Managed Services and Cybersecurity:
the winning combination

Zero-day, vishing, zero-click attacks, cryptolockers, ransomware: are you familiar with these words? They represent the most common threats of 2020-2021.

Keeping up with threats and with evolving cybersecurity technologies while maintaining a solid and secure infrastructure is a major challenge for all companies today. A solution exists and is now a strong trend: outsourcing to an MSP (Managed Services Provider).

Skills that are difficult to find, maintain and exercise internally

Ensuring the proper level of security for one’s IT infrastructure is today a time-consuming, costly and risky mission with an ever-changing level of complexity. Moreover, the size of the company is a critical element in the adoption of an Information Systems Security Policy. In its latest report, the Senate reveals that 79% of SMEs feel little or no concern about attacks. And yet, SMEs can become attack vectors for cybercriminals targeting SMEs and large companies. In addition, 10,000 companies sought help from Cybermalveillance.gouv.fr in 2020, revealing an explosion of attacks in 1 year (+255%) according to the ANSSI. In its study, the Paris Chamber of Commerce and Industry also reveals that 80% of companies with a CISO detected an attack in 2020. In this same study, 60% of companies that have suffered an attack go bankrupt within 6 months, all sizes included. Indeed, the increasing use of cloud applications, telecommuting and shadow IT has multiplied the risks in the face of an international, structured, sophisticated and innovative cybercriminal ecosystem.

It has therefore become impossible for CIOs who lack the internal resources needed to protect themselves effectively against cyber threats to guarantee the security of their IT infrastructures for their business and partners. In this context, using a Managed Services Provider (MSP) gives you an expert who is constantly on the lookout for threats and market solutions, thanks to 24/7 monitoring and effective governance. It also allows you to regain a high level of proactivity as well as a capacity to act in the face of threats.

A growing cyber threat

21 days is the average time it takes a French company to respond to a cyber attack, according to Deep Instinct, the publisher of a deep learning framework designed for cybersecurity. Companies do not always have the human and financial resources to proactively respond to new threats.

Methods, technologies and typologies of attacks are changing more and more rapidly today, particularly because of the support of certain states. Cybercriminal groups have access to more and more resources, so much so that we are now talking about cyberwarfare. The heavy investment required to keep IT teams’ cybersecurity skills up to date weakens cybersecurity management policies and often renders them inoperative; these policies inevitably fail for companies that do not have the appropriate firepower.

Between labour shortage and extreme competition

81% of cybersecurity employees say they were approached directly by other companies while on the job, according to ANSSI in its cybersecurity market observatory. This extreme tension can be explained in part by the lack of manpower, but also by wage differentials that can be as much as double depending on the size of the company. Add to this the fact that 45% of employees have less than 5 years of experience, and we can already see how difficult it is for companies to have the internal resources needed to protect themselves effectively against threats. Companies and solution providers are waging a real war for talent, in particular for consultant engineers and security architects. As proof, the graph below illustrates how heavily cybersecurity profiles are solicited by recruiters, from once to several times a day.

Figure 15

HR functions are often poorly informed

Between imprecise offers and uncertain profiles, recruitment errors are becoming more and more common. According to the Information Systems Security Association (ISSA) and the Enterprise Strategy Group (ESG) report, more than 29% of employees surveyed felt that their HR department did not understand the skills needed to do the job. This vague understanding of profiles and issues can be explained by an underestimation of the criticality of cybersecurity posts on the part of directors. Like IT teams in general, teams dedicated to cybersecurity are still perceived as a cost center, and the perception of risks and challenges remains too disconnected from reality.

Adeline Lamy, HR manager at e-Qual, also points out the essential collaboration of top executives in the IT and cybersecurity teams. “We are a support function, our role is to provide our expertise on the candidate’s soft skills and to make an initial detection of profiles, but digging into the technical part is necessarily the responsibility of the IT department teams. This is our strength at e-Qual since Ronan de Kermadec (Director of Operations and member of the executive committee) is involved in each recruitment. In addition, we have instituted regular training cycles to keep up to date the knowledge and skills required to manage all the tools implemented at our customers’ sites.”

