Let’s be honest. For the garden-variety office environment end-user, the topic of security can be daunting. While most Americans have heard of cybercriminals, many of them only have a cursory knowledge regarding how business systems are infiltrated and compromised. They’re told not to click on suspicious emails, but without security awareness training, the typical worker’s primary expertise is found in the line-of-business applications they use on a daily basis.
Herein lies the beauty of a true managed services proposition. Certainly, the tools play a vital role in developing a dealer’s value proposition, and not all tools are created equal. Many dealers go to great lengths (and expense) to ensure their managed IT and security components employ only top-of-the-line third-party solutions from the biggest technology players on the planet. But the advisory role furnished by service providers is the point of differentiation: the depth of experience and knowledge dealers have in a wide range of verticals, covering the full gamut of compliance requirements.
For Elevity, the managed IT division for Gordon Flesch Company of Madison, Wisconsin, the initial engagement entails a review of the client’s environment by its assessment and advisory team, notes Paul Hager, director of solutions. That process is then repeated on a quarterly basis.
“We often see clients who believe they are protected but are really lacking a comprehensive, layered approach to security,” Hager said. “Often the missing pieces are in the ongoing training/testing and human aspects, as well as failing to fully protect the main entry points—vulnerable identities and spear-phishing over email.”
The calendar may read 2020, but many end-users seem to be stuck in a circa-2000 time warp when it comes to blind spots. Keith Adams, vice president of IT for Les Olson Company of Salt Lake City, points out that users and passwords, and a lack of basic prevention systems or group policies to limit access to systems, continue to plague clients.
“We regularly encounter environments where many users have rights and access far beyond their individual job function needs,” Adams said. “This is often a legacy problem that was initially not dealt with due to a perception of inconvenience. By having a conversation around the concept of WHEN, not IF there could be a user compromise event, we can promote concepts of change. While those conversations do not always result in an immediate adoption of change by the client, it sets the stage for future actions on their behalf.”
To illustrate a client’s vulnerabilities, Les Olson Company regularly produces scorecards to shed light on the areas of weakness within their environment. Adams notes that by highlighting areas of improvement that can be addressed, often with little to no monetary investment, the dealer can foster an environment where the client understands the policies, procedures and products that can yield optimal protection.
Knowing the Network
One of the first steps in securing the assets on a client’s network is knowing what is on that network. That may sound elementary, but beyond desktops, PCs, printers and other devices, access systems, door readers and camera systems can also be common breach points in a network, according to Mike Burgard, CISO for Marco of St. Cloud, Minnesota. Those points have also served as the most common breach points in some of the nation’s largest public data breaches in recent years.
Vulnerability management is another major focal point in any security conversation, according to Burgard. “We’ve seen a lot of vulnerabilities in the news the last couple of years and WannaCry was one of the big ones, leading to the largest Russian ransomware in history,” he said. “There was a passionate effort behind that scheme. It’s a three-year-old vulnerability and many organizations still haven’t patched it. You’re making it easy for the bad guys when you leave old, known things exposed on your network. Vulnerability management is important because it’s a really easy metric to report on and a good metric to show the overall effectiveness of the security program.”
The lack of any security awareness training component is perhaps the biggest blind spot for end-users, according to Scott Anderson, senior vice president of IT for Kelley Connect, headquartered in Kent, Washington. The dealer’s prime responsibility in an advisory role, he notes, is to point out all the risks and gaps in a client’s infrastructure.
“It’s our job to call out all the risks and determine what risks we can remediate, and which risks we are OK accepting,” Anderson added. “There are a lot of risks out there, so let’s prioritize them and see which ones would be bad for the organization, and which risks they are willing to accept. It’s a joint conversation with the client based on advising and determining exactly where they want to put their budget. Risk acceptance is an OK strategy, because at least then you know what your risks are.”