Small Businesses Need Cyber Security and Risk Management

How to Select the Best Cyber Security Company

When it comes to cyber attacks, no company or industry is exempt or immune. That means having effective security and risk management solutions to protect against attacks and safeguard data is crucial to operating a business in today’s digitally connected world.

Top Reasons a Business Outsources Cyber Security and Risk Management

A company may choose to outsource a portion or all of its IT security and threat management to a managed security service provider (MSSP) or to a cyber security firm that only provides cyber security services.

An MSSP is an IT service provider that provides cyber security monitoring and management, such as virus and spam blocking, intrusion detection, firewalls and virtual private network (VPN) management.

Outsourcing has become a standard practice for businesses large and small, as developing and managing a successful security program requires time and expertise. Employing in-house cyber security staff can be expensive, which makes outsourcing the more cost-effective option for a variety of reasons.

Businesses typically outsource when they:

  • Lack in-house capabilities and expertise to manage the wide variety of security threats and adequately protect their networked systems 24/7, 365 days a year.
  • Have in-house IT staff whose day-to-day operational responsibilities leave no time to spend on security infrastructure or managing the company’s risk.
  • Do not have the resources to stay up-to-date with current threats, let alone emerging sophisticated attacks.
  • Are overwhelmed with product and solution options and cannot fully discern what they need to protect all aspects of their business.
  • Are overwhelmed by the volume and complexity of threats and risks and cannot confidently manage it all.
  • Need help understanding their current state and potential future risks in order to implement a holistic security strategy that will evolve with their business.

So what should you look for in a cyber security and risk management partner?

Below we will:

  1. Review key components of cyber security and risk mitigation
  2. Cover the fundamentals of cyber security company capabilities
  3. Describe what to look for in a cyber security company

What is Cyber Security?

Cyber security (also known as IT security) comprises technologies, processes and controls that are designed to protect systems, networks and data from cyber attacks. Cyber security includes guarding against attacks, managing existing threats and detecting potential breaches.

Effective Cyber Security:

  • Reduces the risk of cyber attacks
  • Protects systems, networks and technologies from unauthorized exploitation
  • Prevents unwanted third parties from accessing sensitive information
  • Protects against disruption of services
  • Maintains productivity by reducing downtime from computer viruses
  • Monitors overall safety to provide peace of mind

Effective cyber security protects, monitors, provides controls and ensures business continuity.

Why is it Important to Address Cyber Security Threats?

To avoid compromised data, whether it is your company’s or your customers’. Compromised data can mean stolen information or altered data, either of which could cripple business operations.

To avoid any kind of expense or financial impact. Recovery of data can be costly or even result in the devastation of the business - especially if the data cannot be recovered.

To avoid damage to the company’s reputation. You work hard to establish your brand and build a reputable, customer-centric business. The last thing you need is to have your reputation tarnished by a security breach.

To avoid weakened client trust. A data breach and loss of information can weaken the relationship with clients and any potential new customers.

To avoid legal ramifications. Data breaches must be reported and customers must be notified of details related to the security breach, including whether their information has been compromised.

By partnering with the right MSSP or risk management firm, companies can avoid the nightmares and embarrassment associated with a data breach.

What Services Do Cyber Security Companies Offer?

The field of cyber security has expanded over the past few years at an accelerated rate and will continue to grow and become more complex as new threats emerge and attackers evolve their methods.

Cyber security solutions, services and products have had to keep pace with the ever-changing threat landscape, creating a multitude of options for businesses to choose from. Third-party security firms help businesses determine the right mix of solutions and technologies, matched to the client’s needs, to provide both a proactive and a reactive approach - all aimed at preventing incidents, minimizing vulnerabilities and minimizing damage.

Security best practices for any business include:

  1. Employee awareness and training
  2. Anti-malware
  3. Anti-virus
  4. Firewalls
  5. Keeping software up-to-date
  6. Proper back-up and storage
  7. Proper identity and access management

Most Common Types of Cyber Security Threats Include:

Phishing

Phishing is an increasingly common threat, typically executed by an attacker through email. To the recipient, the email will appear to have come from a trusted source. The attacker hopes the user will click an embedded link or open an attachment, allowing the attacker to gain access to sensitive data or install malware on the user’s device.

Malware

Malware, otherwise known as malicious software, is any software that is harmful and attempts to infect a digital device. Examples include viruses, worms, trojan horses and spyware. Hackers use malware to lock you out of your systems, steal money, and extract personal information. Anti-virus software is one basic malware protection that should be used on all devices.