Acquiring and retaining the right talent therefore requires a company structure that makes this possible. And this is where the problem lies today. The capacity of IT departments to support HR functions in the detection of relevant profiles is still insufficient, not to mention the fact that cross-functional working in recruitment policies is still underdeveloped in many companies. This is a major challenge that HR departments are trying to address by setting up specialized divisions.

This structural vulnerability is a real boon for hackers, who can take advantage of unaddressed issues such as software flaws that have been reported but not handled internally due to a lack of competent personnel. Indeed, we are seeing a very strong increase in cyber attacks in France. Here again, using an MSP can provide a significant advantage. Understanding the cybersecurity ecosystem within a company, having a clear view of the interactions between the various collaborators and knowing the areas of expertise required to perform these functions effectively is the essence of the MSP. To do this, an MSP can rely on the ANSSI technical reference framework but must also monitor the market to have a precise mapping of the job market. This is in fact a differentiating point in choosing the right partner.

Delegate to better govern

Free your teams from time-consuming tasks

The increase in the number of attacks has led to an increase in the number of detection methods, resulting in unwanted alerts. And the larger the company, the worse this situation becomes. According to a Trend Micro study published in May 2021, which surveyed 2,303 decision makers in cybersecurity departments at companies with at least 250 employees, 51% of dedicated cybersecurity teams say they are overwhelmed by the volume of alerts. Sifting the wheat from the chaff is therefore tedious and time-consuming, and it causes a critical level of stress due to the high risk of missing a real attack. According to another study by Vanson Bourne, a research institute specialized in IT, 88% of 800 IT security managers located in the United States and Great Britain experience significant stress.

Between the permanent cybercriminal threat, the insufficient mastery of SaaS solutions and of stacked, complex internal tools (XDR, SOC, SIEM), not to mention the lack of internal skills, IT teams are no longer able to assume their core security functions, nor their role as contributors to business value. Guaranteeing a reliable, secure and efficient IT infrastructure for business applications, so that the company can produce calmly and efficiently, is the number one priority of an ISD (Information Systems Department). Regaining control of this core function is the very purpose of the managed service. A managed service can be implemented at several levels, depending on the internal constraints that require offloading all or part of the execution. This can range from the delegation of tasks with little added value (non-stop monitoring, first analysis of alerts and their criticality, first responses to incidents…) to complete delegation (processing of alerts, “remediation”, crisis management, post-mortem analysis, also called forensics).

Using managed services to manage cybersecurity is part of a major trend, as evidenced by the emergence of SOC-as-a-Service among many cybersecurity solution providers.

Controlling the externalities related to the integration of an innovative cybersecurity solution

Implementing innovative cybersecurity solutions, whether EPP or XDR, requires knowledge of their functionalities as well as their integration and deployment methods. An uncontrolled integration carried out urgently in response to a supposedly imminent threat will often result in undesirable effects, due to misjudgment of the solution’s performance, misconfiguration or lack of knowledge of how the solution works.

To implement, with confidence, effective solutions adapted to the security constraints of your activity, it is essential to follow these steps:

  • Conduct an audit of your infrastructure to understand the scope concerned
  • Have a precise description of application access requirements (people/machines involved, access level, authorized entry points, etc.)
  • Define your attack surface
  • Carry out a proof of concept (POC) of the solution to test the functionalities thoroughly
  • Conduct a feasibility study based on the capacity of your teams to manage the new tools (available resources, training needs, etc.).

Using an MSP allows you to delegate these complex and sensitive issues to the right trusted third party. Indeed, a reliable MSP will have already tested the solution and will therefore have a real mastery of it (necessary configuration, installation time, functionality levels…). In addition, you will not have to manage licensing systems, which are often a source of error in the operational maintenance of these solutions. Your responsibility lies in choosing the best partner to get the best operational and financial benefits from this collaboration.

