost several thousand $$ annually. On top of this, you will need to invest in some tools that automate patching or vulnerability scanning on your network. Security tools run the gamut, they have initial costs anywhere from free (beware the time and investment to get them functional) to 10’s of thousands for medium-sized and smaller businesses.
You must invest in both people and tools. An individual can start hardening your business from attack, by scanning, patching, and providing sound recommendations to make you more secure. This provides your security only during physical working hours. With that, you have basic defense down and now need to add in logging, some degree of analysis, and reporting to document your compliance with PCI, SOC2, or other regulation. Due care and due diligence needs to be showcased to your customers and insurers.
In order to protect yourself outside of your normal business hours, I suggest you investigate paying for some mix of security as a service. Managed services are a growing market. These services are other small or medium businesses with technical or security backgrounds that partner with you to manage your technical network and devices, provide break/fix services, provide management of security tools, or manage detect and response (SOC) as a service.
Managed services bring a lot of value to the SMB space. They take a lot of stress off your security person or team, allowing them to focus and work on real problems. When you buy into a monthly service, it provides you tools to secure and monitor your business with technical staff 24-7.
Managed service providers (MSPs) are usually firms that help you buy, install, and manage technology – anything from your servers to your desktops, laptops, printers and backups. They may do training and help with break/fix needs. These are subscription-based or monthly services with some things extra. They may also sell firewalls and some security services. My caution is that not all MSP are equal and some add security sales or services. You need to determine what they really understand, as they may be really good at installs, troubleshooting, and managing your network; however, that does not necessarily make them security pros.
Managed Security Service Providers (MSSPs) are security firms that live and breathe security. They can resell you almost any security tool and run a portion or the entire security function. They manage teams of security professionals with different skills and expertise. MSSPs have entire teams and manage hundreds of clients or more, so they offer the value of automation, scale, and knowledge that is hard to get unless you are a large enterprise with your own team and millions of dollars invested. They also have established contacts with vendors and tools to get fast support when troubles arise.
As the preferred model, MSSPs often partner with MSPs to offer a full range of security services. Traditionally, the MSSP will host and manage the security tools for you and you pay them a monthly fee for them to take care of everything else, 24-7. This provides a broad value because they can handle a lot of low-level things that local security folks often struggle to keep up with (log analysis, remediation, patching are among the top of the list). Many MSSPs can give you a full security offering for your business that is cheaper than you could build and staff on your own. You can run the numbers yourself and consider the capital and operational benefit aspects versus monthly bill. They also provide assurance that service level agreements and most compliance issues are solved.
Managed Detection and Response (MDR) services are more complex, but rising in popularity. MDR services are fairly specialized, as they are focused on 24-7-365 investigations, threat hunting, and alerting with prioritization. In other words, they provide the functions of a security operations center as they investigate and alert your business when they see attacks or vulnerabilities with the added benefit of threat hunting. Threat hunting is the practice of running specialized tools on your businesses network that look for attackers, attackers tools, or footprints to follow. Their primary job is to root out bad actors or tools already on your network. MDRs are usually included with a good MSSP offering; however, they are usually not offered by MSPs because of the resources they require.
Smart MSPs are partnering with either MDRs or MSSPs to bring more value to their customer and provide one central way to bill for all the business’s technology and security. The services provided by MSSPs and MDRs are a necessity today if you are a small to medium business and do not have any security staff. Even if you have a small technical staff, MSSPs add security and take care of the noise (too many alerts , some not valid) that often side-tracks small security teams.
Managed service providers may not be perfect for everyone and you need to research the best fit for your business. Reach out on social sites to local security executives – most all of us will take time out of our day to help advise a small to medium business owner or meet with them over lunch to help them talk through the best security for their business. We know most of the MSP, MSSP, MDR and security vendors out there. Now go build a security culture for your business!
About Insite Data Services
IDS data application hosting services combines secure and cost-effective core banking applications, enterprise-class servers and storage, and proven virtualization technology. IDS hosts all of the bank’s servers in secure data centers that use state of the art security systems including identity verification and biometric scanning. Insite Data Services also offers IDS On-Time, a full-service solution dedicated to back-office bank processing. These operations experts allow partnered banks to focus on their most important asset, their customers. For more information visit www.insitedataservices.com.