The demand for firewall and malware prevention solutions hasn’t faltered. In fact, the number of devices protected by security applications will surely grow as long as the technological advances continue. Businesses have added scores of smartphones and tablets to their inventories over the past few years and, in many cases, those units are merely supplementing, not replacing, the PCs and laptops used for daily activities.
In the age of connectivity, security solutions will become more crucial than ever. The big problem, at least for MSPs and VARs, is these tools no longer help differentiate their businesses. Any individual or organizational IT team can go online, download and run these applications with little expertise. While the rank amateur may not get everything properly configured, chances are good that the technology will provide them some level of protection. At least from the technology side.
The issue, as well as the opportunity, for IT services providers is not the applications. It’s the people who can easily circumvent security protocol, and the lack of policies that should spell out their responsibilities for network and data protection. More often than not, it’s a lack of focus on the non-technical side of the equation that leads to breaches and subsequent fines from regulatory agencies.
The channel firms that are addressing the business need for more “soft skills” in IT security are profiting the most. They understand there is no such thing as an impenetrable defense. Today’s security professionals must work proactively with their clients to identify problem areas before attackers discover them. Continual network assessments and monitoring should be standard practice.
Ensuring that each end user has the knowledge, skills and mindset to follow those rules is just as crucial. The best protection is employee awareness and adherence to security protocol. For channel firms, that presents opportunities in policy development, ensuring clients have a set of written rules to disseminate to their workforce, as well as in training.
That means not just going over security requirements with a customer’s IT staff, but implementing a comprehensive program that covers all levels of their organization. The ultimate goal is to ensure an employee understands his or her responsibilities related to data and privacy protection from their first to last day on the job.
Compliance vs Security
Who is better positioned to offer that kind of continual oversight than managed services providers? In CompTIA’s recently released The Evolution of Security Skills report, just 33% of companies reported a very high level of security understanding within their organization. They often look to their technical support partners for help. Unfortunately, the help they receive is often more focused on the technology aspects of security than solving the business problems associated with data and network protection.
For example, complying with HIPAA and other government regulations and industry standards has little to do with antivirus applications and firewalls. Marc Haskelson, president and CEO of Compliancy Group, recently explained to me that “a complete compliance solution includes multiple audits, full remediation planning, document and version control, and employee attestation. It’s not good enough to say everyone sat in on a compliance meeting; companies have to prove each person, in writing, legally agreed that they understood what the policies, procedures and training were and are going to follow it.”
That’s not a responsibility most doctors’ offices want to take on without help. And other industries face similar compliance challenges. Local small banks and credit unions must adhere to the same standards as their larger counterparts.
What many fail to realize is that the largest penalties for non-compliance have little to do with the breach itself. While the incident of a lost laptop leading to a hack catches the headlines, the fines are a result of not following standard protocol, such as not completing required compliance audits or not following the proper procedures after the fact.
That distinction is crucial. Compliance specialists must differentiate between the technology problem and the standard procedures. From performing regular backups and security audits, to knowing where and when to report breaches or similar incidents, IT services firms must understand what it takes to keep their clients out of trouble.
Training as a Service
Since a big part of compliance is procedural, employees have to know their upfront responsibilities as well as what to do if a security incident were to occur. What is the process and timeline for reporting a lost laptop? How do they avoid getting caught in an email phishing scheme, and what should they do if they get a ransomware message after opening a link? Their response is as important as prevention.
Those are also questions that IT security professionals are commonly being asked today. Some MSPs are building comprehensive compliance practices to handle everything their clients need, including training. Others partner with specialists more knowledgeable in a particular industry — or more comfortable working one on one with employees to ensure they follow best practices to prevent security lapses.
Training is no longer optional for most companies. Big or small, every business is accountable for how its people handle and protect client, patient or other employees’ information. In some cases, those companies will look to the channel for support and guidance. The VARs, MSPs and consultants with a thorough understanding of the complexities involved with security and compliance (two separate concerns) have a huge opportunity to differentiate their service offerings. That success starts with employee and end-user training.
Brian Sherman is Chief Content Officer at GetChanneled, a channel business development and marketing firm. He served previously as chief editor at Business Solutions magazine and senior director of industry alliances with Autotask. Contact Brian at Bsherman@getchanneled.com