Maintaining effective cyber security is more important than ever. New threats emerge daily, and attackers are becoming more sophisticated in how they extract what they want from vulnerable companies. Ransomware attacks are no longer the isolated events they used to be (although attacks targeting high-profile companies still make national headlines); and, for companies that do not take adequate measures to protect their networks and data, it is really only a matter of time until something goes badly wrong.
But, let’s assume that you are already sold on the importance of maintaining an effective cyber security program. What you need to know is: Where do you go for help? Can you purchase a solution from your IT company? Or, are there other (and better) options available?
While many CIOs and CTOs assume that they can rely on their company’s IT vendors to meet their cybersecurity needs, this generally is not the case. In fact, as we discuss in greater detail below, there are several reasons why you should never use your company’s IT vendor for cybersecurity matters.
In most cases, the issue is not that IT vendors have conflicts of interest or present direct risks themselves. Rather, the concern is that IT vendors often don’t know what they don’t know when it comes to cyber security—and this means that they (and their customers) end up making decisions based on incomplete information. With the potential for severe consequences in the event of a breach, this is not a risk that most companies can afford to take.
Here’s Why Not to Trust Your Company’s IT Vendor When It Comes to Cyber Security
So, why shouldn’t you take the easy way out and use your company’s existing IT vendor for cyber security? Here are five key reasons not to trust your company’s IT vendor when it comes to cyber security:
Reason #1: Most IT Vendors Provide Off-the-Shelf Solutions
Whether they are willing to admit it or not, the vast majority of IT vendors simply resell off-the-shelf solutions. Some may repackage white-label products as their own, but ultimately these are the same products that they (and their competitors) sell to companies of all sizes in all different industries.
Is this necessarily a bad thing? In a word, “Yes.” While off-the-shelf products were sufficient for many small to mid-size companies in the 2000s, this is no longer the case today. Companies’ unique operations, systems, networks, and data all present unique risks, and this means companies have unique cyber security needs.
Additionally, companies are increasingly facing legal and regulatory obligations in the area of cyber security as well. These obligations exist at the state, federal, and international levels; and, while some obligations apply broadly (e.g. the European Union’s General Data Protection Regulation (GDPR), which applies to many U.S. companies), many are industry-specific. If an IT vendor isn’t aware of your company’s obligations, as most IT vendors are not, it simply won’t be capable of recommending a cyber security solution that meets your company’s needs.
This isn’t meant to cast aspersions on IT vendors as an industry. Rather, it is simply meant to help CIOs and CTOs understand the limits of their vendors’ capabilities. Cyber security is an area of high specialization, and the vast majority of IT vendors simply do not devote (or even have) the resources required to provide their customers with appropriate custom-tailored cyber security recommendations.
Reason #2: Most IT Vendors Don’t Specialize in Cyber Security
This last point is worth expanding upon a bit more. Most people, including most CIOs and CTOs, lump cyber security under the IT umbrella. While this fundamentally makes sense, it also overlooks the extraordinary pace of innovation in the cyber security arena over the past several years. While cyber security protects companies’ IT systems, it is no longer simply an IT function. Today, cyber security is a function all on its own, and knowing how to recommend and implement effective cyber security protocols requires specialized skills and expertise.
A good IT vendor will be able to tell you everything you need to know about building and maintaining your company’s infrastructure. It will be able to recommend hardware, software, and managed services that are adequate to meet your company’s needs. It will be able to help your company implement appropriate applications on an enterprise-wide scale, and it will be able to assist with installing updates, patches, and expansions on an as-needed basis.
But, what it will not be able to do is help make sure your company’s infrastructure is secure. This simply isn’t your IT vendor’s role. Unfortunately, some IT vendors will try to be “helpful” by going beyond their expertise to recommend cyber security applications. While these efforts are usually well-intentioned (if not a bit self-serving), they are also usually uninformed. This would be a bit like a family medicine doctor providing advice regarding cancer treatment. The advice might be in the right general ballpark, but it will not be adequate or appropriately tailored to the patient’s (or customer’s) needs.
Reason #3: Establishing Cyber Security Involves Much More than Installing an Anti-Malware Application
This brings us to our next point: Contrary to popular belief, establishing cyber security is not simply a matter of installing anti-malware applications on your company’s servers, laptops, and mobile devices. Establishing and maintaining cybersecurity requires a strategic and broad-based approach that includes not only software, but also physical security, access management, training, and the security of employees’ personal devices (which will inevitably be used for business purposes to varying degrees)—among other components. Typically, IT vendors do not provide solutions in these other areas.
Far too many companies place too much trust in their anti-malware applications. In many cases, this is because their owners and executives lack a clear understanding of the risks they face and the solutions they need to implement. Oftentimes, this is because they go to their IT vendors for help. When an IT vendor offers an off-the-shelf product and nothing more, this suggests that the product itself is adequate. This, in turn, creates a false sense of security, and this leads to inaction that puts companies’ networks and data at risk.
Reason #4: You Will Need Advice and Recommendations On an Ongoing Basis
While relying on an IT vendor to provide cyber security advice may be a one-time mistake, it is not a short-term problem. To the contrary, inadequate cyber security is an issue that only gets worse with time. The more outdated a cyber security “program” becomes, or the more a company grows without addressing its growing cyber security needs, the greater the risk becomes of a massive cyber security breach. In fact, given today’s cyber environment, it is likely only a matter of time until something goes catastrophically wrong.
Maintaining an effective cyber security program requires constant effort. It also requires advice and recommendations from true cyber security professionals on an ongoing basis. While your account manager might check in periodically when your company’s IT vendor has new products to sell, this does not count as “cyber security management.” Instead, CIOs and CTOs need to work with professionals who understand their companies’ needs and risks, and who can provide custom-tailored advice and recommendations in real time.
Reason #5: Most IT Vendors Are Not Equipped to Assist with Breach Response and Ensuing Litigation
Finally, even with an effective cyber security program in place, there is still the possibility that something will go wrong. If companies like T-Mobile and TD Bank experience data breaches, there is no reason for CIOs and CTOs of smaller companies to assume that their networks and data are immune—no matter how much effort they put into protecting them. While it would be nice if this were the case, it simply isn’t realistic.
When a company experiences a cyber security incident, effective breach response is crucial. The company must also immediately begin preparing for the possibility of breach-related litigation. Once again, this falls outside of IT vendors’ wheelhouses (and understandably so). However, if an IT vendor is unaware of the scope of the risks involved, it may attempt to provide assistance without realizing that it is helping the company dig itself deeper into a hole. Following a breach, any unnecessary delays can be extremely costly, and they can make it much more difficult to assert a successful defense in federal enforcement litigation and/or in private civil lawsuits seeking damages.
In short, IT vendors simply are not equipped to provide the cyber security solutions companies need in 2021. It is incumbent upon CIOs and CTOs to accept this reality, and to ensure that they are making informed decisions with regard to what is necessary to protect their companies’ technological and financial assets.
Speak with a Senior Cyber Security Consultant at Corporate Investigation Consulting
If you have questions about what it takes to implement an effective cyber security program, we encourage you to get in touch. To speak with a senior cyber security consultant at Corporate Investigation Consulting, please call 866-352-9324 or inquire online today.