Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Cybercrime can seem like a distant danger until it hits you, and it’s hitting harder and faster than ever.
The Australian Cyber Security Centre (ACSC) received almost 68,000 reports of cybercrime in 2021, a rise of nearly 13% from the previous financial year. Cybercrime affects businesses of all sizes in every sector.
To face this threat, every organisation needs cyber support, but what form should it take? Some companies rely on an in-house team, others hire third-party protection and some use a mix of both. But which option is right for you? It can be a difficult question to unpack, since every organisation is different and there are tons of different cybersecurity models you could employ. Let’s take a look at how to get a better handle on the decision.
Cyberattackers are targeting every size of organisation
Some new businesses, particularly smaller ones, may think that cyberattackers have bigger fish to fry. It’s true that the average loss reported by company size was around $9,000 for small businesses, compared to $33,000 for medium-sized organisations and $19,000 for large organisations. But those sums hit smaller companies harder, since they represent a larger portion of their revenue. So what’s in it for the hackers? Why would they target the little guy?
Part of the problem is that every business collects data, and even apparently worthless information like “junk” passwords can be profitably sold on the dark web. Executives may think that such data is safe behind passwords and a network firewall, but trends such as increased employee use of personal devices, the Internet of Things (IoT) and the growth of ransomware mean your company is still at risk.
Remember, hackers are creatures of opportunity. If they come across your business, regardless of its size, and see something worth stealing, they will target you.
Even so, organisations in different sectors can face different types of cyber threats. If your company is involved in e-commerce, you (and your customers) could be at risk from brand exploitation, while phishing emails are a danger for every company, regardless of sector. Depending on the kind of space your organisation operates in, you may also struggle to achieve industry compliance without an experienced cybersecurity team.
In this landscape, everyone needs a company-specific cybersecurity strategy, but many find their solution falls short – a survey of Australian businesses showed that 76% were hurt by their lack of cyber preparedness in 2021.
When you should keep cybersecurity in-house
There are many advantages to keeping your cybersecurity operation in-house. A team that’s embedded in your organisation will also be embedded in your company culture and aligned with your organisation’s aims. It will also know your industry inside-out, something that can be particularly important if you are in a specialist area.
You will also be able to manage your workforce directly, meaning you can reassign staff and have more control over the kind of people you hire. Communication speed should be quicker with an internal team, and there will be less concern about confidentiality. Another bonus is retaining specialised knowledge and skills in-house, supporting business continuity.
In-sourcing can also be a great choice for organisations that have special technical needs. Maybe they have highly specialised on-premises infrastructure, or the nature of their work needs a dedicated Security Operations Centre (SOC). Naturally, in-house teams are very resource-intensive, but they offer the most control over cybersecurity measures.
When you should consider outsourcing cybersecurity
Outsourcing cybersecurity to a Managed Services Provider, or MSP, can also be a good move for many companies, particularly for smaller firms that would rather not maintain a significant internal team. One of the biggest reasons is cost – with average annual salaries for skilled cyber workers soaring to $100,000+ a year, full-time analysts don’t come cheap. In contrast, MSPs let you choose your own price plan for the services you need. MSPs will also have the capacity to react to out-of-hours breaches, whereas a small in-house team may feel the strain if a crisis hits, or a key employee leaves. This option allows you to enjoy all the perks of top-end enterprise-level security without any of the associated overheads. Even better, you can quickly scale your MSP up or down as per your business needs. For smaller companies, this kind of flexibility can be a big advantage.
Most small and mid-sized companies tend to dump cybersecurity responsibilities on their existing IT team, who aren’t always trained or equipped to handle security. They can end up giving advice that isn’t fully formed, or neglecting the actual job you hired them to do. Cybersecurity is a highly specialised field, and needs people with the right training and expertise to do it effectively.
Your cybersecurity MSP, however, will be staffed with trained specialists. They’re likely to be fully certified in a range of tools (which means your team don’t have to jump through hoops to learn them), have access to more threat intelligence and be across compliance requirements as well.
External teams can also help you manage your cyber risk
The right external team will not just monitor day-to-day threats, but can assess distant dangers you may not be aware of. They can evaluate your processes and security protocols, review your training and assess your software environment. Such forward planning can build cyber resilience and limit your attack surface.
Since cybersecurity is their full-time job, MSPs also stay ahead of the changing cybersecurity landscape. They should be across the latest ransomware and bugs, and be able to suggest solutions. They’ll have an awareness of the prevalent threats in your sector, and be able to guide you on the best way to manage them. The best MSPs will be able to talk about the impact of cybersecurity in commercial terms, and what those measures will mean for your business in terms of risks and benefits.
Building a cybersecurity solution that works for you
Your first step should be the appointment of an executive with responsibility for cybersecurity, whether they’re a CTO, CIO or CISO. They should ensure cybersecurity runs throughout your organisation, and will either manage an in-house team, or handle the relationship with a third-party MSP.
Of course, you’re not restricted to either in-house or outsourcing. Many organisations find a hybrid model works better for them, with some responsibilities handled in-house while others are assigned to an MSP. For example, many firms simply sign up for out-of-hours service, or tap into an external cybersecurity team for specialised support, while the internal IT team handles day-to-day tasks. Whatever you decide, you’ll need to ensure that any third party you choose understands your industry and compliance needs. Read contracts carefully, and be ready to ask about past incidents and how they were resolved. It’s a good idea to ask a prospective MSP about cybersecurity best practices in your industry, just to get a handle on how they approach things.
When’s the best time to onboard a cybersecurity team?
With cybersecurity threats mounting, the obvious answer is “as soon as you have an IT department”. Modern businesses have to work with an army of external partners such as suppliers, consultants and freelancers, many of whom use their own devices and platforms, all of which need to be secured. On top of that, many employees are working remotely, so there’s an added element of cyber risk. Very few businesses can do it all in-house. But while outsourcing can be a great option for many companies, having at least one person on your in-house team who can stay on top of cybersecurity is essential. It’s always wise to have someone in your organisation who understands cybersecurity, and knows how to work with MSPs as well as their own internal systems to make sure they’re always in sync.