With the many pressures facing smaller businesses, trying to reduce expenditure is always at the forefront of the company mind, but sometimes this leads to taking a shortcut that can have drastic consequences. I typically see this when companies start to think that information security begins and ends with IT, and believe that their third-party IT support company who looks after the purchasing of devices, setting up email addresses and installing anti-virus, can equally well assist with preventing, investigating and recovering from a data breach.
While there are some support companies that can do this, there is a reason most cyber security companies do not offer IT support as a service. If a breach occurred, they would be marking their own homework, and would they really hold their hands up and say ‘that was our fault’? Of course not! It would be easier to blame someone else and get more money thrown at it. In most cases, this will be done incorrectly, with bad advice and poor, expensive outcomes due to not having suitably qualified professionals engaged.
Add to that the fact that an IT company doesn’t have the experience in dealing with the complex legal, regulatory, and contractual issues that information security often has to navigate, and it’s clear that depending on IT support to perform this vital function is the wrong way to go.
A couple of accounts of breaches I have heard over the past few weeks cement my opinion that having a dedicated information security function or partner is becoming more integral to mitigating, investigating and responding to a data breach.
One business suffered a data breach in which, after a successful phishing email, the attacker gained full control of the company’s email accounts and tried to get multiple fake invoices paid. It was only caught when the person in accounts wanted to check they were paying with the correct card. The IT support company who assisted with this suggested the breached company change their email passwords, utilise multi-factor authentication on all email accounts, let the staff know what had happened and inform the ICO. To be fair, all of this is technically correct, but it is just the tip of the breach response iceberg.
I asked if the breached account used the same username and password combination anywhere else; shock, shock, it did, but the IT support company had never asked. I asked if their customers and suppliers had been notified, since the attacker had gained full access to all emails and contacts; again, the answer was no. The final question I asked was whether, apart from what their IT support had done, there had been any other updates or suggestions to policies, procedures, solutions or training from IT support. A long silence, followed by a slightly worried no.
IT support is NOT information security!!
If you are unable to afford a dedicated internal resource, I would suggest utilising the skills and expertise of a security professional in the role of virtual CISO / CIO / ISO. This service could be as little as annual meetings with senior managers, alongside quarterly reviews and phone assistance when required. Having this resource means a company should be able to have an up-to-date and understood incident response plan, improve its level of security with regard to both systems and personnel, and have a trusted expert it can call upon with confidence.
For small businesses, this is the most efficient and cost-effective way to increase security maturity.
If you want to discuss this in more detail get in touch.