
Cyber Support is as essential as IT Support (and is not the same thing)

An interesting discussion started by my old mate Ian Murphy on LinkedIn was essentially trying to ask why the majority of business leaders out there hate security.  It’s interesting because there are as many opinions as the proverbial pebbles on a beach.  My take is not straightforward either.


I don’t, for instance, believe that people hate security.  Oh, I know that many people in IT support and development positions aren’t overly fond of it, seeing as it often makes their lives a little more complicated.  In my past, both Ian and I have had some interesting discussions with developers on major IT projects in which we were definitely seen as the bad guys, the ones who increase costs without demonstrating a return on investment.  And therein lies the nub of what I see as a major stumbling block to improving cyber security throughout the economy.


According to recent research released by Barclaycard, 48 per cent of SMEs fell victim to at least one cyber attack last year and 10 per cent were targeted multiple times.  Yet it is particularly difficult to convince the SME community that cyber security is essential.  Oh, they know it is really; there’s this nagging feeling in the back of their mind that they should really be doing something, especially with the increasing burden of compliance imposed by various industry-specific standards as well as the more general ones such as the Data Protection Act 2018/GDPR.  But the problem is that they are coming out of a pandemic and are also probably operating on tight margins.  Add to that the change in working practices that is becoming popular, and there’s a lot to be getting their heads around.


A real issue here is also that they often have built up a relationship with a local IT company who provides their hardware and software, their network and probably also their IT support, under contract.  These companies are generally known as VARs, i.e. Value Added Resellers, which means that they sell other people’s products with added services such as installation and ongoing support.  Now, before I get a ‘pile on’, there is nothing wrong with that as a business plan.  It’s a perfectly viable way of going to market and has been around a long time.  VARs are the mainstay of many software and hardware companies’ sales plans and I’ve worked with them often when working for HP, Symantec and others.


So why am I bringing this up?  Well, I do have an issue with these companies when they tell their customers that they’ve got security covered.  They do this because they have, as a rule, provided a firewall, anti-malware on all the desktops and made sure that the endpoint firewalls are all switched on.  As part of their support package they, usually but not always, ensure that security updates are rolled out across the estate.  But they don’t go much further than that.  Now I know there are some that do, so if you work for one of those please don’t get upset; be happy that you are leading the pack.


Most of these companies don’t assess their clients’ risk, or even know that that’s a good thing to do, generally because, in order to keep costs down, they don’t employ people skilled in risk assessment, and neither do they want to increase charges to their clients without a definite advantage to themselves.  Again, I understand that.  Business is business.  But understanding the risk informs you of where the client needs protection, and if you haven’t done that, then you are not providing your client with the protection they need and deserve.


So, how do you assess risk?  Threat + vulnerability = risk.  Not a difficult equation, but it can be lengthy and manpower intensive to do, depending upon the size of the client, if you don’t have access to a tool that allows you to automate much of the problem.  Many risk assessment tools are not aimed at the SME market, but there are an increasing number that are.  Here at H2 we use one and actually, just to show I’m not totally against VARs, we sell it too.


Another problem I can see raising its head above the parapet is that there are some VARs out there who would like to get more involved with cyber security.  Unfortunately for them, qualified resources are at a premium and as a result are gobbled up by the big boys in the Fortune 500 arena and paid the kind of salary that a VAR just can’t afford.  Sad but true.  So they are often left with those who may well, one day, be gobbled up themselves, but at this moment in time are short on experience to back up their qualifications.  The best way to assess them is this: if they believe that technology solves the problem every time, then you know you’ve got a duffer.  The view that technology is everything is of course one that a VAR likes, because selling technology is how they make their money.  A quote from Bruce Schneier, an eminent American scientist and information security thought leader:


If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.


So, what do I think should be happening out there?  The first thing I’d like to see is for VARs to admit that security isn’t their core business and to work with us pure security types in partnership, to enhance what is going on with their clients.  Stop viewing us as rivals who are there to steal your lunch and make you look foolish.  That’s in no one’s interest: not the VAR’s, not ours, and certainly not the client’s.  Failing that, if you are an end user out there and you suspect you might not be getting the best advice and guidance from your local IT company, even though you have a good relationship with them, then again, give us a call and we can chat things through.  Even when contracted directly to an end user, we will strive as hard as we can to work with their IT company and not against them.  Of course I would say that, but please, trust me, I’m a security consultant!!