How SMEs can select the right cybersecurity partner

By Pete Bowers, COO, NormCyber

Many small and medium-sized enterprises today may understandably feel like they’ve drawn the short straw when it comes to cybersecurity provision. Requiring enterprise-grade protection but lacking the resources – be that time, money, labour or in-house expertise – to make it a reality, these organisations often turn to managed service providers (MSPs), only to be left wanting more bang for their buck.

SMEs are now rightfully asking: is there a middle ground, where the budget, the need and cybersecurity provisions can all align?

To make their cybersecurity investments go further, SMEs need to rethink how they select their cybersecurity partners. Rather than following the crowd, they must start by evaluating their own needs first.

Drawing the short straw

SMEs feel the pressure to excel and grow, but they can feel frustrated by the lack of change when bringing an MSP on board. Their frustrations mainly stem from MSPs’ predisposition to ‘mark their own homework’ and stick to generalist areas of expertise, rather than offering a more comprehensive cybersecurity setup. MSPs tend to apply a conventional IT-based approach to business matters, focusing on migrating systems to the cloud and maintaining the status quo.

This lack of thinking outside the box isn’t going unnoticed by SMEs, who are demanding comprehensive security features, nor is it going unnoticed by the cyber criminals who are exploiting zero-day vulnerabilities and social engineering attacks with more sophistication than ever before. Nothing pleases them more than a sense of complacency, where businesses change little about their cybersecurity posture.

SMEs must focus on their PPTs

In order to stay cyber resilient, SMEs must look beyond IT efficacy and apply joined-up thinking across three equally important areas: people, processes and technology (PPT). These three pillars are a fundamental part of a business’ cybersecurity posture, and will help SMEs work out what they need from a partner in the first place.

Perhaps staff lack the awareness to spot social engineering, or maybe the business is not up to date with data compliance standards, leaving it open to hefty fines by regulators in the event of a data breach. Or perhaps the business just hasn’t got the funds to invest in the technology to track threats and repel them properly. Once an SME knows its limitations and the issues at play internally, it can start to look for the right kind of help externally.

MSSPs as an alternative for SMEs

In contrast to typical MSPs, Managed Security Services Providers (MSSPs) are highly specialised to address the PPT trifecta.

Crucially, MSSPs have one key objective: to continually protect their customers and, if the inevitable happens, respond rapidly to ensure any impact is minimised. This can only be achieved by employing specialised individuals who have the appropriate experience in knowing what to look for, have exposure to global threat intelligence, and do the same day in, day out, 24/7, 365 days per year.

Beyond offering a range of cybersecurity services such as Security Operations Centre (SOC) services, phishing awareness training and penetration testing, modern MSSPs also provide access to data protection lawyers who can help organisations put in place the right policies and procedures to deal with the fallout from a potential attack. This capability will be invaluable as the UK charts a new course in GDPR legislation, and particularly as SMEs scale.

MSSPs provide this breadth and depth of cybersecurity and data protection skills and expertise at a time when SMEs feel overstretched and even desensitised to the cyber threat landscape. In fact, the Government’s new Cyber Security Breaches Survey shows the share of micro-businesses saying cybersecurity is a high priority fell from 80 percent in 2022 to 68 percent this year, and a lack of improvement in cyber resilience across the board is likely due to “senior managers in smaller organisations viewing cybersecurity as less of a priority in the current economic climate”.

SMEs finally get bang for their buck

SMEs need to take a proactive approach to selecting the right cybersecurity partner that meets their unique requirements. A solid understanding of their PPT criteria is a great starting point, which will give them a clearer sense of which partners to seek. Only this way can SMEs ensure that their cybersecurity investments go further and that their business is well-protected against emerging cyber threats.