5 cybersecurity procurement tips for any business

By Sean Marcil, managing partner at CirrusTel

In 2020, we had to send our employees home and figure out how they would be able to continue to perform their jobs, virtually, overnight. There was no time to go through the normal procurement cycle, do a proof of concept or truly vet a solution before it had to be placed into production. Even though it has been two years of running applications, equipment or solutions, there is a good chance you have a security gap, or concern, otherwise known as a vulnerability. Vulnerabilities can be devasting to businesses. Ninety percent of businesses without a business continuity and disaster recover (BCDR) plan go out of business ⁽¹⁾. Yes, your BCDR plan needs to be part of your cybersecurity plan.

Given the rate of change in technology, applications need constant attention and visibility; even in a zero trust environment. Here are five tips that can help you ensure your business is better protected against cybersecurity threats.

Tip #1: People first. Seventy percent of ransomware attacks start with phishing ⁽²⁾. No matter how great your managed service provider (MSP) is, or what technology you are using to protect against malicious attacks, it only takes one click or download to be compromised. Training your employees, once per year, and making them read a policy is not going to solve phishing. Employees can be tricked to click, especially when they are multitasking. All users in your environment need ongoing training, and coaching, coupled with phishing test emails. There are companies that can assist you in this area, such as KnowB4.

Tip #2: Utilize an MSP. Hiring, and maintaining, a skilled IT staff is challenging, at best, and it is becoming increasingly difficult to retain talented employees. The demand for skilled workers is extremely high and they are routinely contacted by recruiters for positions at better salaries and benefits. If your employee is overworked, overloaded and thus stressed out, the grass is going to look greener elsewhere. By complementing your team with an MSP, you can be more strategic and handle the projects that fit your team’s skillset and/or the “fun stuff.” Let the MSP deal with the tactical items. The MSP provides service for many customers, so they are aware of more threats, sooner, and are better equipped to handle them more efficiently.

Given the cost and risk of a ransomware attack, or data breach, the cost of retaining an MSP is worth it, as you will benefit from the economies of scale that the right MSP provides. According to the FBI, individuals lost $6.9 billion to cybercrime in 2021! ⁽³⁾

Tip #3: Do Annual Cybersecurity Assessments. The purpose of annual assessments is to understand gaps, risk exposure level, perform a health check to identify any vulnerabilities and determine if previously identified risks have been corrected. Some risks are inherent and cannot be avoided. Cyber Insurance is highly recommended and Insurance firms will be asking the questions that are a part of this assessment. Also, (i) we recommend that you do not use your MSP to perform the assessment so you have a check and balance in place. (ii) Free cybersecurity gap assessments exist and just because they are free does not mean they are cheap or useless.

Tip #4: Use Disaster Recovery as a Service (DRaaS). DRaaS is a cloud computing service model that allows an organization to back up its data and IT infrastructure in a third-party cloud computing environment and provide all the DR orchestration. This SaaS solution will allow you to regain access, and functionality, to IT infrastructure after an outage. You may feel more in control if you own the redundant equipment, applications and processes; but that does not mean your cybersecurity risk is lower. The right DRaaS solution, and there are many flavors, can empower your team to manage to a service level (SLA). Ensuring it is ready to use (if needed) and backup systems are functioning properly. Most importantly, the DRaaS design should be tailored to use at the rate your business needs. Not all businesses need the same DR plan. This may be an old analogy but some companies still use tape, how many times has the tape been put in, and backup started, only to find out that it failed.

Tip #5: Utilize an Agnostic, Trusted Advisor. Making timely and accurate decisions are paramount to the success of a business. Look for a trusted advisor that has the platform, and experience, to bring value to your team. Trusted advisors should have access to experienced third-party engineers, competitive intelligence, and be able to analyze the landscape of providers and MSP’s to provide you with a concise report and data so that any of your stakeholders will understand how you selected the end solution.

For more information, contact Sean Marcil: Phone (813) 775-2410 or via email [email protected]

References: