BUSINESS SECURITY SERVICES
MANAGED CYBERSECURITY SOLUTIONS
First Call believes good decisions start with a good education. We’ve put together good information that’s easy to understand and digest. Still have questions? Reach out to a sales rep.
TABLE OF CONTENTS
Are Cybersecurity Threats Real?
What is NIST?
Are Any Industries More At Risk Than Others?
Do I Need Cyber Insurance?
If I Am in The Cloud Am I Safe?
Cybersecurity Product Options
Cybersecurity In-House or Outsourced?
How Much Does Cybersecurity Cost?
IS THIS REALLY HAPPENING?
ARE COMPANIES GETTING BREACHED?
A construction company in Maine, Patco Construction, had roughly $590,000 transferred out of its bank account after intruders infiltrated its systems. Some of that money was recovered, but the legal dispute between Patco and its bank dragged on for years after the incident and put further strain on the business.
In another incident, Wright & Filippis, a health-care company, suffered a cybersecurity incident involving patients' protected health information (PHI) but could not determine what had happened to the data or how it was used. Beyond the unknown consequences of leaked PHI, Wright & Filippis was required by law to disclose the breach so that those potentially affected could take appropriate action.
In both cases, the damage to each business's reputation and operations was significant.
Montana organizations are coming to us for help: real dollars are being stolen, entire server and workstation fleets are being held hostage by ransomware, data breaches are triggering mandatory reporting, and organizations are having to disconnect from the internet for days or weeks.
The ramifications are real and extensive. Make the investment in cybersecurity solutions today.
Our goal is to break the conventional thinking that advanced cybersecurity is too hard, too technical or too expensive. Advanced cybersecurity boils down to having the right people, the right processes and the right tools in place.
Those people, processes and tools are there to Identify, Protect, Detect, Respond and Recover, the five Functions (often called pillars) of the NIST Cybersecurity Framework (more on that below).
NIST is one cybersecurity standard. Depending on your industry, the applicable compliance regulation will vary. For example, in healthcare the Health Insurance Portability and Accountability Act (HIPAA) sets a separate set of standards for organizations that collect patient information.
Other highly regulated industries besides healthcare include government, schools, hospitality and banking. Achieving and maintaining compliance is required by law (one caveat: for organizations that handle payment cards, the PCI DSS is a contractual requirement imposed by the card brands rather than a statute, but the consequences of non-compliance are just as real).
The last group of businesses that seek out advanced cybersecurity solutions are those that value their reputation and overall business health. These businesses have seen what cyber incidents have done to competitors and understand these events can be business killers.
WHAT IS NIST?
Oftentimes, when people think of cybersecurity, they think of hackers and attacks. Although that is a significant piece of the cybersecurity puzzle, it is only one piece. To understand the whole cybersecurity picture, let’s look at the NIST Framework.
NIST, the National Institute of Standards and Technology, was directed by the federal government (Executive Order 13636, 2013) to develop a voluntary framework for managing cyber risk that any organization can adopt, including those not already regulated by a sector-specific framework. The result organizes the cybersecurity ecosystem into five Functions, commonly called pillars.
The five Functions of the NIST Cybersecurity Framework (version 2.0, released in 2024, adds a sixth, Govern, covering risk strategy, policy and oversight):
Identify: Where are your security vulnerabilities?
Protect: What safeguards are in place?
Detect: How will you know about an incident?
Respond: How will your team react to an incident?
Recover: How will you restore capabilities or data?
Our Cybersecurity Solutions Advisor will work with you to create a plan that addresses the five Functions of the NIST framework above. The goal of our advanced cybersecurity offering is to have the people, processes and tools in place to create, refine and manage those five Functions.
ARE ANY INDUSTRIES MORE AT RISK THAN OTHERS?
The short answer is yes. The value of the data they hold, the cost of downtime, or the trust placed in them by the relationships they manage cause some organizations to face higher risk. Most of these organizations already answer to a regulatory body or framework: HIPAA (healthcare), CMMC (defense contractors), FERPA (education), CJIS (law enforcement and criminal justice data).
