New regulations and technologies are creating new challenges and concerns for companies delivering IT services and support.
A panel of experts delivered this sobering message on the state of cybersecurity to attendees at Monday’s meeting of the CompTIA IT Services and Support community. The session took place on the opening day of CompTIA ChannelCon 2013, the premier education and partnering event for the IT channel.
The panel noted that according to a recent survey, the number one issue keeping CIOs up at night is managing and securing mobile devices. Other top concerns include cloud-based file sharing, regulatory compliance, password and access management, and intrusion protection.
Meanwhile, in a world where BYOD is becoming commonplace, there’s no longer separation between corporate and personal information. “At what point do the employee’s privacy rights take precedence over the company’s rights?” asked Dan Liutikas, CompTIA’s chief legal officer. “If BYOD is giving IT departments a headache, it’s giving lawyers a heart attack.”
Many organizations want to offer their workers the BYOD option because of its expediency and efficiency, according to Chris Johnson, chief executive officer at Untangled Solutions.
“But they have no idea what the differences are between what devices they’ve issued and what devices have been brought in,” he added.
Johnson advised IT channel companies interested in offering BYOD support services to customers to first consider what risks they are willing to take on. That starts with a thorough review of what the customer wants and what the provider is actually able to deliver. “When you go through the process, you might learn a whole lot about what you want to do or don’t have to do,” he said.
Regulatory issues also impact the business environment for IT services and support companies. One example is the Health Insurance Portability and Accountability Act (HIPAA). In 2009, privacy and compliance provisions of the law were expanded to include not only healthcare providers, insurance companies and others involved in the delivery of patient care but their “business associates” as well. That includes IT services and support companies that do business with health-related customers.
“If you maintain data, if it’s stored in one of your facilities, if you are a data center or an online backup service provider, you are a business associate,” said Mike Semel, president of Semel Consulting. “If you are handling hard drives that contain medical data, you have to have HIPAA specific policies and procedures, train your workers and make sure they are using HIPAA-compliant practices.”
The deadline for compliance with the expanded HIPAA provisions is September 23, 2013.
“If you haven’t done anything by now you may be in serious trouble,” Semel said, noting that some companies have been fined upwards of $1 million for violations such as lost laptops. “This is serious stuff.”
But the news coming out of the session wasn’t all bad. Though there are “costs and pain” associated with becoming compliant, there are also opportunities to make money.
“If you are providing services to customers who are regulated, you are providing compliance services,” said Semel. “You can charge more for services as a compliance service versus a technical service.”
The issue of cybersecurity is not confined to the IT industry. “There aren’t any boundaries in cyberspace,” said Ernest McDuffie, who leads the National Initiative for Cybersecurity Education for the National Institute of Standards and Technology. “Nobody can do it by themselves. It’s about public-private partnerships.”
McDuffie said the government is engaged in several initiatives to boost cybersecurity readiness – a national awareness campaign, formal education, professional training and creating new workforce structures are just a few examples.
“Cybersecurity work is really a team exercise [that includes] people with various intellectual backgrounds and skill-sets,” he concluded. “It’s not one person sitting alone in a basement or in the Moscow airport.”