Small businesses hoping to bolster their IT security by enlisting the help of security-as-a-service providers need to be sure they choose carefully, one network-security software vendor has warned.
With high-profile security incidents continuing to proliferate and demand growing as a result, many SMBs were rushing to revisit their own security strategies as a preventive measure. Yet this, GFI Software communications director David Kelleher warned, wasn't the time to be rash.
“With so much demand and relatively little supply, the market is primed for a rise in specialty firms and independent consultants offering security as a service,” he said.
“These may be tempting, especially when the latest hacks are front page news, but small to medium sized organisations should think before they act.”
For example, he said, potential security-as-a-service providers needed to be weighed on their actual capabilities rather than on the capabilities they advertised.
This included avoiding the temptation to judge service providers based on the number of industry certifications they have; instead, SMBs need to look for consultants that have extensive experience working as skilled security specialists.
“Just because someone can pass a test doesn't mean they are a security expert,” Kelleher advised. “A lot of consultants may choose to hang their shingle out to meet rising demand, and may be relatively new to working for themselves, but they should have years of industry experience working for companies as security experts.”
“Ask questions, look at resumes, and be sure that the professionals providing your services truly are professional.”
This also included speaking with past and current customers before choosing a provider. “There are no silver bullets, quick fixes or easy outs here,” Kelleher advised.
“Security is a way of life and must be pervasive throughout all your information systems, from logons through drive encryption to application hardening and secure remote access. Make sure the consultant or firm you choose has practical experience with all of your systems.”
The high degree of individuality in customers' network environments meant that no two organisations have the same security requirements – which means that no two service-provider relationships are going to be the same either.
This variability meant SMBs should resist the urge to jump at fixed-fee arrangements, Kelleher said, since the actual security requirements of any organisation only become evident once a security specialist is already drilling down into it.
“Security is best when it is layered, and security assessments have to peel back the layers to truly understand what is going on,” he said. “Until you get three layers down, you won't know what to expect at the fourth layer – so expect it to cost what it costs.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.