What's the channel's priority now? Not reacting passively to cyber attacks but doing everything possible to stop them happening, urges Steve Nice, Chief Security Technologist at Node4.
Let's not assume that it's the CEO's sole responsibility to ensure that castle walls are erected to protect against the ever-present and growing threat of cyber attacks. We must acknowledge that there are degrees of responsibility - and the channel has a duty to educate end users and help build that wall, says Nice. "The channel needs to educate customers about the realities of this new security landscape," he said. "In a new open digital world data is no longer located purely in the data centre. The edge has pushed far into operational technology, cloud and mobile. In this environment organisations will need to define their acceptable level of risk and focus security resources where they are needed most."
Gartner predicts that by 2020, 60 per cent of enterprise information security budgets will be allocated for rapid detection and response approaches, up from below 30 per cent. This increase is a reflection of the transition towards cloud-based digital business which is having a significant impact on the security requirements for all organisations. And the opportunity for the channel is clear - to help customers keep pace with a rapidly evolving and increasingly complex threat landscape. But the way ahead is not so straightforward.
IT departments are under pressure to balance the need to protect their business with the requirement to keep it running. In this scenario, prioritising limited security staff and resources will become more important. Enter security as a service. "Customers are showing a preference for security products in an 'as-a-service' format," said Nice. "Node4's Managed Security Service offers channel partners a market-ready security solution designed to help end users identify and prioritise threats so they can isolate risks and take preventative action as well as respond effectively to incidents when they occur."
Node4 has developed a Managed Security Service that addresses the security needs of the SME and mid-market sectors. Its service offers a Defence-in-Depth Security Strategy comprising all the components required to protect local, infrastructure and cloud resources with overlapping security tactics.
Nice also noted that mobile devices are emerging as the biggest threat as they become more powerful and ubiquitous. It is forecast that up to 25 per cent of corporate data traffic will flow directly from mobile devices to the cloud, bypassing enterprise security controls. "This means that organisations need to address cyber security risks in technologies and assets they don't necessarily own or control," added Nice. "This calls for a people-centric approach to security which gives each person more autonomy in how they access information and use devices."
By far the biggest internal threat is the human element. Not through malicious attacks, but through errors made by employees. "This will come as no surprise to any IT manager that has had to deal with the fallout from a lost laptop or company phone," said Nice. "The more devices we have, the higher the chance of this happening."
In an increasingly connected world, clicking the wrong website link, for example, or exposing company data on an unsecured area of the cloud is all too easy. Furthermore, there was a time when leaving sensitive printouts on a train or in a taxi was a bad enough risk. Today, all of a company's data might be stored on a single micro SD card and easily misplaced.
"The human error vector carries with it more risk than ever before," added Nice. "There is a huge opportunity for the channel to play a more consultative role with their customers, highlighting the reality of today's security environment and helping them to develop policies that mitigate risk for employees, be that in the workplace, a home office or on a train."
The key to good security is having the right system continuously monitoring the threat environment and managing security risks. Organisations will be looking to outsource a large part of this function to a managed security provider, simply because the cost of keeping abreast of the evolving landscape will be prohibitive to all but the largest organisations. But despite the cold cyber facts, adequate security budget decisions will only be made where there is a full understanding of the threats and risks at board level.
"CEOs will become more aware that a lack of effective cyber security measures will pose a real threat to their organisation," commented Nice. "Gartner has already predicted that by 2020, 60 per cent of digital business will suffer major service failures due to the inability of IT security teams to fully manage digital risks. More business leaders will be asking themselves if they can afford not to have the right levels of protection in place."
One of the channel's most important roles is to educate the end user, emphasised Nice. "We recently carried out research into the IT priorities of the mid-market in which 63 per cent of IT decision makers say that security is a top priority, but most of them have inadequate security in place," he commented. "And while 74 per cent have anti-virus protection, just over half have data encryption and only a third have intrusion detection. It is down to the channel to educate customers about the scale of the security threat in a cloud-based digital world."