Following the highly publicized data breaches of the past couple of years, many Canadian organizations are beginning to accept that their in-house cyber-security measures perhaps aren’t as effective as they once thought. After all, if Target, Sony and the CRA can be hacked, how can organizations with a fraction of the cyber-security budget feel safe? It turns out that many don’t.
A study by IDC Canada found that 48 per cent of Canadian organizations are more concerned about cyber security today than one year ago. While many would like to be doing more to insulate themselves, most simply don’t have the budget, according to the study.
“Just under one quarter of Canadian organizations still believe that their organization is fully prepared to stop a data breach, despite the fact that we continue to see large organizations with substantial security budgets experience breaches,” says IDC Canada infrastructure solutions analyst Kevin Lonergan.
As a result, Lonergan says many are now turning to managed security service providers (MSSPs) as a way of outsourcing IT security. By doing so, they can enjoy round-the-clock resources and dedicated security staff for a fraction of the cost of keeping those services in-house.
“Canada is very heavily weighted toward mid-sized organizations, and it’s hard to pay for enough security staff to have them working 24/7 and available in case there’s a breach or a threat. That’s a really big problem,” he says. “You can find the most expensive, next-generation firewalls in the world, but if they’re not configured properly, if they don’t have the right rules set up, if they’re not flagging the right events, just throwing up a bunch of false positives, then they’re no good.”
While organizations have a need for IT security staff, Lonergan says talent in the field is expensive, difficult to find and even more difficult to hold onto, especially for small and medium-sized businesses.
“If you’re an SMB shop, you don’t really want to invest in a separate security team when your budget is so tight that you’re struggling with just IT in general,” he says. “Even if you have a security team, the threat landscape is evolving very quickly, and trying to keep up with that is very challenging.”
That’s not to say in-house IT staff should be concerned for their job security, says Lonergan. Instead, he believes that when cyber security is outsourced, in-house teams are able to dedicate their time to more valuable tasks, as opposed to troubleshooting.
And, because they specialize in IT security, MSSPs can afford higher salaries and thus attract better talent than most organizations can currently afford.
Lonergan adds that when choosing an MSSP, organizations should consider their budget, the types of services they require and, for those handling sensitive data that can’t leave the country, which providers are based locally.
“There was an overconfidence in Canadian organizations, and it’s good to see that people are moving to a managed model,” he says. “I’m not saying that all organizations are unable to secure themselves, but when you do see these large organizations get breached, every organization should be thinking twice about security.”