Small businesses here in Colorado and across the world have a choice to make regarding how they face the increasingly difficult challenge of securing their computers, accounts and data.
Cyber-based threats are becoming more advanced and prolific at a time when regulation and compliance requirements are increasingly restrictive, and the workers that companies need to attract, are drawn to positions that allow them to work remotely, from multiple different kinds of devices – at least on occasion.
At the same time, the cost of downtime and data loss is on a parabolic upswing coinciding with our reliance on technology. Often these costs are not considered ahead of time. Things like loss of productivity, missed deadlines, loss of reputation, cost of recovery and legal liability too often end up being more than a small business is prepared for.
Among the options available for organizations who want to mitigate the potential losses from these risks, one strategy is to try to use in-house staff who are neither trained nor experienced in evaluating or preventing cyber-based threats. Let’s just say we don’t recommend that choice so that we can move on and spend our time evaluating valid choices for those who are serious about preventing potential losses to their business.
Below are some of the pros and cons of trying to meet this challenge internally, by hiring staff and investing in software tools, vs opting to outsource the service, to an organization that already has trained staff, plus configured software and existing vendor relationships.
Option 1 - hiring an in-house IT security expert or small team
• Some companies feel that an internal person or team, who is on their payroll and subject to employee policies, should be more trustworthy than an outside vendor.
• Onsite staff can respond to physical problems more quickly. An outsourced provider would likely have to take time to dispatch a technician to your office in order to resolve network cabling issues, physical disk problems, power connections, etc., which can reduce mean times to recovery for such incidents.
• An internal IT security expert or small team should be able to get to know your network and applications more intimately than an outsourced provider that is handling dozens or hundreds of other clients.
• Costs - not all small companies can afford to have a permanent cyber security team on the premises. Experts in this area won’t be cheap. In the happy event your business is not under serious attack, you may find yourself thinking that you are paying too much for too little work.
• Motivation - It is fair to say that an in-house expert may not feel constantly challenged on the job. In this line of work, job changes are more common than in other sectors and the job is performed by highly skilled individuals who probably have a lot of offers waiting for them. So, there is the risk of not finding a good, motivated employee in the first place, or you may find it’s hard to keep such an expert on the job for a long period of time.
• Time – Cyber-security maturity is not something any expert or small team can achieve overnight. It can take years to develop and get good at managing vendor relationships, configure all of the software tools and automations that an outsourced provider would already have largely reconfigured.
• Knowledge loss - Some of that intimate knowledge we discussed as a “pro,” can go away when a senior expert leaves the organization.
Option 2 - outsourcing to a cyber security provider
• Costs - an outside company can either charge for some specific services as one-time fees, or they can offer ongoing protection for a monthly fee. In any case, it’s likely to cost less than having a permanent team do the job.
• Resources - you don’t have to worry about the resources needed to do the job. Obviously, a specialized company will have access to tools, resources and collective general knowledge than an in-house team or expert.
• Time – for reasons already mentioned, an outsourced team with their existing tools and resources, should be capable to helping your company achieve a more advanced state of security maturity than an internal person or small team.
• Experience - an outside company will have faced a lot more threats and security issues during its’ history of dealing with various customers. When stuff hits the fan, that experience can be the difference between performing a 2 hour cleanup versus days of downtime to recover your entire Windows Server cluster from backup.
• Availability - will the outsourced company be available in time of need? That may
well depend on the type of contract you have with them. If you reach out to a cyber security
company for the first time only when you’re in trouble, you might face a problem of availability. On the other hand, if you have a permanent deal with a company, then they should be as ready to help you as the in-house team.
• Trust - some companies feel like they lose too much control if they were to elect to go with an outside company. This is a concern that can be alleviated by making sure you shop around for a group that is a good fit for your needs, and define those expectations and clearly communicate your wishes ahead of time. Most of the time, you can find a group of experts who can/will provide methods to assure that you can securely maintain the flexibility and access that you desire.
Of course, there are also companies that end up taking sort of a hybrid approach, such as having an in-house employee for daily processes and personnel security training, while seeking outside solutions to provide various layers of monitoring and defense to a managed cyber security company.
With awareness of the potential issues, businesses who choose to outsource can manage contracts and vendor relationships to ensure proper documentation and adherence to the company’s standards – however they wish to define them. By the same token, groups that are determined to keep as much as possible in-house, can manage policies and expectations to deliver desired outcomes.
It should also be said that we’re talking about cyber-security here as opposed to IT support. Often the two get confused or the roles intermingled, but it’s important to understand that the two are diametrically opposed functions that don’t mix well together. To understand why, realize that IT support’s function is to make things work – usually as quickly as possible. Often that means opening access rights or permissions, or completely disabling security features that are getting in the way, which is inherently one of the biggest threats to your security posture. Essentially, you don’t want to put your IT support into a position where they’re expected to have to police themselves as well as everyone else; it is a recipe for disaster every time.
Any way you go about it, don’t assume you don’t need security or that you can take care of it yourself. You might be able to learn to handle some of the basics, but in case of a more serious breach, chances are you will end up paying a lot more than the cost of one of the options above. At the very least, do yourself a favor and bring in a fractional CISO on occasion and bring in consultants to perform regular security audits.