Cyber Security Consulting and Managed Security Services
A cybersecurity event not only stops time, it also stops everything else as you wheel around to figure out what happened, how bad the damage is, and what you can do about it.
There is so much that has been written about cybersecurity. It is a high priority topic in the media, industry sectors and for government. Organizations know they need to be concerned.
IS THIS REALLY HAPPENING?
ARE COMPANIES GETTING BREACHED?
Yes. Only the big public stuff gets reported in the news, which is why there seems to be a disconnect between the amount of emphasis put on this and what we know about in our community.
Private organizations have user accounts breached all the time due to bad password requirements. Remote desktop servers are set up incorrectly and easily exploited via the web. Office 365 environments and mailboxes are constantly attacked. Users click on emails and websites they should not. These things regularly turn into a crisis but are not reported. No one wants to report they are in a crisis. We have seen this firsthand with Montana organizations coming to us for help: real dollars being stolen, entire server and workstation fleets being held hostage by ransomware, reportable data breaches, and organizations having to disconnect their business from the internet for days and weeks.
The simple answer is that there is money in successfully attacking nearly any organization. It is challenging, interesting and it pays the people who are involved with the work. It is also low risk given the low probability of being caught, tried, and convicted.
For most organizations with 20 to 200 employees, it is unclear what they should be doing tactically.
You may be reading this because you would like to talk to an expert or a cyber security consultant.
You likely have questions like:
WHAT IS NIST?
Explain what they mean by a
NIST stands for the National Institute of Standards and Technology. NIST was tagged by the Federal powers that be to establish guidelines that organizations not already regulated by other frameworks could leverage to manage cyber risk.
The core of the NIST cyber security framework:
Our advice: these frameworks can be overwhelming, but an experienced provider or cybersecurity agency will know within an hour of conversation and investigation whether you have the blocking and tackling you need in place or not. A qualified consultant will be able to explain the process, costs, and tools for establishing the controls you need and how to maintain both protections and recovery capabilities over time.
ARE ANY INDUSTRIES MORE AT RISK THAN OTHERS?
The short answer is yes. Banking, finance, health care, manufacturing, government, education, and criminal justice all have higher risk, either because of the value of the data, the cost of downtime, or the trust factors associated with the relationships they manage. Most of these organizations already have regulatory bodies and/or frameworks: HIPAA, CMMC, FERPA, CJIS.
That said, there are other factors to consider beyond industry.
Size: the more employees an organization has, the greater the risk controls needed and the greater the impact should an incident occur. An organization with 20-50 employees needs to have a strategy; at 50-100 employees the depth and complexity will increase; at 100-200 the same thing; and so on.
Assets and asset value: this is where all frameworks start, with questions about your data, its value, and the impact on your business should it be affected.
In our experience, any organization using computers, email, and the internet has risks. Everyone needs fundamental protections in place, what we refer to as blocking and tackling. As you grow larger or simply have great risk due to your industry, regulations, or asset value you must go beyond the blocking and tackling to advanced cybersecurity measures.
DO I NEED CYBER INSURANCE?
The reason insurance exists is because real risk is on the rise and enough people wanted to transfer some of the risk to an insurance carrier. If you are in a high-risk industry, your employee count is rising, and your dependency on data/IT is increasing, cyber insurance is a must-have.
When shopping for coverage, think about what risk you are looking to transfer to the carrier.
Here are a couple of examples…
A medical facility should consider regulatory defense and penalty coverages to avoid having to pay the legal defense fees and penalties in the event of a patient privacy records breach.
Get advice from your cyber security consultant. (Hint: even a basic risk assessment will help steer you.)
Work with your insurance agency. Always avoid competing carriers or duplicate policy coverages.
CYBERSECURITY IN THE CLOUD
If I am in the cloud am I safe?
Safe means you have protections in place, you can detect issues and recover in the event of a successful attack.
Microsoft 365 is a common cloud platform. Just because you are on Microsoft 365 does not mean you are safe. There are tools native to the platform that can be leveraged for protection, detection, and recovery. There are also a variety of 3rd party tools available. Platforms like Microsoft 365 need people, process, procedures, tools and behavior to achieve cybersecurity.
Being on the cloud in and of itself does not make you safe. Make sure anyone helping you manage cybersecurity can help you build good cyber security posture in the cloud.
CYBERSECURITY PRODUCT OPTIONS
What kinds of products and services are out there to help us?
Too many. That is part of the problem because organizations begin to drown in the options. Example: There are 50+ antivirus options just for Microsoft Windows!
