Are MSSPs a Good Security Solution for Small Businesses?

Alex Jablokow | December 06 2017 | security


An increasingly popular alternative is hiring a managed security service provider (MSSP). What is it and how can it help keep your business secure?

Small to medium-sized businesses (SMBs) suffer from an increasing number of security breaches. They don’t make the news the way large ones like the recent Equifax breach do, but they are a significant business risk.

The Problem of Recruiting Security Staff

Security is increasingly a significant part of a company’s budget. Large companies spend up to nine percent of their overall IT budget on security, and this number is likely to continue to increase.

According to CyberSeek, in 2017 there are 780,000 people employed in cybersecurity positions in the US, with 350,000 positions unfilled. The number of empty positions is expected to grow significantly in the coming years. Further statistics on cybersecurity employment shortfalls can be found at CSO Online.

SMBs must compete with large deep-pocketed companies for this pool of talent.

The MSSP Option

An increasingly popular alternative is hiring a managed security service provider (MSSP). Some companies try to extend their contract with the managed services provider (MSP) that already manages their desktop, antivirus software, backups, and other routine operations. But security encompasses a variety of specialties not generally found on the staff of an MSP.

MSSPs do two core things:

• Monitor, manage, and mitigate security events
• Manage devices

Under these simple headings are a wide range of services, including protecting against malware, responding to incidents, controlling the risks that come with bring your own device (BYOD), scanning for vulnerabilities, and mitigating distributed denial of service (DDoS) attacks.

Issues in Choosing an MSSP

Companies have long outsourced functions that are not part of their core business. But a key core competency still has to be understanding and making good decisions about things that affect that business. Even if you don’t provide your own security services, you have to understand the business implications. Not knowing the essentials before considering MSSP offerings can lead to inadequate coverage, excess costs, and reportable breaches.

Various industries, such as healthcare, retail, or ecommerce, have their own specific security issues, and benefit from an MSSP that has deep experience in their area. The solution must fit with your business model. And the MSSP must be familiar with the jargon and acronyms specific to that industry when communicating with your own users.

Other Things an MSSP Can Bring to the Table

Many companies must be able to demonstrate a robust monitoring and response capability to regulators. SMBs may not have the requirement themselves, but they often work with or supply larger companies that do, and must demonstrate that same capability.

A good MSSP that operates in your industry should have a sense of what the current security issues are, and be ahead of events. If another client has been affected by a new vulnerability, they can notify their other clients of this new problem before it affects them too. 

How to Make a Choice

Sit down, work out your requirements, and make them clear enough that you can tell if a vendor meets each one. This is a useful exercise in any event—how well do you understand what constitutes adequate computer security for your business?

On the other side, this will keep your understanding of your needs to a realistic level. Don’t pay for a level of service far beyond what is required. It can be hard for a vendor to refuse to provide you with services they know you won’t use. They need to meet payroll too.

Your Responsibilities

It’s standard business jargon to call a relationship with a vendor a “partnership”—but with an MSSP, it’s actually true. The MSSP must always be in the loop on any changes, on either the technical or business sides, that may affect their operations. The relationship is never "set and forget".

Your own employees must continue to be educated on security issues. Many data breaches are the result of employees’ opening phishing emails, malicious employee behavior, or lost or stolen equipment. There is only so much an MSSP can do to mitigate the consequences of those.

All relationships have their bumps, and this one is particularly intimate. Have a dispute resolution process in place in case of disagreement.

Get Full Value From Your Investment

If this security benefits your customers, be ready to let them know about it. Many organizations provide value that they don’t let others know about, and IT security may seem resolutely unsexy...but it is increasingly important as a differentiator, particularly in the wake of any high-profile data breach.

Topics: security


Alex Jablokow is a freelance writer who specializes in technical and healthcare business. He blogs about the Internet of Things, software, inertial guidance systems, and other topics for business clients. Sturdy Words, his freelance content business, is at www.sturdywords.com.
