With news of data leaks, ransomware attacks, and even blackmail hitting companies every day, it’s more important than ever to take cybersecurity seriously and engage an outside firm to safeguard your business. Here’s what to expect:
One of the first things to consider, even before narrowing down scope and price, is if the cybersecurity firm understands your vertical markets and their specific risks. “If I’m in manufacturing and I try to hire an MSP that solely focuses on medical facilities, I’m probably going to get a misalignment of the solutions that I need to protect my organization,” said Jim Peterson, principal solution advisor at IT automation software firm ConnectWise. “Every business has different cybersecurity risks depending on their industry, the type of data they have, the type of access that they need to that data, their tolerance for risk, their geography, the type of computer systems they use. There are so many variables.”
A good MSP (managed service provider) will be honest about how well they understand your industry and your business’s needs. “We can’t be everything to everybody,” said Scott Willeford, technology vice president at Texas dealership DOCUmation. But he strongly recommends that a business owner look into hiring an outside firm for cybersecurity work, even if their in-house IT team is strong. “It’s about having the humility to look outside of your own internal walls. Are you the smartest person in the room? Then you’re limited to just you.”
Whoever you hire, don’t expect a reputable cybersecurity firm to just rubber stamp the precautions you’ve already put into place. Threat actors are more sophisticated than ever, often using automated and AI-assisted tools to guess or crack passwords and gain access to systems quickly. The stakes are high and the costs real: ransoms sometimes reach into the millions. For an outside firm, it isn’t just your security at stake, but their own reputation and liability. Once they assess your threat exposure, they may set certain expectations before they’ll agree to work with you.
Lauren Hanna, president of 30-year-old Cleveland dealer Blue Technologies, thinks of this initial conversation with clients as a way to set the “cybersecurity baseline.” “These are the minimum requirements that every organization needs to have, like how everyone has locks on their doors for physical security,” she said. “Someone could still break a window, someone could pick a lock, but this is going to be the baseline.”
Typical baseline controls include partitioned access, also called least privilege, so that most workers cannot reach company data that isn’t relevant to their job, and multi-factor authentication, which requires users to present a second factor, such as a code sent by text message, an authenticator app or a hardware key fob, in addition to their account name and password. (Of those factors, a text-message code is the weakest, since it can be intercepted or phished; an app or hardware key holds up better.) The baseline keeps rising because, as every consultant we spoke to said, “it’s an arms race.” Hackers never stop inventing new ways to break in, so security consultants can never stop developing new ways to stop them.
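As an added illustration of those two baseline controls (not code from the article or from any of the firms quoted in it), here is a deny-by-default access check in Python that partitions data by role and refuses the sensitive data classes unless a second factor was presented. The roles, data classes, factor names and user sessions are constructed for the example.

```python
"""Two baseline controls checked in one place: role-partitioned
(least-privilege) access to company data, and a multi-factor
requirement for the sensitive classes of data.

Added illustration, not code from the article or from any firm quoted
in it. Roles, data classes, factor names and sessions are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Role -> data classes that role may read. A role or data class not
# listed here is denied: this map is the whole allow list.
ROLE_PERMISSIONS = {
    "sales": {"crm", "price_list"},
    "finance": {"invoices", "payroll", "price_list"},
    "it_admin": {"crm", "invoices", "payroll", "price_list", "mail_admin"},
}

# Data classes that may never be reached on a password alone.
MFA_REQUIRED = {"invoices", "payroll", "mail_admin"}


@dataclass
class Session:
    user: str
    role: str
    password_ok: bool
    mfa_factor: Optional[str] = None  # e.g. "sms", "totp", "hardware_key"


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(session: Session, data_class: str) -> Decision:
    """Decide one access request. Order matters: authentication first,
    then the role partition, then the second-factor gate. Every path
    that is not explicitly permitted ends in a deny with a reason."""
    if not session.password_ok:
        return Decision(False, "primary authentication failed")
    permitted = ROLE_PERMISSIONS.get(session.role, set())
    if data_class not in permitted:
        return Decision(False, f"role '{session.role}' is not partitioned into '{data_class}'")
    if data_class in MFA_REQUIRED and session.mfa_factor is None:
        return Decision(False, f"'{data_class}' requires a second factor")
    factor = session.mfa_factor or "password only"
    return Decision(True, f"allowed for role '{session.role}' ({factor})")


def audit_trail(requests):
    """Evaluate (session, data_class) pairs and return the decisions in
    the form an access log would record: user, data class, allowed, why."""
    return [
        (s.user, dc, d.allowed, d.reason)
        for s, dc in requests
        for d in [authorize(s, dc)]
    ]


if __name__ == "__main__":
    # Constructed sessions: a salesperson with an app code, a finance user
    # who skipped MFA, the same user after an SMS code, an unknown role,
    # and a failed password.
    requests = [
        (Session("ann", "sales", True, "totp"), "crm"),
        (Session("ann", "sales", True, "totp"), "payroll"),
        (Session("bob", "finance", True), "payroll"),
        (Session("bob", "finance", True, "sms"), "payroll"),
        (Session("eve", "contractor", True, "hardware_key"), "crm"),
        (Session("ann", "sales", False, "totp"), "crm"),
    ]
    for user, dc, ok, why in audit_trail(requests):
        print(f"{user:4} {dc:10} {'ALLOW' if ok else 'DENY ':5} {why}")
```

The point of the ordering is that a correct password on its own never reaches data outside the caller’s partition, and even inside the partition the sensitive classes stay closed until a second factor is recorded; anything the allow list does not mention is denied without a special case.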
The Liability Blame Game
“Twenty years ago, people would buy cyber insurance because that would solve whatever they needed, and they’d say oh, we’re done, and they just kind of turned a blind eye,” observed Willeford. There’s no set-it-and-forget-it solution to cybersecurity anymore. These days, insurance companies are some of the most vocal advocates for enhanced security measures, because they’re the ones who have to pay out when security measures fail.
“Cybersecurity comes in three phases,” explained Peterson. “We have our external defense, we have our internal defense, and then we have our ability to recover. Cybersecurity insurance falls solidly in that ability to recover.”
Hanna added, “We’ve actually seen a big shift in the past 12 months in that these insurance companies are hiring a ton of talent to do forensic IT. They’re hiring people to prove you didn’t have a backup in place, that you didn’t have MFA, that you weren’t doing cybersecurity awareness training.”
The gap between the precautions your insurance company expects you to take and what you’re actually doing can be very costly, even to the point of getting your policy canceled. Keeping up with those requirements is essential, particularly for cybersecurity awareness training. Any worker with access to sensitive systems, even just basic email, needs regular training in how to spot phishing attempts, avoid downloading malicious files and refrain from clicking fraudulent links, and that training needs to be refreshed regularly so everyone knows about the latest developments in an ever-changing threat landscape. It’s a lot like patching software: the time to do it is when new threats surface, even if that means updating more often than you’d like.
Cybersecurity consultants often work closely with cybersecurity insurance companies, sometimes even partnering to provide packaged services. Insurers can be valuable resources on the latest ways to harden your systems against threats, because they have a vested interest in making sure their clients are as well protected as possible.
“It’s twofold. They’re protecting us so we don’t have a claim, but if we don’t respond in a timely manner, they also have cause not to provide us the insurance money,” said Willeford.
Hiring Expertise
Much like a small business owner has to hire workers with talents he or she doesn’t have in order to grow, outsourcing the time-consuming and high-stakes labor of staying on top of cybersecurity developments is a good investment for companies that value their time. As rapidly as things are evolving, it may not even be possible for a non-specialist to stay up to date.
“Typically, the small business is 18 months to 24 months behind the current technology that they need to protect in today’s threats,” Peterson said. “They’re just constantly evolving and changing and most business owners don’t spend their time reading about cybersecurity challenges.”
Internal teams can also become overly focused on the compliance side of things, especially when insurance is involved. That can lead to tunnel vision and a reduction in threat readiness.
“If you’re just chasing that checkbox for a certification, you’re not thinking about the real implication of what’s happening,” said Willeford. “That’s our constant back and forth. Are we doing the right thing to protect us with the right budget and the right resources?”
West Reading, PA-based Fraser Advanced Information Systems is among the dealers who prefer the term “co-managed IT services.” A collaborative, hybrid approach, co-managing IT allows busy small and mid-size business owners and IT managers to partner with an MSP to support their internal IT staff. “It’s a flexible way to fill skill gaps, scale support and keep the business secure and productive,” according to Heather Trone, the marketing director at Fraser, which serves the tri-state area of Eastern and Central Pennsylvania and Western New Jersey, as well as parts of metropolitan New York.
Staff at small and mid-size businesses tend to wear many hats. “Maybe you’re stretched thin keeping systems running, dealing with support tickets or tackling security challenges with limited resources,” Trone wrote. “That’s where co-managed IT services can make a big difference.”
Clients maintain control of their core infrastructure and strategic direction, while the MSP handles areas where they need extra support—”think help desk services, security monitoring, data backups or cloud management,” explained Trone. “This setup isn’t about replacing your team but amplifying their impact,” she told prospects.
Finally, cybersecurity prospects shouldn’t think that being a small business is any protection. Hackers don’t discriminate. “Everyone thinks, ‘They’re not going to steal my data. I’m not worried about that,’” warned Peterson. “If they can get into your email system, they can impersonate you and then steal money from vendors and clients. It’s not just you that you’re protecting, it’s your whole world.”
The irony is that success can attract the not-so-nice guys. “The very fact is that if you become successful, you’re more visible to the bad actors,” Willeford said. “They’re seeking to destroy, and you have to continue to expand and protect yourself.”
For clients, Hanna concludes, “it’s not going to be comfortable at first. It’s going to be uncomfortable. We’re not here to displace your IT team, we’re here to be an extension of them. But, to do that, we have to poke holes in what they’ve built. My team’s job is to come in here and find a way in.”
Better to deal with the disruption and discomfort of a cybersecurity firm breaking into your system than the chaos of an actual hacker. No one who gets hacked ever wishes they spent less on security, and these days, anyone can get hacked.