Ransomware

Ransomware is a simple form of malware (malicious software) that breaches security defenses and locks computer files using encryption. Hackers then demand a ransom, usually paid in cryptocurrency, in exchange for the digital keys to unlock the data. Of course, businesses are likely to pay for the release of their data – especially if they do not have a backup of the information. It can be hard for a company to recover from such an attack. The FBI lists ransomware as one of the top threats for SMBs.

DoS/DDoS

Denial of Service (DoS) is when an application, network or system becomes unavailable to its legitimate users because it has been overwhelmed by an attacker’s malicious actions. The hacker bombards the target machine, network or website with a barrage of requests, preventing use of the service. In a Distributed Denial of Service (DDoS) attack, that barrage comes from many compromised machines at once, which makes it far harder to block at the source.

Security Services and Solutions

Not all security providers offer the same levels of protection, so do not expect to find a one-size-fits-all solution. Security companies will have a menu of services or portfolio of capabilities, some being more comprehensive than others.

And while there are standard, essential security components that every company should employ, not every business requires the same amount of protection.

To achieve the greatest benefits from outsourcing security operations, first define specific company and unique business needs. Take the time to determine the information that needs to be protected, where it is stored and who has access to it. Then align necessary and required security and risk mitigation technologies accordingly.

The right match will be a company that helps at both a strategic and a tactical level, including defining the overall strategy, asset discovery, conducting vulnerability assessments, intrusion detection, threat intelligence, deploying the right technologies, behavior monitoring and ensuring operational functionality. The right security company will address each aspect of your business to provide full protection.

Security Services

  • Security program strategy
  • Manage risk and compliance
  • Uncover and remediate digital threats and vulnerabilities; early detection is key
  • Respond to and manage incidents to recover information after a breach
  • Manage complex network and security environments
  • Provide cyber security training to reduce risk
  • Assist with security policies and procedures
  • Manage identity and access to data
  • Complete managed security services for around the clock coverage

Solutions

  • Cloud-based security to manage risks associated with cloud computing, such as hosted email and web security.
  • Security intelligence and reporting to provide accurate, actionable insights into your business and threat landscape.
  • Third-party risk management to identify and manage risks associated with working with third parties.

Other Services, Solutions and Technologies

  • Network security
  • Endpoint security
  • Application security
  • Password management
  • Malware defense
  • Ransomware defense
  • Anti-virus
  • Firewalls
  • Data storage
  • Device management
  • Website protection
  • Virtual Private Network (VPN)

The TechStak network includes IT and managed service providers (MSPs) as well as MSSPs that specialize in many cyber and risk management products, solutions and services.

Use the information from the section above to help you define the expertise and experience you’re looking for in a service provider.

Industry Specific Security Compliance and Risk Management

For regulated industries, a company may need to meet and follow specific security, regulatory and compliance requirements such as:

  • SOX - Sarbanes-Oxley compliance for both the Banking and Finance industries, to protect investors and the general public from accounting errors and fraudulent practices
  • PCI DSS - Payment Card Industry Data Security Standard for any company that accepts credit cards
  • HIPAA - Health Insurance Portability and Accountability Act compliance for Healthcare privacy and security
  • GDPR - Europe’s General Data Protection Regulation; EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA).
  • Public sector and federal services may require security clearance or need to demonstrate NIST (National Institute of Standards and Technology) compliance.
  • Other industries that are in the “trust” business, such as law firms and insurance agencies, should also be able to demonstrate how they are addressing risk and protecting client data.

Key Questions to Ask A Cyber Security Company

General

  1. Do you have clients in my industry or with a similar business profile?
  2. Do you have other customers I can contact as a reference?
  3. What type of insurance do you have?
  4. Are your technology and solutions scalable as my business grows?
  5. What type of technology do you use?
  6. Will the same technologies be used to support my company?
  7. Ask for examples: have you stopped any threats or deployed a remediation?

Customer Service, Support and Communication

  1. How do you measure your customer satisfaction?
  2. Do you use a ticketing system to prioritize issues?
  3. Which type of customer service model do you use: help-desk, dispatch, or a dedicated engineer?
  4. Will I have a designated day-to-day contact?
  5. Do you have live technicians that answer the phone?
  6. Can I expect to work with the same people, or is there high employee turnover?
  7. Will we receive regular security updates?
  8. Will we have onsite help, such as a tech or consultant in the office?
  9. Who should we call in case of a security breach?
  10. Who will respond if we have a high-grade or complex security breach?
  11. What is your response time for a security breach?
  12. How involved will your team be in managing the breach?

Skill Set

  1. Does your company encourage employees to stay up-to-date on training and certifications?
  2. What types of qualifications, certifications, and/or awards does your company have?
  3. What are your technical specialties?
  4. Are there specific technologies that you do not or cannot support?
  5. Do you use sub-contractors?

