How are small and medium-sized Canadian businesses coping with the demands of today's cybersecurity landscape?
In our recently published CIRA Cybersecurity Survey, we made a conscious effort to focus on smaller businesses in Canada (up to 500 desktops). While the quality of cybersecurity data in Canada is slowly getting better, large enterprises tend to be overrepresented.
Large enterprises have the resources that give them a variety of cybersecurity options, but when it comes to smaller organizations, some tough choices often need to be made. One of the key takeaways from our survey was the degree to which smaller businesses are outsourcing their cybersecurity needs. This makes sense since a recent report by Deloitte identified a shortage of skilled cybersecurity professionals in Canada.
For managed service providers (MSPs), this is good news and it reflects a trend we saw this summer at a major industry conference. If you aren't familiar, MSPs and their cousins, managed security service providers (MSSPs), are a broad category of organizations supplying IT services ranging from individual desktop support for local businesses to staffing to more integrated and complex IT offerings. This entire segment is in the process of transforming in response to cloud (and hybrid cloud) computing to become a much closer business partner/integrator for the businesses they serve.
In reality, I have never heard a local business owner say, “I really need to call my guy at the MSP” because this isn't the language they speak. Local MSPs act as a bridge for non-technical people to get the services they need without having to understand the complexity of the solution or the delivery. This puts MSPs in a position of trust for thousands of small businesses, and makes them ideal partners to help Canada improve its cybersecurity readiness.
Outsourcing to cope with threats
In our survey, 34 per cent of respondents indicated that they outsource all or most of their cybersecurity to suppliers. The question is: how many of these businesses think their service includes cybersecurity protection when all they are paying for is the basic service? Should they expect that? Much like when you set up your aunt's iPad for her, when something goes wrong, even if it wasn't in your contract as head of family IT, it's now your problem. How many MSPs have customers that will bring a complex security problem to them even when they are paying the bare minimum? Maybe it's time that cybersecurity became the new base package.
The situation gets even more complicated when you discover (as our survey did) that only 52 per cent of small and medium-sized businesses provide basic cybersecurity training, and that 40 per cent have reported a cyber-attack in the last 12 months.
How do you resource your cybersecurity?
- 34% External suppliers/vendors - all or mostly outsourced
- 27% Internal resources - all or mostly insourced
- 33% Both equally
- 3% Neither - no resources devoted to cybersecurity
- 3% Don't know
The reliance on outside vendors is further underscored by the fact that 34 per cent of the surveyed businesses have no employees whose primary responsibility is cybersecurity. This presents an interesting opportunity for MSPs to provide both basic cybersecurity education and that can be managed cost-effectively and in a way that customers can understand.
The opportunity for MSPs is to package several commonly understood forms of security with some cloud-based security and training into a simple level of service for small businesses. This solution would include basic layers of endpoint, network, training and cloud security in a package that combines services from multiple different suppliers to provide a true defence-in-depth strategy.
Think of it as an MSSP-lite package; it could be structured a couple of ways:
- As an up-sell that provides layered security, basic reporting and training.
- As core infrastructure where those providing services simply include things like cloud-based DNS firewalls, traditional endpoint, and network services as part of their basic hourly rate.
The data shows that the threats are real and highlights the fact that no business, no matter how small, is immune from cybercrime. The opportunity for MSPs is to position their offerings as a way to ease the minds of technology-weary small business owners. As the cost of hiring cybersecurity experts internally continues to grow, the value of being a trusted technology partner grows with it.