Today, network and data protection isn’t just about the technology. Sure, the solutions are a necessary component of the IT security equation—when properly designed and configured, they identify system vulnerabilities and block potential threats. Unfortunately, that’s usually what happens after an implementation where the “wheels come off the bus.” While IT security spending is expected to hit $140 billion by the end of the decade, many of today’s breaches are a direct result of human failure. Whether it's inexperience or just downright negligence, some employees (and even managers) simply fail to adhere to security best practices in the workplace.
What does that mean for channel companies? Opportunity to expand technological solutions, for one. But it goes much deeper. MSPs should be expanding their support and consulting options, and offer security-focused best-practice training. Businesses need their help all the way down to changing end user behaviors.
Those are just a couple ways channel companies can help stem the estimated $2 trillion in annual protection-related losses that businesses are expected to shoulder in the coming decade. The 2112 Group’s Larry Walsh and a group of expert security practitioners took the conversation a lot deeper during a panel discussion at the IT Security Community meeting at AMM 2016.
The respected channel researcher and journalist set the stage with some background on the topic. “First off, we have to admit there’s a security problem. I left Information Security magazine years go thinking that problem had been solved. It’s been at the top of the list for 20 years…and it looks the exact same today. The number of security breaches increased 97 percent last year and we’re being inundated by a flood of malware.”
The early part of the group discussion established some high-level recommendations. One is that businesses should consider their in-house IT security staff to be more foundational in nature today. They should identify the gaps (and bring in others to do it for them) and partner with other professionals with those high-level skills to deliver total protection.
MSPs should become elements of their business, extensions of their network and data protection team. Another recommendation from the panel was to bring in specialized support from time to time. MSPs may be generalists, even in the security space, and could benefit from having a “black hat” type company audit their efforts. Challenge the systems and practices, including sending out fake phishing messages to end users to test best practices in action.
The one thing most organizations have to realize is that the game changes constantly. What should MSPs answer when someone asks if their company is completely secure from outside (or even inside) intrusions? No! Threats evolve constantly and it’s unlikely that businesses will ever be able to confidently say their systems are 100 percent protected.
That was the consensus of from the security panelist discussion, though they all had their unique perspectives and recommendations, including:
Doug Erickson, vice president of WW Partner Sales at Pulse Secure
-
"The questions we get, as a vendor, are deep. If I were in your shoes, I would spend time sorting through the alphabet soup of security companies and partner with those who can answer the hard questions and help support your customers’ protection needs."
-
"As an industry, we’ve made security scary. Even the icons we use can be intimidating to end users. They see brick walls and other images that make the afraid. They need people to guide them through security and ensure it's not so scary."
-
"We talk about enabling business. Don’t just take away their unsafe file sharing application, find them viable and safer alternatives."
-
"Remember, the endpoint is the new perimeter. The normal IT guy doesn’t expect the unusual, so the partner who can point out potential vulnerabilities and offer solutions will be invaluable."
Erin Jacobs, founding partner of Urbane Security
-
"We see a lot of people coming in that had implemented products and had no business doing so. It’s often about the configurations and 9 out of 10 times it’s a disgruntled employee who caused an issue. Finding someone who can go deep into security is difficult."
-
"We constantly put new protocols in place and people are still avoiding them. We’re still having discussions about passwords and basic protection measures today. Use the assessment tools you have at your disposal and show them the things they can easily fix first."
-
"Consider that not everyone is willing to invest. One rather large retailer is more interested in paying fines today than addressing its major security vulnerabilities. It’s scary to think about."
-
"Even if your clients have internal IT teams, there is no reason you can’t recommend fixes. Make friends with their in-house people and nudge them along when you need to."
Mark Sollazo, president, CEO and co-founder of SynerComm, Inc.
-
"Customers usually have enough tools today, but they often aren’t optimized. How many are actually using their firewall for application controls? In effect, they have a Corvette and never drive it more than 40 MPH. Customers love when you can take what they have and make it better."
-
"The best form of security is teaching people what to do when a situation occurs. When combined with staffing issues, retraining, retaining and unavailability of staff, they need help. Employees put their companies at great risk, so training them on security measures is an invaluable opportunity."
-
"Companies want a relationship with an integrator or local company more than a vendor today."
-
"Caring about security begins at the C-level. The reseller community has struggled servicing the people at that level and it’s a gap that continues to widen. MSPs need to come up with creative ways and share best practices to get their teams higher in the food chain to influence executive behaviors. Business leaders need a better understanding of the real problem, and that’s our job."