Confusion and misunderstanding inhibit managed security service adoption
5 December 2013
More than half of Irish organisations would not consider purchasing security as a managed service from a Managed Service Security Provider (MSSP), but when asked why, revealed confusion and misunderstanding of what such services entail.
According to a survey carried out by ComputerScope, in association with AirSpeed Telecom and Fortinet, 54% of respondents said that they would not purchase security as a service. However, when asked about inhibitors, more than a quarter (26%) cited data privacy issues, a further 6% indicated that they had a lack of understanding of the capabilities of MSSPs, and nearly a quarter (23%) cited a lack of budget.
Peter Hendrick, technical director, AirSpeed Telecom, pointed out that there was nothing in data protection legislation that would prevent Irish organisations from using such services.
“There is nothing in the European Data Protection Directives that strictly restricts the use of an MSSP to deliver the service,” said Hendrick. “The MSSP chosen needs to be selected carefully to ensure they are firstly meeting all the regulatory and data protection requirements and also adding value by delivering additional security by means of a larger specialised security team, broader product portfolio, customer reporting portals and also reducing costs by leveraging the MSSP’s existing investment in 24/7 managed Security Operations Centre (SOC) and removing the burden of security staff training and retention.”
The survey found that while more than half (53%) of respondents agreed that employees in the organisation are made highly aware of the risk of internet threats, more than a quarter (26%) were neutral on the issue and a fifth disagreed.
“More focus is needed to educate employees as this is perhaps the single greatest threat to any organisation, large or small,” warned Hendrick. “The last member of staff to leave the office won’t leave with the front door open as they know the risks associated with it. Employees want to do the right thing but need to be educated as to the risks associated with clicking the web link in an email from an unknown source or indeed a known source as a known associate’s email account may have been compromised and is sending malware links to all their contacts unknown to the third party.”
Another area of concern was that 17% of respondents said that employees within their organisation had unrestricted internet access, which Hendrick regards as a “high risk” approach.
“We have seen highly resourced and reputable sites such as the NBC online news site being infected and used to distribute malware to unsuspecting web surfers,” said Hendrick. “Google’s safe browsing technology is detecting up to 90,000 new web sites infected with malware. One Irish hosting company scanned by Google is reported as having 16% of its hosted web sites infected by malware.”
The survey also found that 40% of respondents did not have an explicit budget for dealing with security issues, with 7% saying they were unaware. This is of particular concern as research carried out by Deloitte and EMC this year found that the average cost of a cybercrime incident for Irish organisations was €135,000, with clean-up costs associated with a major security incident or cybercrime at an average of €29,954 per incident.
The results also highlighted shortcomings with current infrastructure monitoring capabilities. More than a third (37%) highlighted a lack of granularity as an issue with monitoring capabilities, with the same proportion saying that their current monitoring infrastructure was overly complex. A fifth said that the solutions were too expensive.
The survey was carried out among 166 IT professionals in November and the full results can be seen in the December issue of ComputerScope magazine.