Too many businesses fall into the trap of letting their internal or outsourced IT resource manage their cybersecurity. At first, this may not seem like a trap at all; these are the IT experts, your managed services provider, and they know their stuff. Except, more often than not, they don’t. The two layers most small to medium enterprises predominantly rely on for cyber defense were not designed to stop today’s attacks; they’re obsolete and outdated—and your IT resource might not know this. Allowing your IT resource or managed services provider to also handle your cybersecurity is like allowing them to be their own judge and jury; you’re asking them to oversee themselves. Cybersecurity is outside of their job description, and you shouldn’t assume it is part of it.

The role of an IT resource is primarily to take away the pains and inconveniences that come from working with technology. This can mean anything from fixing buggy email servers, to getting a remote access solution implemented, to transitioning services to the cloud. Because their job is to take away the pain, and that is what is expected of them, something like cybersecurity wouldn’t be their first priority when their executive (with no IT knowledge) asks them to set up Dropbox or some other unsecured file sharing application. When the IT resource is expected to make problems go away quickly and efficiently, they will do just that—at the risk of your organization. The mindset of an IT managed services provider and the mindset of a cybersecurity resource are completely different.

A cybersecurity expert would know that most organizations have two primary layers of security: a firewall and some form of antivirus. These two tools will scan the environment and look for compromises. This expert would also know that these tools are insufficient for dealing with the malware and ransomware that hackers use in the modern age; the average time that a malicious payload spends in an environment before being detected is 206 days. That means that the average, outdated security software most companies use allows malware to operate within their system for more than half a year. Your IT resource might not have the knowledge or the tools to properly address this threat, and it’s not fair to expect them to. It’s not their job. It’s ours.

We recommend that organizations maintain great relationships with their managed IT service provider, but also work with a dedicated IT security resource to fill in the gaps and shore up the defenses. Technology has advanced for everyone, and that means modern hackers have advanced at the same rate as we have. Organizations need a security resource that can watch for a wide variety of threat indicators, things like credential access, lateral movement, data extraction, or data collection; things that can’t be measured or seen by a firewall or antivirus. Nobody can offer a completely bulletproof defense against the bad guys, but we can harden our defenses and make penetrating our clients’ environments more trouble than it’s worth. The best way to do so (from a software security perspective) is with some kind of AI-assisted automated software that actively scans the environment and alerts you to threats.

All of this work is useless, however, if you don’t train your staff in basic IT security. If you look at access to your network as a door, then most companies use a basic lock and key—but that basic lock can be picked. Our job is to turn that door into a keycard/biometric access door, one that is much harder to break through. But all of that is pointless if your untrained staff falls for a social engineering scam or phishing attack and holds the door open for a hacker. Security needs to be a higher priority for your organization, both in the tools you use and the training you require. Let us help you fill the gaps.