Implementation Process

  1. Do you have an onboarding and transition process?
  2. Do you conduct an audit or assessment before working with a new customer?
  3. How will you manage my current infrastructure?
  4. How will integrations of legacy systems be managed?
  5. How will you determine level of access rights for employees?
  6. Will we need to deploy new technologies? Will they integrate with what we have now?
  7. Will we need system updates to even get started with your company?
  8. What is the time frame to be fully protected?

Service Level Agreement

  1. Do you have standard service level agreements and service standards?
  2. What reporting should we expect to receive? What is the frequency?
  3. What type of invoicing should we expect?
  4. How is billing managed?

Cost Structure

  1. What are your service fees and structure? Do you have service level/pricing tiers? (break/fix, time blocks, subscription, other)
  2. How are support and maintenance services structured and handled?
  3. Do you offer on-site troubleshooting? At what fee?
  4. Do you offer after-hours support? At what fee?

Security and Infrastructure

  1. Is there a guaranteed response time?
  2. Does your service automatically monitor for new security threats?
  3. Are there any restrictions on employees using their own devices?
  4. Is multi-factor authentication used to protect access?
  5. How are updates to systems, software, hardware conducted?
  6. What is your security policy for your business?
  7. What are the top cyber risks my company faces?

Data

  1. Is my data encrypted when it is stored?
  2. Who has access to my data?
  3. Is my data backed up and easily recoverable in case of emergency?
  4. What happens to my data if our contract ends?
  5. Do you have a disaster recovery protocol in place?
  6. If we have a breach, how will customer communication be managed?

How are Cyber Security Companies Different?

Experience

The best cyber security and risk management firms can demonstrate their work in the IT field. They will have years of experience on top of a portfolio of services that match their clients’ needs. They will be able to provide case studies as evidence of customer success and clearly articulate exactly how they help their clients, backed by measurable results. By asking the right questions noted above, you will be able to identify the right firm with a successful track record.

Skill Set

Security professionals may have vendor-specific certifications as well as certifications and training from an accredited institution. Top-rated security professionals will openly display their awards, recognitions and certifications. Ask to see them if not displayed on their website. Inquire about specific staff certifications and training.

Top IT security certifications include:

  • CompTIA Security+
  • CompTIA CSA+
  • GSEC: SANS GIAC Security Essentials
  • CISSP: Certified Information Systems Security Professional
  • CCSP: Certified Cloud Security Professional
  • GCIH: GIAC Certified Incident Handler

Types of Clients

Top-rated MSSPs and security agencies will have customers across various industries. To determine how familiar they are with your exact needs, ask for examples related to your industry, such as whether they have worked with your type of data, systems and applications, or with your competitors or other brands in your industry. However, be open to how they have helped companies in similar industries with similar security needs.

Custom Solutions

While cyber security agencies and MSSPs like to provide packaged services that can easily be implemented and managed, leading firms will have the capability to provide custom solutions tailored to a business’s unique needs.

Qualities of Top-Rated Cyber Security and Risk Management Companies

Customer Satisfaction

The security company should be able to provide examples or stories of how they solved a customer’s issue, managed a customer’s project, or successfully corrected a problem.

Reputation and References

Ask for active client references and reviews to gauge performance, responsiveness, reliability and expertise. Customer feedback should provide a view into how the firm operates and whether they are a good match for your organization.

Reporting

When outsourcing any service, especially one as complex as cyber security, your company will need visibility into what is being managed and what the results are. Leading cyber security agencies and MSSPs will have established reporting expectations to ensure transparency with their business customers.

Forward Thinking

Cyber criminals are always upping their game. The best cyber security firms will be knowledgeable of past, current and potential future threats as well as the technology solutions needed to combat such threats. To be effective, leading security experts must stay up-to-date on the latest trends and techniques being used by attackers.

Anatomy of Cyber Security Professionals

  • Understands the business (your business) they are protecting
  • Speaks in layman’s terms to communicate technical concepts effectively - especially to help non-technical buyers and end-users understand
  • Up-to-date with the latest technologies, trends, and issues such as attacks and threats
  • Subject matter experts and proficient in solutions, services, processes
  • Highly collaborative to achieve goals and objectives
  • Continuous learner
  • Problem solver with an eye for detail
  • Trusted partner

Summary Points

There is a lot to consider when selecting the best cyber security partner for your business. Security service providers vary as wildly in quality and scope as do solutions and technologies.

Proper vetting will help businesses make confident cyber security and risk management partner decisions.

Businesses have a lot to protect. We’ll help you find pre-vetted IT service providers who specifically work with SMBs and specialize in cyber security and risk management. You work with hand-selected experts, customized to your needs.

Learn how TechStak can help you get started.
