5 Reasons You Shouldn't Trust Your Cyber Defense to Your IT Vendor or Service Provider
Let me preface this article by saying that I mean no disrespect to IT vendors or managed-service providers (MSPs). For many organizations, these firms are a huge help: they are economically feasible and they do help businesses figure out technical solutions to their problems. In addition to traditional IT services, many IT vendors or service providers provide basic security services as part of their normal engagement with customers. Many may even offer a separate, more comprehensive security offering for an increased cost.
But if you do use one of these services for your business, consider getting another set of eyes to examine your cyber defenses. Below are five reasons not to fully trust your cyber defenses to an IT vendor or MSP.
1. Tools are a double-edged sword
Behind every good cybersecurity defense is a toolset to make it happen: antivirus, data protection, email defense, backups and more. IT vendors and MSPs often use the same tools across many clients because it’s what they know and are used to. Unfortunately, if the tools they regularly use aren’t that great, then as a client of theirs, you suffer the consequences. This is especially true if you are purchasing licenses for these security tools directly from the IT vendor or MSP. If they stand to make money by selling you a product, then they aren't really putting your best interests first when selecting the best possible tool. Tools are also a double-edged sword because on one hand they are supposed to help your business, but on the other, relying solely on them for your defense would be a huge mistake. There is much more to a good cyber defense than simply installing some tools and hoping for the best.
2. Security can become an afterthought
I might be generalizing a bit with this one; however, in my opinion, IT vendors and MSPs tend to be focused mostly on technology stability, performance, ease of use and cost savings. Even though there is a place for all of those things, security becomes an afterthought or something to be “bolted on” later. In the current digital environment, security should be at the center of technology, with all of the above items built around it. Since general IT vendors and MSPs are not security consultants or dedicated security professionals, their mindset will never be equal to that of somebody who focuses solely on cyber defense.
3. They generally have a security "recipe"
The ultimate goal of any cybersecurity effort is to lower the risk of becoming a victim of a cyber attack. No amount of effort will ever reduce the risk to zero, but managing the risk and mitigating it where we can is definitely doable. In my experience, IT vendors and MSPs do not approach cyber defense from a risk perspective. They generally have a security “recipe” to provide you by way of the tools they deploy, as mentioned above. Install these tools and you’re now done with “doing security.” It doesn’t really work that way, unfortunately. Each business is different and often requires a custom effort to adequately address cyber risk. Worth mentioning in this category is the importance of reducing your risk to ransomware and destructive malware. Not all preventative tools and measures are created equally when dealing with these threats, so don’t cut corners and simply go with what your IT vendor has offered you.
4. Many lack the necessary experience
The truth is that attackers have gotten more sophisticated over the years, especially in areas such as phishing and business-email compromise. Nigerian prince scam emails that are easy to spot are not the only nefarious emails your business may encounter. Many IT vendors and MSPs simply lack the experience and expertise to adequately shore up a business's cyber defenses. It’s not that they aren’t good at what they do, or that they are lacking in other technology-delivery areas; it’s just that security is often not their focus or prime objective.
5. Everyone has bias
This is the old saying, “Don’t put all your eggs in one basket.” Of course, MSPs and vendors will tell you their security solutions are the best. Maybe they use “military-grade encryption” or “artificial intelligence,” or pepper their marketing material with “best in class” or other snazzy buzzwords. Okay, if that is the case, then it should pass a third-party review with flying colors. Everyone has bias (including me, of course), but gathering an independent second or third opinion is a prudent move given what is on the line if your cyber defenses fail.
There is definitely a place for MSPs and IT vendors in your overall technology strategy, especially if you don’t have a robust internal team to take care of tech problems for you. With or without an internal team, it’s always a wise decision to seek third-party counsel for a reality check and an independent peek at your cyber defenses.