Cyber 101: Security Should Be Like the Electric Company

This issue’s reader question

“There’s so much Cybersecurity information available out there and so many things we seem to have to do on every device every day. Is there any way to reduce the amount of stuff my business has to know, or am I stuck hiring  security professionals and stretching the HR budget beyond its limits?”

At SKOUT, we hear this quite a lot. The good news is that you don’t have to learn everything or hire a team of people; just cover the basics and let a solid cybersecurity partner handle the rest.

Cybersecurity for the majority of businesses is something that can be outsourced easily and effectively – without needing to increase headcount or break the bank to pay for it.  In fact for small, mid-sized, and even many enterprise organizations, security should work a lot like your local electric company.  You need a limited amount of knowledge, but you rely on them to handle the rest.  Let’s look further into that analogy.

Your electric company expects that you know some basic things.  You need to know the voltage of your house – are you running on 110 (US) or 220 (EU) voltage at the power outlet?  You’ll need to know what kind of plugs you require to fit in the outlets in your house or when you have visitors from outside your area. Of course, it’s good to know that your appliances are safe and manufactured well so that they don’t damage your house or your family; and you need to know when they should be replaced. You may need to know what kind of fuses or circuit breakers you have, and where in your home they are located so you can address blown fuses and tripped circuits. Beyond that, however, you really don’t need to know about the overall system of municipal power generation or distribution.

The electric company is responsible for generating the actual power, and maintaining the systems and physical lines that deliver it from wherever it’s generated into your home. They monitor the entire system to make sure that sufficient power is generated to meet customer needs, and also to detect if anything within the system is starting to go wrong. They also know how to correct things that do go wrong, and to advise you on how to correct issues within your house if you call them and ask. They can even recommend the right professionals to assist you with in-home re-wiring and other tasks that they don’t do themselves and you may need help with.

Cybersecurity should work the same way. You and your company should have staff that understands how your own technology works, how to keep it updated, and how to manage the basics like setting up two-factor logins through the service providers (Microsoft Office 365, G-Suite, SalesForce, etc.) that you use.  You should know what WiFi networks you have set up, and who is allowed to access them. You also need policies for Bring Your Own Device and other company-specific issues.  Beyond that, you can offload security to a 3rd-party to handle the rest.

Your cybersecurity partner should be monitoring your systems and networks continuously (and, of course, their own) to look for any signs of abnormal or anomalous activities.  They should be monitoring your anti-malware systems and making sure company equipment has this protection set up and is updated regularly. For cloud-based systems like Office 365 they should be looking for strange login patterns or anyone attempting to overcome security controls put in place, and they should be monitoring the overall pattern of spam, phishing, and fraud emails your employees are receiving.  Of course, if you need direct assistance with security concerns they should be ready to assist directly; and also to recommend the right professionals to assist with anything they don’t offer in-house.  

It’s not required – or even necessary – that you have a full cybersecurity team on staff and on the payroll. First, finding the right people is a difficult process in the current security job market; and secondly you may not have the budget to handle that much additional headcount at premium salary rates. Your team should be able to handle the basics, and your cybersecurity partner should be managing everything else for you – just like your electric company manages everything from their generators to the power drop in your home.  Well, actually, your cybersecurity partner should be a bit more reliable than most utility companies…

Your dose of alphabet soup: MSP – Managed Service Provider – these are companies that specialize in a particular type of services offering and provide everything from procurement to production deployment and regular maintenance.