Industries facing higher risk include:
That said there are other factors to consider beyond industry.
Size: the more employees an organization has, the more risk controls it needs and the greater the impact should an incident occur. An organization with 20 to 50 employees needs a strategy; at 50 to 100 employees the depth and complexity increase; at 100 to 200 they increase again, and so on.
Assets and asset value: every framework starts here, with questions about your data, its value, and the impact on your business should it be compromised.
In our experience, any organization using computers, email and the internet has risk. Everyone needs fundamental protections in place, what we refer to as blocking and tackling. As you grow larger, or simply carry greater risk because of your industry, regulations or asset value, you must go beyond blocking and tackling to advanced cybersecurity measures.
DO I NEED CYBER INSURANCE?
Cyber insurance exists because real risk is rising and enough organizations wanted to transfer part of that risk to an insurance carrier. If you are in a high-risk industry, your employee count is growing and your dependence on data and IT is increasing, cyber insurance is a must-have. Be aware that carriers increasingly condition coverage on specific controls (multi-factor authentication, endpoint detection and response, tested backups), and misstating those controls on the application can jeopardize a claim.
When shopping for coverage, think about which risk you are looking to transfer to the carrier.
Here are a few examples:
A rural electric co-op might want cyber terrorism coverage because it worries about state actors taking down the electrical grid it manages.
A bank or credit union should be thinking about full response and remediation services, since forensics, call center services, public relations services and the associated costs will almost certainly be required.
The average company might simply be concerned with extortion/ransom payments and recovery services.
A medical facility should consider regulatory defense and penalty coverage so it does not have to pay legal defense fees and penalties out of pocket after a breach of patient privacy records.
Get advice from your cybersecurity consultant (even a basic risk assessment will help steer you).
Work with your insurance agency, and avoid competing carriers or duplicate policy coverages.
CYBERSECURITY IN THE CLOUD
If I am in the cloud am I safe?
Safe means you have cybersecurity protections in place, you can detect issues, and you can recover in the event of a successful attack.
Microsoft 365 is a common cloud platform. Being on Microsoft 365 does not by itself make you safe: under the shared responsibility model, Microsoft secures the underlying service while you remain responsible for your identities, your data and how your tenant is configured. The platform has native tools that can be leveraged for protection, detection and recovery (multi-factor authentication and Conditional Access, Microsoft Defender, audit logging, retention policies), and a variety of third-party tools are available as well. One common misunderstanding: retention policies are not a backup, so a separate backup of mailbox, OneDrive and SharePoint data is still needed. Platforms like Microsoft 365 need people, processes, procedures, tools and behavior to achieve cybersecurity.
Being in the cloud does not in and of itself make you safe. Make sure anyone helping you manage cybersecurity can help you build a good security posture in the cloud.
CYBERSECURITY PRODUCT OPTIONS
What kinds of products and services are out there to help us?
Too many. That is part of the problem: organizations drown in the options. For example, there are more than 50 antivirus products for Microsoft Windows alone.
Beyond the sheer number of options, organizations tend to take a symptom-based approach, which leads to a mishmash of vendors, solutions and expenses. The right way is to choose an approach geared toward closing gaps in a cybersecurity framework.
What is the main benefit of defining your approach and layering it against a framework? It is easier to see the gaps and address the ones you care about.
When you address the problem through a framework, cost, automation and integration become your driving principles, not which of the 50 antivirus programs is best.
When considering cybersecurity services, define what roles you need, then ask whether it makes more sense to source them in-house or through a third party.
Third-party organizations like First Call have already done this work and packaged products, services and costs together to address the gaps, integrations and automation needed to make it cost-effective.
CYBERSECURITY IN-HOUSE OR OUTSOURCED?
Can I manage it in-house or should I outsource?
Organizations with 20-200 employees typically outsource cybersecurity services for the following reasons:
1. IT labor shortage, which is especially acute in cybersecurity.
2. Their existing IT staff (in-house or outsourced) are focused on user needs, application support, uptime, and traditional infrastructure projects and management.
