Small and medium-sized businesses are increasingly targeted by cyber-attacks, partly because they often do not prioritise IT security to the degree larger organisations do.
Larger corporates have more money to put into security: they can employ in-house IT security specialists, invest in security infrastructure and hold regular consultations. What is happening more frequently these days is organisations outsourcing their IT security entirely. Traditionally this option has been reserved for larger organisations, but there has been an increasing movement to adapt outsourced IT security services to fit the needs of the SMB market.
One of the big ways that this is happening is with Managed Service Providers (MSPs) extending their services to include managed security services. This is making it much easier for businesses to protect themselves from cyber-attacks.
What Managed Security Services do MSPs provide?
The first thing that should happen when you have an MSP build your security is an in-depth analysis of your network, normally carried out with a network monitoring and assessment tool rather than by manual inspection alone.
This will generate a comprehensive report detailing your level of cyber risk, an analysis of potential legal risks (pertaining to regulations such as GDPR), and any business-critical security issues you may have.
Once the MSP has this, they will discuss the implications with you, and together, you will decide on what managed security services and steps you must take to increase your cyber security.
Cyber Essentials Accreditation
This is a UK Government-backed scheme that establishes the basic controls an organisation should have in place to reduce common cyber threats. It is a foundation-level certificate, meaning it is the minimum an organisation should be aiming for, not a complete security programme.
An MSP should have gone through this accreditation themselves already, and they will support you while you work to get it too. During the application process, an organisation must fill out an online self-assessment questionnaire; upon passing this questionnaire they will be awarded the certification, along with branding for their business. The certification lasts for 12 months.
The scheme also offers a higher level of certificate called Cyber Essentials Plus, at a higher price. Engaging an MSP is definitely recommended for Cyber Essentials Plus, as it requires independent technical verification of the controls by an assessor rather than self-assessment alone.
ISO 27001 Accreditation
This is an international standard for information security. It details the requirements for an information security management system (ISMS) which must be met by a business for them to receive this certification. The requirements cover how an organisation examines its information security risks, taking into account its vulnerabilities, the potential threats, and the impact that any of those threats or vulnerabilities would have if realised.
The ISO 27001 standard also requires that a comprehensive set of security controls is implemented for the organisation. The controls are selected to meet the organisation's specific requirements, based on the assessment of its risks and vulnerabilities. Finally, for the long term, the ISO 27001 standard requires that an overarching management process be implemented. This is to ensure that the set of security controls continually meets the organisation's needs: if its security needs change, so will the controls.
An MSP that is ISO 27001 certified is a good sign of trustworthiness, because the certification is audited by an external body and means the MSP's own information security is managed through a documented, risk-based and continually reviewed process rather than ad hoc. Note that the certificate covers the MSP's own ISMS; it does not by itself certify the security of any client environment.
E3 and E5 Security
As a Microsoft Partner, TechQuarters also offers licensing for Microsoft 365 and can make recommendations based on security requirements. For our customers, we recommend either the E3 plan or the E5 plan, which offer different levels of security. The Microsoft 365 E3 plan offers the following:
- Azure Active Directory Premium P1 – With this you will get identity management for both on-premises and remote users, and it works with both local and cloud-based applications. You will get basic conditional access security.
- Microsoft Advanced Threat Analytics – An on-premises platform that helps protect your enterprise from multiple types of cyber-attacks and insider threats, by identifying suspicious activities and advanced attacks against on-premises Active Directory. Be aware that Microsoft has since retired ATA (mainstream support ended in January 2021) in favour of the cloud-based Microsoft Defender for Identity, which is part of the E5 plan.
- Microsoft Endpoint Manager – Mobile Device Management and App Management to protect corporate apps and data on any device.
- Azure Information Protection Premium P1 – Classification, labelling and rights-management encryption of documents and emails, with cloud-based tracking of protected documents. Note that this protects the files you label (manually or by policy); it is not blanket encryption of every file and storage location.
The Microsoft 365 E5 plan offers all the features listed above and goes one step further with security. You also get Advanced Threat Protection (now branded Microsoft Defender for Office 365 and Microsoft Defender for Endpoint), which includes detonation-based protection against zero-day threats and malware in email attachments, links and on devices; Advanced Security Management (now Microsoft Defender for Cloud Apps), giving you enhanced visibility and control over cloud application usage; and Azure Active Directory Premium P2, which adds risk-based conditional access. The E5 licence is particularly suited to organisations in the Financial or Gambling sectors.
An MSP should also be delivering a standardised array of technology solutions and controls that can be tailored to fit each use case.
These solutions may involve things like AI-powered monitoring tools, which may detect if a user appears to be logging in from multiple locations at once; or if company data is being shared to an application that is not permitted for use by the company. Monitoring is an excellent way of detecting potential data leaks and threats.
Multi-factor authentication is a policy that can be applied across an organisation, which requires each login to be approved via a code, push notification or link sent to the user, in addition to them entering their password. Take the previous example of a user appearing to log in from multiple locations: with MFA in place, an attacker who has only the user's password will be stopped at the second factor. The caveat is that code- and link-based MFA can still be phished (a proxying phishing page can relay the code) or worn down by repeated push prompts, so it should be paired with the monitoring above and, for high-risk accounts, with phishing-resistant methods such as FIDO2 security keys.
Another solution MSPs should use is applying security standards to data leaving the business. For example, a rights-management policy can be applied to emails sent to external parties, so that the protected content is only accessible for a set period, after which the recipient can no longer open it. Strictly, the email is not deleted; the access rights expire, which has the same practical effect.
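The two monitoring signals mentioned above (a user signing in from locations they could not plausibly have travelled between, and company data being shared to an application the company has not sanctioned) can be checked with straightforward rules before any AI is involved. The following is an added example, not code from TechQuarters or from any Microsoft product: it runs the "impossible travel" check and the unsanctioned-app check over a handful of constructed sign-in and sharing events. The event fields (ts, user, lat, lon, mfa, app, file), the sanctioned-app list and the 900 km/h threshold are assumptions for the example; a real deployment would read these from the sign-in and audit logs of whatever platform is in use.

```python
"""Impossible-travel and unsanctioned-app detection over constructed sign-in/audit events.

Added example; not part of any product. Event format, app list and
threshold are assumptions chosen for illustration.
"""
import math
from datetime import datetime, timezone

# Constructed sample events (not real logs). Timestamps are ISO 8601 UTC.
# alice: London 08:00, then New York 08:35 with a failed MFA prompt.
# bob:   Manchester 09:10, London 12:00, then shares a file to an unsanctioned app.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T08:00:00Z", "user": "alice@example.com", "type": "signin",
     "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278, "mfa": "success"},
    {"ts": "2024-03-04T08:35:00Z", "user": "alice@example.com", "type": "signin",
     "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "mfa": "failure"},
    {"ts": "2024-03-04T09:10:00Z", "user": "bob@example.com", "type": "signin",
     "ip": "203.0.113.55", "lat": 53.4808, "lon": -2.2426, "mfa": "success"},
    {"ts": "2024-03-04T12:00:00Z", "user": "bob@example.com", "type": "signin",
     "ip": "203.0.113.56", "lat": 51.5074, "lon": -0.1278, "mfa": "success"},
    {"ts": "2024-03-04T12:30:00Z", "user": "bob@example.com", "type": "share",
     "app": "personal-filehost.example", "file": "Q1-forecast.xlsx"},
    {"ts": "2024-03-04T12:45:00Z", "user": "alice@example.com", "type": "share",
     "app": "SharePoint Online", "file": "Q1-forecast.xlsx"},
]

# Assumed list of applications the company permits for sharing company data.
SANCTIONED_APPS = {"SharePoint Online", "OneDrive for Business", "Microsoft Teams"}
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins by one user that would need travel faster than max_speed_kmh.

    Sign-ins are processed in time order per user; the MFA outcome of the
    suspicious sign-in is carried into the alert so an analyst can see whether
    the second factor held.
    """
    signins = sorted((e for e in events if e["type"] == "signin"),
                     key=lambda e: parse_ts(e["ts"]))
    last_seen = {}
    alerts = []
    for ev in signins:
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (parse_ts(ev["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            # Same timestamp but a different place is trivially impossible.
            if hours == 0:
                speed = math.inf if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_speed_kmh:
                alerts.append({"user": ev["user"], "from_ip": prev["ip"], "to_ip": ev["ip"],
                               "km": round(km), "hours": round(hours, 2),
                               "speed_kmh": round(speed), "mfa": ev["mfa"]})
        last_seen[ev["user"]] = ev
    return alerts


def unsanctioned_sharing(events, sanctioned=SANCTIONED_APPS):
    """Flag share events whose target application is not on the sanctioned list."""
    return [{"user": e["user"], "app": e["app"], "file": e["file"]}
            for e in events if e["type"] == "share" and e["app"] not in sanctioned]


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print("IMPOSSIBLE TRAVEL:", a)
    for s in unsanctioned_sharing(SAMPLE_EVENTS):
        print("UNSANCTIONED SHARE:", s)
```

Run as-is it reports one impossible-travel alert for alice (London to New York in 35 minutes, with the MFA prompt failing) and one unsanctioned share by bob; bob's Manchester-to-London sign-ins are under the speed threshold and are not flagged. In production the geolocation would come from the identity provider's sign-in log rather than being embedded in the event, and the threshold would be tuned to avoid false positives from VPN egress points.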
Having standardized solutions such as these means an MSP will have a really in-depth understanding of the tech and will therefore be able to identify potential security risks more effectively and fill such gaps.
The Importance of Compliance
The need for data security is not just in case of cyber-attacks, but for the rules and regulations businesses must comply with. In fact, data compliance has become so important in recent years that it is almost indistinguishable from cyber security. Therefore, from the outset of an MSP-client relationship, there should be an understanding of all the compliance regulations that apply to the client business, as that will help dictate what managed security services the MSP should be recommending. Going forward, an MSP should ensure that any changes made to a business' systems do not violate any of its security policies.
Yes, even though we have left the EU, the General Data Protection Regulation still applies to your organisation, in the form of the UK GDPR (we have a blog explaining GDPR post-Brexit). GDPR is primarily concerned with the protection of personal and consumer data, in particular personally identifiable information (PII). There are two important definitions in GDPR one must know:
- Data Controller – the person or organisation that determines why and how personal data is processed.
- Data Processor – whoever performs the data processing on the controller’s behalf.
GDPR requires all Data Controllers to: 1) have a lawful basis for processing personal data, of which the subject's consent is one (others include contract and legitimate interests); 2) honour data subjects' rights, including the right to have their data erased and the right to have it transferred out of the Controller's systems; 3) notify the Information Commissioner's Office of a reportable personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and notify the affected data subjects where the breach is likely to result in a high risk to them; 4) take appropriate technical and organisational measures to protect subjects' data at rest and in motion, which for many organisations includes appointing a data protection officer and performing data protection impact assessments for high-risk processing.
As an example, our GDPR services begin with an audit of your network: there are tools that can locate all the PII a company holds about its customers, even if it is spread across multiple places. We will make sure that all personal data you hold that falls under GDPR is centralised and stored in a secure repository. From there we'll advise you on how to technically protect your data with encryption policies, conditional access, restrictions on certain applications, and external sharing policies.
We can also assign you a GDPR consultant to look at your existing protocols, the adoption of data protection practices, and even train managers and users on following processes. As well as all this, going forward we provide regular reporting of the data you hold – again these records will be stored for a set period of time, in centralised location for security purposes, and so that it can be accessed by relevant parties only.
Healthcare Sector Compliance
In this sector you hold much more personally identifiable information than most other sectors, and much of it is special-category health data. As well as GDPR, healthcare organisations must carefully consider the Data Protection Act 2018 and, for private providers also operating in the US, the Health Insurance Portability and Accountability Act (HIPAA). These are all essential to protect patient privacy.
Mobile devices such as phones, tablets and laptops are a common source of data leaks. The best way to reduce this risk is by using Mobile Device Management (MDM) software.
Using MDM software will drastically enhance the security level of your devices. With it, we can segregate company data on a device to prevent it mixing with personal data, which would risk it leaking out of the company. We can also restrict access to any applications that might pose risks or create vulnerabilities to data on the device. A range of data usage controls and security policies can also be applied to a mobile device. We would also implement logging and monitoring of company data usage on mobile devices, to help identify the source of a leak when one happens. At TechQuarters, we use Microsoft Endpoint Manager (which includes Intune).
Some of the other ways we at TechQuarters help secure PII for healthcare organisations is by updating equipment. We have found that outdated equipment is more common in hospitals and medical centres, and the first step in improving their security is provisioning them with new devices that support better security, such as current operating systems that still receive security updates.
Financial Sector Compliance
At its core, the data security and compliance regulations of the Financial sector revolve around the encryption of data at rest, meaning that even when data is not moving from one location to another (such as when it is stored on a hard disk) it remains encrypted. It is also required that personally identifiable information (PII) is processed and protected in the right way. This may involve classifying data into sensitive and non-sensitive categories, creating access and privilege models so that only those who need a category of data can reach it, and using monitoring to identify the source of data leaks when they happen. And of course, compliance regulations also require time limits to be placed on the retention of data.
How we help in our own way
Here at TechQuarters, as well as everything we've spoken about above, we have our own ways of helping our customers with security. As mentioned, we always make sure our customers are working with up-to-date software and hardware, but we don't stop there. Once a customer has been provisioned with new technology, we help with adoption of the tech at a user level with our platform, the 365 Cloud Academy. The Cloud Academy is our tutorial platform that provides videos on all the Microsoft applications one uses on a daily basis; it shows people how to use applications more efficiently, and in a more integrated way.
But, specifically in the realm of security, we offer user training on the principles of user safety – e.g. how to spot a scam email, how to create strong passwords, or best practices for safe web browsing. Our ‘Best Practice Security’ Playlist is on the 365 Cloud Academy and is available to all of our customers.
So that was an in-depth review of many of the possible managed security services an MSP could be utilised to provide your business! If any of these seem of interest to you, please do get in contact with us on the details below.