The last few years have put SMBs in a precarious position, and it doesn’t appear as though their situation will ease any time soon. Current inflation rates and a looming recession have forced many to tighten their belts and reevaluate how their budgets are distributed across different departments.
In the wake of several years of unprecedented cyberattacks and breaches – years in which nearly half of all breaches hit companies with fewer than 1,000 employees – it is somewhat mind-boggling to hear that 44% of SMB IT leaders expect their security budgets to be cut, according to JumpCloud’s latest report.
Smaller security budgets dramatically increase operational risk, yet they are a reality that must be accommodated, and decision-makers are grappling with what to do.
What options do SMBs have?
Skilled and seasoned cybersecurity specialists are in high demand and short supply, so bringing one in-house is often cost-prohibitive. You could hire less costly, less experienced specialists. That brings more hands to the table, but the gap in expertise and real-world practice may not be the right tradeoff.
Shuffling your tech stack and looking for less expensive tools is another option, but it carries its own risks. Unless you are well-versed in security solutions, the sheer number of options on the market will be overwhelming and confusing. The chances of selecting the wrong tools are high, and an in-house team that lacks the skills to configure and operate them properly can leave the company more exposed than before.
Another choice is partnering with a managed security service provider (MSSP). An MSSP can fill many of these gaps by providing the security expertise your business needs together with a portfolio of tried-and-tested security tools.
What to consider when selecting an MSSP?
Choosing the right MSSP for your business is not a decision to be taken lightly. You will entrust that MSSP with your business, your data, and your reputation. If they fail at their job, your company could fall victim to a cyber incident or worse: 75% of SMBs would have to shut their doors following a ransomware attack. The stakes are high.
So, what criteria should you consider when evaluating a potential partnership? In this post we’ll explore two important criteria when choosing an MSSP; be sure to check out the second blog post next week to learn about two more criteria that shouldn’t be overlooked.
Do they have the right expertise and experience?
Expertise and experience are never something you want to overlook or discount. You should feel confident that your chosen MSSP has the skills and knowledge to protect your specific business. Confirm that the MSSP has extensive experience with other companies in your industry and understands any industry-specific or geographic laws and regulations that apply to you.
The MSSP should be able to explain what measures they take to protect your data and IT infrastructure. Ask about their vetting process for the solutions they use, and don’t hesitate to dig deeper to find out how familiar they are with the products they sell. Ask how their solutions hold up against known threats and what strategies they have in place for emerging ones. Just as you are doing your due diligence by investigating them, they should have done the same when selecting their tech stack, and you need to see evidence that they did: ask for specifics, not generalities.
What are the shared responsibilities between the MSSP and its customers?
Not all MSSPs offer the same services. You need to know what kind of involvement and support you need from an MSSP and seek out one that matches. Some might provide A-Z management for all IT-related work, while others will help you choose the right tools but leave all the day-to-day management and monitoring up to you. If you have a small team that can handle some but not all of your security work, look for an MSSP that can fill the gaps and complement your team rather than one with an all-or-nothing approach.
When partnering with an MSSP, be honest and upfront about your team’s abilities and ensure that you and the MSSP clearly understand how responsibilities are divided. Put that division in writing as part of the contract so there is no ambiguity about who patches, who monitors, and who responds. Otherwise, you could be looking at a security disaster if you believe the MSSP is handling a particular aspect while they operate thinking the opposite is true.
Verify the MSSP’s internal capabilities
Established MSSPs care about their reputations, so they should not misrepresent their credentials or infrastructure. Even so, verifying what they tell you is in your best interest: ask to see the actual certificate or audit report rather than taking a logo on a website at face value.
Certifications: At the very least, an MSSP should hold a current ISO/IEC 27001 certification and be able to provide a recent SOC 2 report (ideally Type II, which covers controls operating over a period of time rather than at a single point). While an MSSP’s staff isn’t required to hold specific accreditations, the most reputable providers employ people with industry-recognized IT security certifications such as:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- GIAC Security Essentials (GSEC)
- Certified Ethical Hacker (CEH)
- CompTIA Security+
- Certified Information Systems Auditor (CISA)
- GIAC Certified Incident Handler (GCIH)
Availability, global reach, and redundancy
Downtime can cause irreparable damage to your business, so confirm that the MSSP you choose offers high availability in line with industry standards. The difference between the common tiers is larger than it looks: 99.9% availability allows roughly 8.8 hours of downtime per year, while 99.99% allows roughly 53 minutes. Even with the best-laid plans, an MSSP can’t prevent a catastrophic event such as a natural disaster, but they should have strategies in place to ensure you maintain business continuity. Ask about the MSSP’s geographic redundancy and confirm that their services are distributed across multiple locations, so that if one site fails another can keep your business running without interruption. One caveat: if your industry or region imposes data residency requirements, confirm that those redundant locations are somewhere your data is actually allowed to be.
What other factors should be assessed?
We wish we could tell you those are the only aspects of an MSSP that need evaluating, but we’d be doing you a disservice. There are several additional yet vital considerations to keep in mind before committing to an MSSP, and they are consequential enough to deserve in-depth exploration.
Stay tuned for part two of this post, where we’ll delve into them.