Transfer part of your responsibility

Any failure to put in place measures and tools to prevent the theft of personal data is punishable under the GDPR. And the penalties can be severe, since they may include financial consequences and an impact on the company’s reputation. The most striking French example is obviously the €250,000 fine imposed on Spartoo for failure to comply with the rules of the GDPR, particularly those concerning data protection. We can also note the Marriott hotel group and the company British Airways, fined £18 million and £20 million respectively by the ICO (Information Commissioner’s Office).

Although these heavy fines are exceptional, the proliferation of data protection laws and of legal actions at the international level significantly increases the financial impact of such negligence.

Beyond the protection of personal data, it is also necessary to take into account an issue of crucial importance: the protection of the data managed by your company, whether it belongs to you or to your customers.

Consequences in terms of competitiveness are not to be taken lightly.

For most companies, assuming responsibility for the theft of know-how, image damage, operating losses, material or immaterial damage within the company or at customers’ premises, or the financial impact of data reconstruction or even payment of ransoms, is often unthinkable.

Another reason for the explosion in the number of cyber attacks in 2020 and 2021 is that companies have not taken the human aspect of cybersecurity into account enough. To establish a clear security policy that can be understood by all employees, it is essential that it includes the following:

  • Segment the infrastructure to avoid or limit lateral attacks
  • Do not communicate passwords in clear text
  • Do not discuss sensitive issues in a public and open space
  • Apply a privacy filter on screens that require it (laptops for example)
  • Do not connect to an unsecured network
  • Classify data

It is therefore a major task to follow all the directives and guidelines of the ANSSI, a task that too few companies can effectively implement today.

Using a managed service is therefore a way to better control this responsibility.

The MSP’s obligations to its clients

To be able to manage the cybersecurity of its customers, an MSP must:

  • Have specific insurance
  • Provide evidence of a mature Information Systems Security Policy (ISSP)
  • Clearly set out the transfer of responsibility in the contract
  • Meet its obligations as a knowledgeable party

Failure of the MSP on any of the above points can have dramatic consequences for both parties. Indeed, evaluating the financial impact of damage to its image is an almost impossible exercise for any company whose core business this is not. Conversely, assuming the cost of an industrial customer’s business interruption can be insurmountable for most MSPs.

It is therefore essential that the “cybersecurity” insurance contract be well defined in terms of the amounts guaranteed, the responsibilities that may be incurred, the type of damage covered (material/immaterial and direct/indirect) and the scope of the MSP’s actions (crisis management/recovery and reconstruction of data/physical and/or immaterial repairs, etc.).

However, it is important to keep in mind that using an MSP with cybersecurity insurance does not relieve the client of all responsibility. Indeed, the MSP’s insurance will only cover incidents resulting from a breach of its contractually determined scope of responsibility, for example an incident due to a technical problem caused by poor management of the client’s infrastructure or by human error. If the incident results from a fault of the customer, the customer can be held liable, in particular when the customer’s insurance does not cover the foreseen risks, or when the customer did not take into account the recommendations of the MSP.

Doing this exercise also allows the client to verify the credibility of the partner.

Analyzing the insured amounts is worthwhile, but you must also compare the clauses of your insurance contract and check whether the following are covered:

  • Civil liability
  • Crisis management
  • Fines and penalties
  • Human errors
  • Operating loss
  • Cyber extortion
  • Fraud
  • Intellectual Property / Personal Life

In conclusion, the shortage of manpower combined with a permanent cyber threat weighs on the productivity of companies and may threaten their survival, especially since insurance companies are not yet ready to guarantee compensation in case of an attack. SOC-as-a-Service or the use of an MSP are proven solutions that are increasingly popular. The question remains how to choose the right provider, which is not an easy task.

Fortunately, there are more and more guides from official organizations, such as the ANSSI, as well as various initiatives such as cybermalveillance.gouv.fr that list reliable field providers. e-Qual is proud to be part of such initiatives and to be referenced by the ANSSI. In a future article, we will come back to the keys to choosing your provider.
