David Hood, MD at ANSecurity, explains the five key questions and considerations businesses need to ask and answer before embarking on the search for a security vendor.
Last year, it seemed like we couldn’t get through a single week without hearing about yet another data loss. Breaches like TalkTalk and Ashley Madison, increases in insider threats both accidental and malicious, and the rise of BYOD and remote working as the new normal have all combined to create the perfect security storm for every organisation with data.
As a consequence, the security technology market has grown, and continues to grow and evolve, in response to these new threats. The worldwide cyber security market is set to hit $101bn in 2018 according to Gartner. With a market that large and the slew of solutions available, choosing the right security solution can be as confusing as the variety of threats organisations now face.
So what are the key questions organisations should ask when deciding on new security technologies?
1. Are you expecting to grow, expand, merge or acquire?
Almost all organisations, and IT departments especially, are tasked with doing more with less, so costs will always need to be considered. It is important, however, not to consider them in isolation or without thinking ahead. Every organisation is different, but if you can think about what you need right now as well as what you will need in the short and medium term, you can avoid some unexpected issues and costs.
For example, if you’re a small start-up that is likely to quadruple in size in a year, you need to think about whether a potential security technology scales and, if it does, what the cost looks like at scale. Many small businesses opt for software rather than hardware solutions, but buying additional licences, for example, can be an expensive business, so providers who offer scalability and flexibility (such as switching tariffs) can be worth a small premium at the outset.
Most cloud and XaaS solutions offer great scalability and are often cheaper than on-premise solutions, but you need to consider the security implications and the security record of your solutions provider. Complete the due diligence of investigating what security provisions they have themselves, as well as what backup and disaster recovery might be offered as part of that cloud security solution.
In addition, if you’re likely to be bought, to buy, or to merge with another company, you might favour open technology that is more compatible with other systems you may need to integrate with at a later date.
2. Do you have a remote workforce?
Employees now expect to be able to access information from anywhere, at any time and from any device, so much so that BYOD has become the norm. But even without the challenges of BYOD, organisations will always have senior team members who travel and are expected to work while they do so, and IT teams will need to give them remote access to systems and secure any data on their mobile devices.
There are two key considerations around securing remote workers. Firstly, you need to ensure that remote access to data on your network is secure; for this you’ll need some sort of Network Access Control (NAC) solution. Secondly, you’ll need to secure any data stored on a mobile device, because mobile devices by their very nature present a huge data loss risk: the devices themselves can be lost or stolen. To counter the loss of data on these devices, there are geo-location technologies that will track the device, technologies that can disable or wipe the data remotely and, of course, encryption technologies to consider.
3. Do you have offices in different locations?
Many companies have more than one location and, as such, they need to consider how information is going to be accessed and shared among those locations. The main decision here is whether to operate a ‘mother ship’ approach, whereby the servers and databases reside at one location and all other locations connect to it either through a WAN or a Virtual Private Network (VPN), or to go with a fully cloud-based approach.
There are still security risks with the cloud, but not necessarily more than the on-premise risks, and there can be considerable cost savings compared with the often huge CapEx associated with on-premise hardware. Of course, there are also firewalls to consider, and how solutions like anti-virus will be managed will depend on which approach is chosen.
4. What kind of regulations do you need to consider?
Depending on your location and industry, there may be strict compliance regulations that you need to adhere to, and these could affect exactly which security solutions you choose. There are always compliance requirements and regulations in sectors like banking, insurance and law; there is the HIPAA Act that protects the privacy and security of health information in the US; and in Europe, the EU GDPR will come into force in just two years’ time, bringing fines to the tune of 4% of global annual turnover for data security breaches.
It’s imperative that any organisation does its due diligence, not only on the regulations within its own industry now and in the near future, but also on the regulations within the industries it might wish to supply to. Otherwise, the benefits and features of the security solution you choose could become irrelevant very quickly.
5. Will one solution do or do I need a combination?
You should consider exactly what you need to protect and not be afraid of using more than one provider. To use the example of securing remote workers above, there’s no point securing your network if you’re not also going to secure any mobile devices that connect to it. You might find a provider to secure both, or two providers that specialise in each; either is perfectly acceptable as a strategy. You just need to understand how they will interact and ensure you’re not giving the IT department double the work.
Security is a complicated and ever-expanding business and, realistically, it’s unlikely that you will find just one provider that will look after all your firewalls, antivirus, mobile, network access, backup and disaster recovery solutions. Consultancies and managed service providers can help, either by advising which solutions can work together or by taking most of the resourcing problem away altogether by offering outsourced security management with SLAs.
Once you have security technologies in place, there will be onboarding, and there should be ongoing educational activity so that all employees understand their responsibilities in using the security solutions correctly and handling data carefully to avoid breaches.
But before everything, before you even google ‘security solutions’, there’s a lot of upfront thinking to be done and a lot of questions to be asked before you’re really in a position to make an informed decision about what you need.