Service Providers, How Well are You Securing Your Data?
For IT service providers, having a strong information security strategy in place cannot be an afterthought. All it takes is one significant data breach against your systems and you can basically forget about taking on any new clients any time soon.
Service providers are responsible not only for securing their own data, but also for protecting their customers’ data and any consumer data they hold on those customers’ behalf. Although several organizations share this chain of custody, the real onus falls on the service provider to raise the level of its security practices, especially as more businesses depend on providers to manage their sensitive and confidential data.
‘Another hack’ is common language.
The recent rash of data breaches against some of the most well-known companies in the world shows how vulnerable many businesses are to attack, and how costly these intrusions can be. To make matters more difficult for IT and security executives, the threat landscape seems to change constantly.
As research firm Forrester pointed out in a January 2015 report, the threat landscape is rapidly mutating. “The security gap between new attack methods and traditional controls continues to grow in favor of the attackers,” the report says. “Hackers today are highly organized, well-funded crime syndicates, or in some cases, state-sponsored agents.”
Attacks overall are becoming more targeted, sophisticated and resourceful, Forrester says. On top of that, the costs of breaches vary widely and hit many areas of the business.
“Understand the different costs of breaches, and estimate damages to elevate security conversations with management,” the report says. “Consider response and notification, lost productivity, staff departures, legal action, regulatory fines, additional security and audit requirements, loss of customers, and other liabilities like downgraded credit risk ratings.”
Put your oxygen mask on first.
Upper management can no longer ignore the business implications of today’s threat landscape.
Fortunately, as a service provider there is a lot you can do to bolster your security posture in the face of these challenges. The first order of business should be a security maturity assessment to identify the gaps, strengths and weaknesses in your IT infrastructure. Identifying and closing those gaps makes it far more likely that you can stop attackers from reaching your data and your customers’ data.
Forrester has developed a maturity model that provides functional explanations and evaluation criteria for every aspect of a complete information security organization. It underpins Forrester’s IT security and risk program assessment engagements and gives clients a comprehensive self-assessment tool.
The Forrester Information Security Maturity Model (October 2014) provides a framework that describes all of the required functions and components of a comprehensive security program. With a three-tiered hierarchy, it also offers a methodology for evaluating the maturity of each component of the framework on a consistent and prescriptive maturity scale and for reporting the position to a level of detail that can be adjusted for different audiences.
Forrester suggests that companies set realistic targets and then demonstrate growth and improvement against them. “CISOs often struggle to communicate the results of their efforts, including how they’ve provided a return on security investment,” the firm says. “This maturity model provides an objective framework with which to measure progress; by setting realistic targets, you should be able to demonstrate to senior management that you’re driving improvement toward an agreed-upon goal.”
Here’s more self-protection for the service provider.
The 2015 Data Breach Investigations Report from Verizon includes some specific advice for service providers: “Secure your services, which means knowing where your services are and how they’re configured.” The report suggests that service providers block access to known botnet servers and patch systems to help stop malware from turning nodes “into hapless automatons of doom.”
To understand how your organization would react to a distributed denial of service (DDoS) attack, Verizon says, conduct regular drills and exercises. These reveal where you need to shore up processes and where you may need to add technology or external mitigation services to maintain or restore systems under attack.
It’s also important to know how serious your vendor partners are when it comes to security products and services. Oftentimes a security breach can occur because of a weak link among a company’s third-party vendors. For example, in the well-publicized data breach against retailer Target in December 2013, hackers gained access to Target’s systems via network credentials that were stolen from a third-party HVAC vendor.
Because this kind of weakness is common, service providers need to stay on top of the vendors they do business with and those they recommend to clients. This is especially true for cloud services, given the ongoing concerns among organizations about the security of data in the cloud. In addition to thoroughly vetting vendor partners, service providers need to write security assurances into their vendor contracts.
Also, be prepared to describe your information security program to prospective clients. Customers are going to want to know what types of security technologies and policies are in place, what sort of risk management program the company has, how it plans to respond to a DDoS or other type of attack, and what disaster recovery and business continuity plans have been deployed.
Security is a differentiator.
The actions a service provider takes to ensure strong security are not just important from the standpoint of protecting IT assets. They can actually serve as a competitive differentiator when companies are looking to choose their service provider partners.
Given the importance of applications and data to businesses today and the growing volume of threats, security preparedness has never been more important for service providers.
Get in touch with Insight at 1.800.INSIGHT to learn more about security. If you're still researching on your own, find answers to your pressing security questions and discover background information that will help you make a well-informed decision. Once you're ready, take the Forrester security assessment here.