The Case for Managed Security Services

Small businesses are under attack daily. Most don’t know it and need some sort of managed security services. Other small businesses assume they have protection because everything “works”.  Finding security experts for small businesses is difficult

The Small Business and Entrepreneurship Council estimated in 2016 that firms with fewer than 100 workers accounted for 98.2% of the workforce in firms with fewer than 20 were still a whopping 89%. The news is full of large organizations with much greater resources getting compromised. Small firms have many more skill and expertise limitations but are exposed to the same threats.

In fact, Ponemon Institute’s 2018 State of Cybersecurity in Small & Medium Size Businesses said threats increase and more firms experienced actual compromises but that 47% of respondents say they have no understanding of how to protect their firms against cyber security attacks. Are you seeing the increasing numbers but not sure what to do?

Basic Risk Management in Organizations

Frameworks help managed security providers protect against threats like ransomwareYou can never eliminate risk completely, only reduce to an acceptable level. As executives and asset / data owners work protect their information, they might be counting on IT “doers” instead of IT “thinkers” for advice. While an internal accountant can handle 95% of a small business financial needs, firms frequently turned to an external CPA or other financial expert for specific advice. Managed security service providers work in exactly the same way.

In early 2013, the President charged the National Institute of Standards and Technology (NIST) to help protect the nation’s critical infrastructure. By early 2014, their Cybersecurity Framework (NIST CSF) publication came out. We use the CSF to guide strategy and provide a process for protecting important data and assets. If your IT team does not reference NIST or a similar framework, you’re probably wasting dollars in resources on the wrong efforts.

The cyclical process described above summarizes the importance of looking stuff over before throwing a whole bunch of tools and technologies at security. Many technologists just recommend and buy the next security tool without contemplating the entire environment and what should have priority. Don’t Band-Aid based on threats like ransomware, crypto mining, advanced persistent threats (APTs), phishing attacks, be sure to follow the right process.

 

Don’t Have a False Sense of Cybersecurity

Organizations that work both “left of boom” and “right of boom” have the best cybersecurity successBecause the news is full of attacks that shut down entire organizations, small businesses sometimes assume no news is good news. Just depending on security protection is poor practice. Organizations should do things such as vulnerability scans, risk assessments or even just make sure they do background checks on their workforce. This is working “left of boom” because it is identifying potential issues before potential incident.

Working “right of boom” is part of the detection and response phases after your protection fails. The best antivirus might protect against 98% of known malware. This also means that might protect against 40% of known and unknown malware combined. Security protection tools will fail at some point in current averages estimate 68% of breaches took months or longer to discover. Having logging systems configured with the 24×7 team reviewing the alerts can help you provide an appropriate incident response and remediation. These are areas where the Fulcrum Group has offerings to fill in the gaps as a managed security services provider.

SPOT Managed Security Services

Compare basic managed services to managed security servicesOur managed security service works to fill the gap between the typical security basics are the foundation of protecting data but don’t quite treat the whole patient.

These cybersecurity additions specifically target the top concerns from threat intelligence sources to protect your network, servers, Office 365 and data repositories. According to the Verizon’s 2019 Data Breach Investigations Report (DBIR), outsiders were responsible for 73% of the cybersecurity attacks. That also means that insiders were also a threat so external protections should not be your only tools.

The point is normal computer support has edges that you may not be aware of. Help desks can only respond to issues after the fact. Regardless of whether an internal IT department or simply a Managed Service Provider, security services and monitoring are vastly different than standard network services and network monitoring.

Please use our checklist below to help you understand the security tools included in our own standard managed services offering, versus what is available as an add-on managed security service. Discuss with your current team or provider and asked them to share with you what security functions you have and don’t have today. Most firms can’t afford everything, so it takes time to identify the most important ones for you, get them configured correctly and then check up on the quality of your protection.

Don’t be a victim with a false sense of security, arm yourself with the details of where you are today.

What security is included in Managed Services?

2019 SPOT Managed ServicesIncluded
Automated hardware and software inventory listsYes
Tracking of system documentation, including passwordsYes
Periodic review of active user accountsYes
Periodic review of network share permissionsYes
Anti-malware Endpoint ProtectionYes
Web browser content filtering and DNS protectionYes
Configure firewalls for perimeter securityYes
Email protection (SPAM filter, encryption)Yes
Monthly patching of Windows updatesYes
Monthly updating of applets, like Acrobat ReaderYes
Daily review of server backupsYes
Quarterly device configuration backupsYes
Online end-user security awareness trainingYes
Assigned fractional CIO as Security OfficerYes

 

Managed Security Services are needed for some organizations

2019 SPOT Managed Security Services- Enhanced security IncludedAdd-ons
Additional password protection, using multi-factor authenticationYes
Additional password protection, identity access management enhancements such as single sign on, password managersYes
Additional password protection, analyzing deep web breachesYes
Additional data protection, managing BitLocker whole disk encryption  
Additional user training, simulating phishing attacks to test usersYes
Additional testing, application scan, wireless testing, otherYes
Additional testing, vulnerability scanning hosts and devicesYes
Additional testing, external penetration testYes
Additional testing, cybersecurity risk assessmentYes
Additional testing, micro cybersecurity assessment (lite)Yes
Additional monitoring, per site security log review sensor (SIEM)Yes
Additional monitoring, cloud monitoring of Office 365 securityYes
Additional monitoring, 24 x 7 Cyber Security Operations CenterYes

 

The Fulcrum Group also offers additional security tools and assessments to assist you in protecting your environment. Let us know if you need help with a third-party risk assessment, vulnerability scan or penetration testing of your systems. Or just reach out to us for advice on your cybersecurity insurance and how you answer the application form questions versus the security configured on your network.

About our Security Expertise

Since its founding in 2002, The Fulcrum Group has successfully performed IT projects for cities, covered entities, nonprofits, manufacturing, professional services and other organizations in the area. Security has been a component of the Fulcrum Group’s DNA. So much so, the founder earned the Certified Information Systems Security Professional (CISSP) designation in 2004.

The security certification from the International Information Systems Security Certification Consortium (ISC2) recognizes experienced security practitioners for their knowledge across a wider array of security practices, principles and requires ongoing continuing education credits to maintain. His organization has conducted risk assessments and provided security solutions in Dallas, Fort Worth, Denton, Grapevine, Addison and other cities. Local projects extended as far as Decatur on the west and Melissa in the East.