2016 is a scary time for those who rely on the internet and computer systems, especially for small business owners and managers without their own IT teams. From the e-commerce reliant retailer to the small manufacturer with a mobile sales team, it’s difficult to succeed without some sort of network connection today. The reality is we have become tremendously dependent on technology over the past two to three decades. For businesses, that reliance has become both a blessing and a curse. Systems have to be online and operational 24/7 and downtime is no longer just an inconvenience ̶ it’s a profit sucking problem requiring prompt responses and effective solutions.
Combined with a growing number of regulatory compliance requirements, that helps explain why security has become a top priority for business leaders today. In fact, across the 12 countries covered in the latest CompTIA International Trends in Cybersecurity report, nearly 8 out of 10 managers responsible for network and data protection expect it to become an even greater urgency over the next two years.
That’s good news and bad news for solution providers. Despite the growing number of channel firms offering basic data and network protection today, it’s simply not enough to just counter the basic threats today. Security has to move from a line item in the portfolio to a more highly advanced, proactive management service. Protection has to be tailored to meet the unique threats and activities of each client today to be truly effective. And, even then, there are no guarantees (nor, I stress, should there be).
In fact, to keep pace with the rapidly growing number of threats, providers need to either become advanced security specialists themselves or work with others who can deliver those services. And while that seems simple enough, it’s a whole new approach for many channel firms. Advanced security starts and ends with each individual client. It’s a true consulting focus that can be best summarized with six best practices.
- Understand that one size does not fit all - No two businesses operate the exact same way and the compliance issue and threats they face can be quite unique and complex. That’s as true in the SMB space as it is in the enterprise, and the channel firms that can assess and address the specific protection needs of their individual clients will fare much better in today’s competitive environment. Realize that your company’s true value add will comes from understanding and tailoring IT security programs. It’s not just about installing AV and firewalls (though those are important).
- Develop a comprehensive threat assessment process for your clients - this involves extensive engagement with client IT teams, managers and even end users. Every access point on their network infrastructure will have to be evaluated and protected in some manner. That includes the human factor. Of all the vulnerabilities, people play a major role in business security breaches, especially in companies that store high-value information such as credit card and personal data.
There are a number of assessment tools available in the channel, including the CompTIA IT Security Assessment Wizard, a straightforward, three-page questionnaire intended to help build a profile of the interaction between your business and one of your clients.
- Evaluate your current capabilities – what security services are you currently offering? Start from the known (the present portfolio) followed by a thorough appraisal of your team’s unused skills (certifications) and tools you may already have at your disposal. If you match that “inventory” with the security needs of your specific clientele, it should be fairly easy to identify the gaps. The question is, how much are you willing to invest to build out the practice (see #6)?
- Minimize the human factor - providers have to remember that 100% protection should always be a goal, but with people involved in carrying out policies, it is impossible to guarantee. There is no ‘bulletproof’ security program for your clients. Even if you identify every potential threat and implement every conceivable protection measure, humans are still a liability. That’s why providers should never make guarantees to their customers when it comes to security. Their responsibilities are numerous and many even offer end user training, but no one can ensure that every employee of each client company adheres to that organization’s specific security rules. No solution provider should ever guarantee protection of their customers’ data and infrastructure. If you have, rush out and find a really good liability attorney.
The human factor is why approximately 9 in 10 businesses use security training today to assess or improve their employees’ knowledge and awareness. With an ever-increasing number of threats and scams, businesses have to take a more proactive approach. Malware detection only goes so far, and the best way to slow down or even counter a hacker is to take away the easiest access points. It’s a primary reason why hackers are investing so much time and effort into phishing attacks. People are easier to dupe than well-protected networks and machines.
- Develop an advanced security portfolio - like any channel practice, solution providers have to cater their offerings to their specific clientele. The challenge for small channel firms is figuring out what their clients need and what quality services they can provide ̶ either on their own or with a partner. That may require a fair amount of industry research and a thorough self-evaluation of capabilities and limitations. There are no shortcuts, but help is available to those who are seriously looking for new options to boost their protection expertise (a true value-add).
Your customers may not know they actually need advanced security services, let alone be clamoring for it. Since many small business managers may have no clue as to what that entails, simply asking them a “yes/no” question about their interest in it won’t do. Start off by educating them on the threats organizations like their face and the measures a security expert could employ to offer them greater protection. That may include intermediate measures such as encryption, policy development and e-cycling. Or more advanced security options like pen (penetration) testing, intrusion detection and mitigation, and auditing.
- Partner and collaborate - with the rising threats, each solution provider has to design a security portfolio that addresses the specific needs of their own customers. Compliance-heavy organizations (i.e. medical facilities, banks, retailers) require a higher level of support than companies with “lower valued” data and less regulation. Does it make sense from both financial and liability perspectives to offer auditing services yourself, or would it be more cost-effective to partner with an existing specialist? The good news is there are a host of advanced security practitioners willing and able to offer that support.
While some solution providers have shifted their entire focus to security, most simply build out and enhance the services they offer as new service and partnership opportunities arise. It really depends on your own particular ambitions and market demand. Either way, with concerns over data protection growing, the potential opportunities are there for the taking. The question is “are you ready, willing and able to take them?”
