Cyber security is challenging for a small business to handle alone. Even large businesses’ cyber security teams can struggle with a shortage of available cyber security talent. Cyber security employment must grow by 89% worldwide to cover the demand for 3.12 million more professionals.
As if the shortage itself were not enough, rising employment costs mean small businesses in particular often ask more of their existing talent.
“If you’re a smaller employer, your IT team is probably quite stretched and staff are wearing a lot of hats to keep the business online,” said Philip Cousins, director and lead consultant for global cyber security for Royal Bank of Canada. In many cases, the IT director assumes the responsibilities of a security officer as well.
When forced to prioritize, smaller internal IT teams typically focus on “keeping the lights on” so that their company keeps running and generating revenue. However, from a cyber security perspective, making a company easier to operate often equates to less security. So, the challenge of protecting a small business against cyber risks intensifies even further.
Realizing that they cannot protect their company by themselves, many small businesses turn to cyber security firms for help. Following a deliberate process is crucial in picking the right firm.
1. Assess your needs
Many small businesses seek outside help for cyber security after they have been targeted in a cyber attack or they become aware of another company that has been hit. Owners worry about protecting their businesses and their customers.
A cyber security firm can confirm that a company’s internal team takes the proper precautions and identify any vulnerabilities that they should address. Determining where and why you need help is the first step in engaging external assistance.
Common reasons for hiring a cyber security firm include:
- Managing your firewall
- Maintaining antivirus software
- Detecting intrusions
- Assessing internal controls
- Providing identity and access management
- Training employees
- Blocking denial of service attacks
“You can get a holistic view into your gaps as an organization and where you should invest,” Cousins said. You also may be able to reduce capital expenses by outsourcing security equipment, he added.
Cyber security firms offer constant vigilance as well. “You probably don’t have the resources to stand up a 24/7 security operations center as a small business,” Cousins said.
2. Consider the expertise required
The types of cyber attacks are constantly evolving — and protection against one does not ensure protection against all.
Outsourcing cyber security allows business owners to protect themselves where they are most vulnerable. “You can tailor solutions to specific business risks that are right-sized rather than building a security team that is going to provide coverage for all things security,” Cousins said.
Specialties within cyber security include:
- Protection of sensitive client data
- Securing cloud services
- Reducing fraud risk of Point of Sale systems
- Developing security policies and standards
- Preventing phishing
- Forensic investigation
- Incident response
Small businesses benefit from engaging experts in their greatest needs. “You can be more nimble and effective by contracting out certain security aspects,” Cousins said.
3. Identify risks to mitigate
Every company should have a vendor risk management process whether it is for hiring a security provider or not, Cousins said. “You should have a repeatable, consistent, and preferably automated, process that you can run through that will provide you with a program by which you can manage the risk of getting a supplier to supply services to you.”
Such a process should include standard questions for prospective suppliers. In the case of cyber security, questions should focus on a vendor’s security. Cousins suggested questions like the following.
- How would you protect my data?
- Do you conduct penetration tests on your network/cloud?
- Can you share the reports from third-party audits or assessments?
- Do you have a 24/7 security operations center?
- If there is a breach of my data, how would you inform me about it?
The extent of the questioning depends on the risk that a business would incur by hiring a cyber security firm. “If you’re not providing any of your own data to this supplier or they don’t have access to it, that would be your lowest level of risk. Medium risk would involve the service provider having access to your data. And highest risk would be outsourcing data to a supplier and integrating internal systems with a supplier,” Cousins explained.
4. Determine a firm’s qualifications
A cyber security firm’s desired qualifications depend largely on the service that it would provide. Top certifications for cyber security professionals include Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and Cybersecurity Fundamentals Specialist (CFS).
Consultants should also have at least five years of experience and background in a company’s industry, Cousins said. They should be familiar with the type of systems that the company runs as well.
Cousins also recommends that a small business check third-party sources like the Gartner Magic Quadrant for information on prospective vendors. Results from a security audit, like a SOC 2 report that examines the effectiveness of a vendor’s controls, can also help a small business determine if a firm is qualified.
5. Do your due diligence
An extra phone call to a previous customer of a firm or an additional conversation with a peer who is familiar with their work could help a business owner confirm whether the vendor would be a good fit. “There’s a lot of informal chatting between execs in different organizations,” Cousins said.
Cousins also warns to watch for red flags like an overly aggressive sales approach. “You want to weed out actors not in your best interest,” he said. “Any vendor that leads with fear, uncertainty, and doubt is automatically questionable in my mind.”
Unscrupulous behaviour like scanning a small business’s network without permission and then offering to improve the company’s security based on the results should also give an owner pause, Cousins said. So too should “technobabble” that incessantly invokes buzz terms like “blockchain,” “machine learning,” or “AI.”
“There’s a lot of security vendors out there that are really claiming capabilities that they don’t have because those are the industry terms going around at that time,” Cousins said. “It’s over-promising but it’s also trying to baffle you with complicated stuff.”
If a vendor cannot communicate with you in layman’s terms, they probably have not approached your need from your perspective, which may indicate that they do not care enough to learn more about your business, Cousins said.
A small business has enough challenges without worrying about whether it has picked the right vendor. Working through a checklist when hiring a cyber security firm protects a small business against a big problem.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.