Cybersecurity is a specialist discipline, and the number of specialists is far too low to serve every company in Germany. One alternative is to use a Managed Security Services (MSS) provider. Such providers can customize the necessary protective measures—provided that the customer has made the right preparations. What do company officers need to know about MSS?
The number of cybersecurity specialists is decidedly too small for the demand coming from medium-sized companies and major corporate groups. On top of that, medium-sized companies in particular are often unable to afford the specialist knowledge needed—to say nothing of the staff numbers needed for two-shift operation. A further factor is the difficulty of attracting talent to regions outside the urban centres, which is often where the headquarters of these hidden champions are to be found. And these companies, in particular, are regularly the targets of international data thieves.
For company managers, one alternative to an in-house team is Managed Security Services (MSS). These are cybersecurity-focused services provided by an outsourcing provider such as 8com, Atox, Axians IT-Security, Bechtle or Netfox. Services typically offered include management of (web application) firewalls and antivirus solutions, logfile analysis, searching for network vulnerabilities, patch management, disaster management and filtering e-mails for spam and phishing. For the services typically sought by SMEs, costs range from the low four-digit to the mid five-digit range. Naturally, though, there is no absolute upper limit.
A company’s own data protection requirements make a difference here: the lowest costs are incurred for services that the provider can deliver from a cloud data centre, thanks to economies of scale. For that to happen, though, all data traffic from the customer’s company network must be channelled to the cloud and examined there for anomalies. If the service provider instead procures all the protection components specifically for the customer and runs them on-site in the customer’s data centre, there are fewer data security concerns but considerably higher costs.
Depending on the protection required and the financing options, customers can combine the modules offered by the MSS provider. It is immaterial whether or not the provider is located on-site, since remote access is commonplace. But before booking the services, the company needs a fundamental understanding of what, and which data, actually needs protecting. And there’s only one way of achieving that: managers, IT specialists and representatives of the respective specialist departments need to get round a table together.
That’s the only way to learn which data is generated where within the company, and how critical that data is in each case for business operations. For example, the web server used solely for customer communications can get by with less protection than the fileserver used by the R&D department. However, this inventory cannot be a one-off exercise—after all, the storage locations of critical data can change depending on business requirements.
Even if it is an uncomfortable truth—in many cases, medium-sized companies can very likely protect their critical data better by hiring an MSS provider than by tackling this themselves and pitting themselves against highly specialised cyber-criminals.
Managed Security Services was part of the theme worlds Data Protection and Integrated Risk Management at the Command Control 2018.