3. Building a mature cybersecurity practice takes knowledge, time and resources. Organizations do not have the time to let such services take shape and become fully operational; they need production-ready solutions now.
4. They need something that will scale, flex and change as their internal factors change and threats evolve. Third-party services are typically more agile and up to date than in-house shops.
5. Much of the work of managing cybersecurity risk requires soft skills, because you are dealing with users and their behavior. Most traditional IT shops lack the soft skills needed to influence and manage behavior around internet use, email, remote work, personal devices and so on.
Different Solutions for Different Roles
IT Directors
IT directors looking to add depth to their bench and an influx of resources to their team are ideal candidates for our Co-Managed Cybersecurity offerings. We are not a replacement, only an addition to an already crucial part of your organization. First Call becomes the "Robin" to your "Batman." Learn more about our solutions to join forces.
Business Owners & C-Level Executives
Business owners and C-level executives need a dependable partner to take cybersecurity off their plates. Whether it is maintaining compliance, dealing with cybersecurity questionnaires, maintaining a reputable business or preventing data loss, you need something that works! Learn more about our solutions tailored to business owners and C-level executives.
HOW MUCH DO CYBERSECURITY SERVICES COST?
Managed Service Providers, cybersecurity agencies and Managed Security Service Providers offer packaged services ranging from $10 to $200 per user per month. Many of the solutions out there are designed for enterprise or medium-sized businesses (more than 200 employees), so be sure to engage with vendors focused on smaller organizations with smaller budgets in mind. First Call's services range between $10 and $40 per user per month depending on the size and scale of the organization and the services involved.
Organizations can also invest in a standalone risk assessment. Costs vary, but with consultants the price will be higher, because that is where they make their money: in the assessment, not in the ongoing services that maintain an organization's security posture.
Leaders need to manage the risk affordably, and many organizations with fewer than 200 employees struggle with this because many of the tools, services and providers are priced for larger organizations. Keep it simple: what will the blocking and tackling cost us? What advanced services do we need, and how much do they cost? Perform this exercise while keeping in mind that the threat is real and organizations can no longer afford to do little or nothing.
The higher the price the more:
gaps their approach addresses.
professional services that are bundled in.
hours of coverage involved.
risk they are inheriting when an incident requires response and recovery services.
What blocking and tackling should all organizations with more than 20 employees have in place?
Here is a quick checklist of the cybersecurity protections we would recommend at a minimum for any industry or organization with more than 20 employees who commonly use the internet and technology in their work.
While this may look like a lot, some of these services are likely bundled into technology you already have. Others you will likely need to add, or at least strengthen, to establish alignment.
VPNs for remote workers and sites
Internet content filtering
Basic password hygiene practices/controls
Multi-factor authentication
Wi-Fi password protection (WPA2 or WPA3, with guest traffic kept off the business network)
Basic Windows patch management
Basic annual security gap audit
Encrypted backups (preferably cloud based), with at least one copy that ransomware on your network cannot reach and restores tested regularly
What about advanced managed cyber security services for organizations with more risk and sophisticated needs?
For organizations with advanced protection needs, First Call recommends everything in the list above plus additional services provided by third-party cybersecurity companies like First Call. Any cybersecurity consultant will name human error and user behavior as the number one security gap, so more controls are needed, along with security awareness training and testing.
Dark Web Monitoring Services
Security Awareness Training and Testing
Phish Testing and Reporting
Password managers, either user-based or centrally managed
Managed Detection and Response (MDR)
Security Policies and End User Agreements
Advanced Breach Detection
Security Log Auditing
Annual Security Gap Audit
The above services should be professionally onboarded and managed to ensure security is not a snapshot / point in time service but rather an ongoing managed service.
Small and midsize organizations know they are dependent on IT, data and their software applications. They also know that they need to protect themselves and be able to recover should an incident occur.
First Call offers Cyber Security Consulting and Managed Security Services and would be happy to learn more about your current approach and help you find affordable approaches to managing the risk.