Beyond the issue of there being too many options in the marketplace, organizations often take a symptom-based approach. This often leads to a mishmash of vendors, solutions, and expenses. The right way is to choose an approach geared towards addressing gaps in a cyber security framework.
What is the main benefit in defining your approach and layering that against a framework? It is easier to see the gaps and address the ones you care about.
When you address the problem in a framework you are thinking about cost, automation, and integrations as your driving principles, not which of the 50 antivirus programs is better.
When considering services, define what roles you need. Does it make better sense to source those in-house or via a 3rd party?
3rd party organizations like First Call have already done this work and packaged products, services, and costs together that address the gaps, integrations and automations needed to make it cost effective.
CAN I DO MANAGED CYBER SECURITY IN-HOUSE OR SHOULD I OUTSOURCE?
Organizations with 20-200 employees are typically outsourcing cybersecurity services based on the following factors:
1. IT labor shortage (especially acute in cybersecurity fields).
2. Their existing IT people (whether in house or outsourced) are focused on user needs, application support, uptime and traditional infrastructure projects and management.
3. Building a mature cyber security practice takes knowledge, time, and resources. Organizations do not have the time to allow for the services to take shape and become fully operational. They need production ready solutions now.
4. They need something that will scale, flex, and change as their internal factors change and the threats evolve. 3rd party services are typically more agile and up to date than in house shops.
5. Much of the work involved in managing the risk requires soft skills, as you are dealing with users and their behaviors. Most traditional IT shops do not have the soft skills required to help influence and manage behavior across the internet, email, remote work, personal devices, etc.
HOW MUCH DO CYBERSECURITY SERVICES COST?
Managed Service Providers, Cybersecurity Agencies and Managed Security Service Providers are going to have packaged services ranging from $10 per user per month to $200. Many of the solutions out there are designed for enterprise or medium businesses (more than 200 employees), so be sure to engage with vendors focused on smaller organizations with smaller budgets in mind. First Call’s services can range between $10 and $40 per user per month depending on the size and scale of the organization and the services involved.
Organizations can also invest in standalone risk assessments. Costs vary, but what you will find is that with consultants it will be higher because that is where they are making their money: in the assessment, not in the ongoing services to maintain an organization’s security posture.
Leaders need to manage the risks affordably, and many organizations with less than 200 employees struggle with this because many of the tools, services and providers are priced for larger organizations. Keep it simple: what will the blocking and tackling cost us? What advanced services do we need and how much does that cost? Perform this exercise all while keeping in mind that the threat is real and organizations can no longer afford to do little or nothing.
The higher the price the more:
gaps their approach addresses.
professional services that are bundled in.
hours of coverage involved.
risk they are inheriting when an incident requires response and recovery services.
WHAT BLOCKING AND TACKLING SHOULD ALL ORGANIZATIONS WITH MORE THAN 20 EMPLOYEES HAVE IN PLACE?
Here is a quick checklist of the protections we would recommend at a minimum for any industry/organization with more than 20 employees commonly using the internet/technology in their work.
While this may look like a lot, some of the services are likely bundled into technology you already have. Others you likely need to add or at least beef up to establish alignment.
VPNs for remote workers and sites
Internet content filtering
Basic password hygiene practices/controls
Multi factor authentication
Wi-Fi Password Protection
Basic Windows Patch Management
Basic Annual Security Gap Audit
Encrypted Backups (preferably Cloud based)
What about advanced managed cyber security services for organizations with more risk and sophisticated needs?
For organizations with advanced protection needs First Call recommends everything in the above list and some additional services provided by 3rd party cyber security companies like First Call. Any cyber security consultant will highlight human error/user behavior as the number one security gap. Given that fact, more controls are needed as well as security awareness training and testing.
Dark Web Monitoring Services
Security Awareness Training and Testing
Phish Testing and Reporting
Password Managers either user based or centrally managed
Managed Detection and Response (MDR)
Security Policies and End User Agreements
Advanced Breach Detection
Security Log Auditing
Annual Security Gap Audit
The above services should be professionally onboarded and managed to ensure security is not a snapshot / point in time service but rather an ongoing managed service.
Small and midsize organizations are sure they are dependent on IT, data, and their software applications. They also know that they need to protect themselves and be able to recover should an incident occur.
First Call offers Cyber Security Consulting and Managed Security Services and would be happy to learn more about your current approach and help you find affordable approaches to managing the risk.