The prospect of a security breach is a fact of business life. Just consider a couple examples from recent months: a simple phishing attack conned a payroll employee at Arizona-based supermarket chain Sprouts Farmers Market into sending every employee’s W-2 tax record to an unknown destination and ransomware crippled the Los Angeles, Calif.-based Hollywood Presbyterian Hospital’s IT infrastructure for a couple of weeks. Companies of all kinds and all sizes are potentially under siege by cyber-criminals and malicious intruders.
To no one’s surprise, it’s a major problem for businesses and organizations everywhere – and things are getting much worse.
A recent story in the Washington Post said that the Federal Bureau of Investigation (FBI) received 2,453 complaints about ransomware alone last year. The practice has extracted US$24.1 million in ransom from victims. The FBI claims an increasing number of victims are paying to get their files back, despite advice to the contrary, which only encourages the criminals to continue these activities.
In an ironic twist, even Verizon, which produces a well-regarded annual security report, was recently hacked because of a flaw in its enterprise client portal. According to eWeek, an online media outlet, information on an estimated 1.5 million enterprise customers was stolen; the hack was first reported on in March 2016, but Verizon did not provide specifics on the incident.
Bottom line: no one is safe
In this landscape, corporate IT staff frantically struggle to keep their heads above water. Not only do they need to focus on the multitude of technical issues and events that occur in keeping IT infrastructures and systems up and running, they also face the additional challenge of securing the network and systems, and supporting users who are increasingly bombarded by phishing emails and other malware.
The cost of doing nothing is significant. According to research firm Ponemon Institute’s 2015 State of Cyber Crime Report, the average company cost of cybercrime is more than $7 million (US) worldwide, with U.S. companies taking a US$15 million hit on average. And criminals are getting more inventive, often breaching a network and then waiting for months before initiating an attack to ensure that their malware is firmly entrenched, and that it will create a breach in the most valuable targets.
Canadian companies may be throwing money at the problem, but, according to IDC Canada, they are not investing in the right things that would mitigate risk and minimize the impact of breaches. In its 2016 ITC predictions, IDC said, “Security spending will surpass $2 billion in 2016, but Canadian businesses will still not be investing in all the right places. Organizations must take a holistic approach to designing a security strategy, and ensure that end-user security training is prioritized and implemented.” This means examining all facets from the technology to the human factor, not simply concentrating on the tech.
Furthermore, said Lars Goransson, general manager and group vice president at IDC Canada, “CIOs need to recalibrate IT organizations’ fundamental priorities (e.g., critical skills, strategic technologies, insource/outsource decisions) as IT infiltrates more of the enterprises’ products and services, instead of simply supporting the delivery of those offerings.”
Given the shortage of qualified security professionals, one of those critical decisions could be to engage a managed security services provider (MSSP).
“Managed security services continue to gain momentum in Canada and is expected to be the strongest performing security market over the next five years,” writes Kevin Lonergan, research analyst for infrastructure solutions at IDC Canada, and co-author of the IDC MarketScape research report Canadian Managed Security Services 2015 Vendor Assessment.
“The MSSPs operating in Canada can all provide managed security services, but what differentiates them is their value-add services and investments in next-generation technologies such as big data threat analytics and cloud identity management. The diverse MSSP landscape spanning telcos, consulting firms, and pure play providers ensure that Canadian organizations can find a provider that meets their specific needs and budgetary requirements,” Lonergan said.
So what can a MSSP do for you?
One huge benefit comes from the 24×7 monitoring, something many companies can’t afford to do for themselves. But for time-constrained IT departments, passing off day-to-day activities like proper firewall configuration and updating is also worth its weight in gold, as is patch management. It frees IT staff from the mundane, so they can innovate for the business.
MSSPs make sense of the security landscape, helping design, implement, and maintain an architecture that will protect their customers. A good MSSP understands compliance requirements, and can tailor its services to suit. And since the cost of acquiring that knowledge and training its staff can be amortized across many customers, it keeps the price of the service reasonable for all.
When something goes wrong – and it inevitably will – the MSSP has the advantage of both expertise and scale. The solution for, or prevention of, issues affecting one customer will be available for all. And while the MSSP, with its specialized personnel, sorts out the mess, customer IT can focus on other tasks.
IDC’s report validates this, saying its research shows that the number one reason customers engage an MSSP is because they themselves don’t have the in-house skills or resources to effectively manage, or even monitor the security threat environment across their own infrastructure.
That can mean one less headache for the CIO.