Security

How Small Businesses Can Stay Safe with Security as a Service

Security as a Service includes a range of options for protecting environments, from the comprehensive to the specific.

Doug Bonderud is an award-winning writer capable of bridging the gap between complex and conversational across technology, innovation and the human condition.

According to Microsoft, two years’ worth of digital transformation happened in just two months during the early days of the pandemic. The shift shows no signs of slowing: 97 percent of executives say the speed of their digital transformation has increased, and 79 percent say they’ve boosted budgets for transformation efforts.

And it’s not just enterprises — recent research from Flexera found that 53 percent of small and midsized businesses are spending an average of more than $1.2 million on cloud services each year. Increased adoption of and demand for cloud services, however, have created new concerns, as many organizations prioritized speed of deployment and ease of use over security.

To help protect cloud-based environments, small businesses need cloud-based solutions. This is the role of Security as a Service, which outsources security management to a third-party provider.

Merely making the shift to Security as a Service, however, doesn’t mean organizations are getting all they can out of it. Here’s how SMBs can effectively leverage service-driven security to improve overall protection.

Find out how nonprofits protect donor data in the cloud.

Here's how managed detection and response can enhance protection efforts

What Is Security as a Service?

Security as a Service is a cloud-based way to receive security services from a third-party provider or providers. According to security solutions provider Forcepoint, it’s an umbrella term that includes any number of services, including:

To find the right Security as a Service provider, businesses first must determine which services they would most benefit from. For example, says Rob Clyde, a board leadership fellow with the National Association of Corporate Directors, “are you doing complete outsourcing, or are you primarily looking for a service that will help you detect and respond?”

A comprehensive outsourcing might be a viable option for businesses that feel overwhelmed by the level of sophistication that modern threats represent, preferring to turn over their security operation to a third-party expert. In those cases, Clyde notes, businesses should be prepared to provide the partner with “a lot more access to various tools inside your environment” — meaning it’s vital that businesses find a partner they trust.

Other organizations may prefer a more pointed approach, accessing services to help fill a specific need. “This is where you have various tools connected up, while Security as a Service provides the monitoring and helps deal with any attacks that occur,” Clyde says.

The best place to start may be with a security assessment, such as a penetration test.

Click the banner below to explore a range of security services for small businesses.

What to Ask Potential Security Partners

If a provider seems like it could be a good fit for a partnership, the next step is asking the right questions.

“You’ll want to make sure the provider has taken the right care, especially on their back end, to protect data traffic,” says Clyde. “If you’re considering Security as a Service, you’re looking at outsourced security. The connections to your environment have one point of failure: your network. You need a vendor you can trust.”

He recommends asking potential partners questions such as:

What is your experience with penetration testing?
Can you provide a report from the penetration test you performed (with client identifiers redacted)?
What experience does your team have in securing small-business environments?
How many customers do you have whose businesses are similar to mine?
What certifications do your staff members hold?

Clyde also notes that no matter how good their answers are, businesses should be leery of providers that have limited experience offering Security as a Service solutions at scale.

PROTECT YOUR GADGETS: Learn to secure your Internet of Things devices.

How Do SMBs Hold Providers Accountable?

Provider promises only matter if they can be kept — and Security as a Service providers are only as good as their ability to adapt as security conditions change.

The first key to holding partners accountable is to ensure that well-crafted service-level agreements are in place.

“You need to look at the SLAs,” Clyde says. “You want tight SLAs. You want to make sure they meet your particular needs.”

These agreements should include details about recovery time and recovery point objectives, which are critical metrics for getting back up and running quickly after an incident, along with specifics about what happens if the Security as a Service provider can’t meet these targets. The ideal partner isn’t one adhering to the letter of your SLA after an attack, Clyde argues, but rather the one reaching out to help the business proactively mitigate the attack’s impacts.

Clyde also highlights the need for providers to be future-ready. “You have to look at the threat of things like quantum computing,” he says. “You have to consider Q-Day, which is when public key encryption will be broken by quantum computers. Think of it like the old Y2K days, only this time it’s Y2Q. SMBs need Security as a Service providers that are thinking about these challenges and how to handle them.”

Bookmark this page for more stories during National Cybersecurity Awareness Month.

FG Trade/Getty Images