By Gregory C. Grant
With the volume of cyber attacks being launched every day, and the success attackers are having against large, heavily guarded businesses, it is no surprise that cyber criminals find even easier targets at the small business level. As with most things in business, small business owners often struggle to compete with big companies for a variety of reasons, but most often it comes down to resources, whether human, capital, or otherwise.
Now comes news that the Federal Government wants to pass legislation (the Data Security Act of 2015) that would require smaller companies to adopt more stringent, and more expensive, security technologies and policies. While having solid security technologies and preventative measures in place is good practice for a business of any size, the reality is that most small businesses cannot afford to invest in, manage and properly maintain a heavily fortified Internet security and fraud prevention program, regardless of what rules and measures are mandated.
According to US Congressman John Carney’s website – “Consumers need to know that when they use their credit card to make a purchase, their personal information is secure. Our approach makes the rules of the road clear for everyone involved. All the relevant parties – the banks as well as the retailers – will have skin in the game when it comes to preventing and cleaning up after data breaches. We can’t afford to wait for another massive data breach to occur. Congress needs to take up our bill as soon as possible to make sure consumers are protected in the event of another breach.”
Take a look at the PCI DSS for a moment. It has been in effect for years, and the businesses that struggle most with it are the small, independently owned establishments. PCI DSS in and of itself is a good set of standards, but for a small company that lives and breathes on slim margins or seasonal sales, or is just making ends meet, the idea of writing a security policy, adding layered security technologies and so on is simply not viable.
The basic problem is, and has been, that policy makers, whether in government or the private sector, tend to be self-serving: they want to see the security technologies they themselves provide adopted. More often than not, those technologies are very expensive to purchase and maintain, and they require experienced IT/security personnel to manage them around the clock.
Representative Neugebauer states that “the standards we establish are scalable and well-tailored to avoid unnecessary burdens on small businesses.” The only way for a small business owner to avoid more burden is to look at outsourcing the security program, either all or part of it. Otherwise, the only way for them to build and maintain a strong security program is to pass the higher costs on to consumers. It’s simple economics: something or someone has to absorb the higher cost of doing business.
The best position for a smaller company is to get ahead of any pending legislation and implement a simple but strong security program that doesn’t require additional staff, is low cost, and doesn’t require capital investment. That, in short, is what managed security services providers, or MSSPs, bring to the table.
What is an MSSP? Essentially, a Managed Security Service Provider is an outsourced technology service that typically covers round-the-clock monitoring and management of intrusion detection systems and firewalls, computer system and software management and upgrades, security reviews and audits, and emergency response when needed. But be warned: there are many flavors of managed security, and not all of them are designed for the small or independent business owner.
Just like any other business, many MSSPs will attempt to upsell you additional services that you may or may not need. For example, if you have no remote users, you will not need to subscribe to something like a VPN or remote access login service. Understand your business computing needs and focus on securing the information within your business, such as credit/debit card, health and personal information. An attacker may cause you headaches through other means, such as a virus infection, but you are likely to survive that kind of attack even without an MSSP; recovering from a breach of sensitive data, where fines, penalties and fees are involved, is another matter. Having a Managed Security Services Provider on your side will help protect your business from that kind of attack.
Here’s a short list of some things to look for when shopping for the right Managed Security Services Provider:
- What type of business do they specialize in servicing? Be careful of a provider that focuses its time and attention on larger customers, even if it has small business offerings. The last thing you want is to get lost in the queue and have a bad service experience, especially while your business is under attack.
- Do they specialize in addressing regulatory compliance standards? If you accept credit/debit cards you must already adhere to the PCI DSS. Look for a provider whose services have been independently validated against the standard, rather than one that merely claims to be compliant, as such a provider can offer a higher level of assurance and help ensure that your business keeps its compliance intact.
- Ask for references. Don’t be afraid to ask to speak with several clients that have been with the provider for more than a year. You want to ensure that the honeymoon period is over and that the client has had time to experience any issues with the provider.
- Local support. While this may be a sensitive issue to address, it’s best to have security services support provided locally, meaning the US and Canada. It’s also critically important that the service provider host its services within the same geographic region. While the Internet is global by nature, operating standards, personnel and legal protections are not equal around the world.