“Because IT implements some security measures, it has led to the misconception that IT handles all aspects of cyber security. Many people think, ‘My IT person takes care of that,’ but that’s simply not the case,” stated Irwin.
He compared this misunderstanding to how tax accountants and lawyers specialize in different areas, noting that just as tax accountants don’t focus on estate planning, not all IT professionals are adept in cyber security. Specialization is crucial in these sectors.
According to Irwin, while Managed Service Providers (MSPs) excel in foundational cyber security tasks such as antivirus software, patching, firewalls, and network segmentation, they often lack depth in risk assessment and identifying critical assets. “When I inquire about risk assessments or identifying key assets, many MSPs respond with confusion,” he remarked.
Irwin emphasized that without a clear understanding of what needs protection, these providers struggle to allocate appropriate budgets for systems, controls, and processes. This often leads to insufficient security measures for their clients.
Identifying the Challenge
Sometimes, clients themselves do not prioritize cyber security, noted Fabri. Matt Tett, Managing Director of Enex TestLab, added that many small businesses lack the bandwidth to manage their own security and often defer to MSPs for this responsibility.
Businesses striving to meet governance, risk, and compliance requirements face significant challenges, including educating themselves on essential questions regarding data management. Tett advised that small to medium enterprises should inquire about who manages their data, where it is stored, and how it is protected. “The pillars of good security are confidentiality, integrity, and availability,” he stated. Understanding these areas is vital for service consumers to ensure they aren’t misled by sales rhetoric.
Shifting Responsibilities
End users must recognize their role in security as well. Tett explained that consumers often choose products based solely on price, risking inadequate services. “If you offer a lower-tier service, customers may prioritize saving money over adequate protection,” he said.
Tett drew a parallel to vehicle safety features, suggesting clients consider the implications of reduced safety measures on their overall security. “Customers must be made aware that security remains their responsibility,” he advised.
Finding the Right Partnership
Fabri indicated that not all MSPs have a comprehensive grasp of cyber security. Some charge clients excessively for frameworks like ISO 27001 without delivering adequate compliance. This has led to clients facing serious issues and ultimately needing better support.
Legal obligations concerning data protection exist; for instance, the Australian Privacy Principles dictate that organizations must securely dispose of personal data no longer in use, highlighting the importance of responsible data management.
The Need for Regulation
Fabri said that effective regulation is necessary for both MSPs and cyber security providers to increase accountability. He noted that while the industry lacks specific regulations, professionals in cyber security face stringent requirements.
Tett added that while regulation is vital, it should not be aimless. He emphasized the importance of clear, enforceable guidelines in understandable language. Effective legislation can lead to better protection and accountability.
Collaborative Cyber Security
Ultimately, total assurance in cyber security is unattainable. Tett argued that consumers must take charge of their security while recognizing the role of managed service providers. “Education and training are critical for effective security measures, as each player in this ecosystem has distinct responsibilities,” he explained.
Both Irwin and Tett stressed the necessity of MSPs recognizing the broader cyber landscape. They need to understand their limitations while ensuring clients appreciate that cyber security transcends regular IT practices, functioning as a fundamental layer across the entire technology spectrum.