IT companies have been in charge of small businesses’ computer networks for decades. The trust that owners have in their IT company is on the same level as the trust they have for their business attorney. This trust was earned gradually over the years of a stable and fruitful relationship. IT companies know that this hard-won trust can be quickly lost if there’s a cybersecurity breach.
Protecting clients from being hacked used to involve a fairly straightforward set of technical controls that kept customer computer networks secure and data backed up in the event of a system failure. To do this 10 years ago, an IT company needed to provide firewalls, antivirus, patch management, and data backup. Today, cyberattacks against small businesses rely almost exclusively on tricking employees into giving up credentials or deploying malware.
Today’s malware commonly defeats old-fashioned antivirus, destroys backups, and demands an exorbitant ransom to restore encrypted data that the business literally can’t live without. Attackers use cloud-based email services to perform reconnaissance and trick users into allowing fraudulent wire transfers that send tens or hundreds of thousands of dollars to irretrievable foreign accounts.
As a spokesperson from Cisco recently said, “Attackers don’t break in. They log in.”
Solving these new challenges requires more than a set of tools. Human capital (talent) and effective processes must be factored into the equation in order to provide adequate risk management. Talent, in particular, is hard to come by, with an estimated shortage of 3.5 million workers in cybersecurity by 2021.
IT companies that attempt to provide adequate cybersecurity risk management without the aid of specialists find out quickly that, while the cybersecurity market is brimming with the latest tools, there’s no talent to be had. Moreover, an efficient and effective process is something that takes a while to develop and mature.
IT companies are now looking for outside assistance to address these additional problems and mitigate risk for their clients.
IT companies understand that they must have effective people, process and tools in order to defend networks today. Given the talent shortage and advanced threats they and their clients face, many realize it’s time to bring in a partner. This means adjusting client expectations and potentially increasing costs as well as introducing a new player into the mix: a dedicated cybersecurity services partner.
This can be tricky with some clients, especially those who don’t understand how the cybersecurity landscape has changed over the last few years. One of the first hurdles that IT companies must clear in order to address the changing threat landscape is the concern that the IT company might be seen as inadequate. IT companies can find it difficult to explain that the four pillars of traditional IT risk management (firewalls, antivirus, patch management, and backup) are no longer enough to mitigate the risk from today’s cybersecurity threats.
However, being transparent with clients about the nature of today’s cybersecurity requirements has always resulted in a positive response, says Chris Noles, CEO of Beyond Computer Solutions, an Atlanta-based IT company and partner of Ingalls Information Security.
Chris started having discussions with his small business clients last year about the need for more cybersecurity. “We grabbed sales collateral from several different cybersecurity vendors and created our own style of discussion topics based on some of the capabilities we now have access to,” says Chris. “We tell our clients, ‘Here’s what BCS is doing and what we are not doing, and what BCS is not doing but our partner is. Here are the best practices that you (the client) need today.’” Chris reports great results from these discussions and has been able to rely on his partners (including Ingalls Information Security) to manage cybersecurity risk while his firm focuses on supporting the client’s technology needs.
Here are talking points IT companies can use with their clients that help explain today’s cybersecurity threat landscape:
- Attackers are now tricking users into doing the hacking for them, and users need to be trained and tested to make sure they aren’t easily fooled into letting hackers into a small business’s network.
- Advanced malware can slip past antivirus defenses, and hackers can now “live off the land” to avoid detection.
- Hackers are very interested in email systems, which contain lots of information about how the business operates, especially how the business sends and receives money. Having two-factor or multi-factor authentication (MFA) helps tremendously.
- Once in, hackers spend enough time inside a business’s network to find out where the backups are located, destroy the backups, and then encrypt all of the business’s data before asking for a ransom in Bitcoin that can run between $500,000 and $5,000,000.
- In order to combat these advanced threats, businesses need proactive security controls that require expert cybersecurity professionals.
- IT companies are now partnering with dedicated cybersecurity services partners to gain access to the right talent and processes necessary to protect clients against these advanced threats.
These simple talking points allow IT companies to explain to their clients what’s going on with cybersecurity and why the company is partnering with advanced cybersecurity providers like Ingalls Information Security to deliver effective risk management to those clients.
If you’d like to discuss how Ingalls can help navigate this process, please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.