The bane of an IT decision makers’ (and by extension those above them) existence is the need to balance convenience versus risk.

If you’re on the Internet, you’re susceptible to attack.  If you have incoming and outgoing email, and humans using it, they are prone to mistakes.  Opening the wrong attachment or following the wrong link, or being coerced into divulging information through electronic means.  You want employees to be happy and loyal to the interests of the company, so you allow them access to Facebook.  You put a policy in place to say when they can do it, or you consider disallowing it if it becomes a problem.

But how do you quantify acceptable risk when it comes to deciding where this line should be drawn?  In other words, how much risk is acceptable?

A strong case can be made for the argument that if you’re struggling to answer this in a cut and dried manner, conservative business wins the day.  Initial outlay for a well-planned, well-managed solution is nothing by comparison to the costs of not doing so and operating your business from a Disaster Recovery site or service.  If you think it’s not financially convenient to have one of those either, then read on.

Intel Security’s Tackling Attack Detection and Incident Response report, which surveyed IT Security Consultants, found that respondents investigated more than 1.5 incidents per week on average last year.  Aside from “poor integration between security components”, the group results provided startling food for thought.

28% of incidents required external forensic security investigators. Only qualified security consultants have the skills of security analysts, detailed information about IT assets and advanced security analytics knowledge that many companies still have yet to master.  And this is only in the ‘how’ and ‘what’ stage of damage control.

Causes of these attacks were back-tracked to the following roots:

38% users lack knowledge about cybersecurity risks

32% modern malware increasingly difficult to detect

30% increased use of social networking

29% sophisticated social engineering attacks

Assuming your IT Manager or CIO has better things to do with their time than play with firewall policies down to the application layer, outsourcing firewall management can provide real benefit to an organization who doesn’t have a full time security department. Outsourcing is much more cost effective than paying for that talent (if you can find such talent in the first place).  The keys to security outsourcing are that first and foremost it must have full visibility of the managed components.  If you put your full trust in an organisation and they don’t let you see what’s happening, you are at their mercy for detection, escalations and notification processes.  Several points of failure when your business and its reputation is at stake.

The other key is flexibility.  There are many configurations of IT departments, some with in-house skilled operators and some without.  A one-size-fits-all approach to security benefits few.  You may have the skills to submit a full-spec policy document, or you may require some guidance by the supplier.  They must cater for any knowledge level or no knowledge at all to be effective.  The end result comes back to a tailored solution that fits the requirements of the organisation, and of course must be first understood and qualified properly by the outsourcer.

A top-notch organization can help you place the line between convenience and risk, and keep you from accidentally tripping over it.  Ask us how.