How much risk do you want to keep in-house?
Not so long ago, as outsourcing, co-location facilities and cloud services began to take hold, risk managers and information security personnel scrambled to manage vendor cyber-security risks.
Everyone was afraid of what could happen to company data or operations in the hands of a third-party provider. Today, however, these vendors seem like a safe haven compared to the risks and costs associated with running an in-house data center and cyber-security program.
Attacks no longer require someone to click on a link or open an attachment. In the past year, large global companies have been hit by malware that exploited out-of-support equipment and unpatched software and crippled operations for weeks. Maersk, Merck and Federal Express were three of the most visible companies hit. Maersk’s chairman, Jim Hagemann Snabe, told World Economic Forum leaders that the company had to reinstall its “entire infrastructure,” consisting of 4,000 servers, 45,000 workstations and 2,500 applications. Business interruption losses at the companies ranged from $300 million to $670 million each.
In this environment, companies that have been scrimping on IT budgets and stalling on replacing legacy apps are now in the bull’s-eye. Why? Because hardware companies continually patch vulnerabilities and update their products and they eventually stop supporting older equipment. Even though the older servers may still run just fine, their known vulnerabilities can be exploited by criminals. Out-of-support software can be just as bad. CFOs know how expensive it can be to move to a new enterprise application, and business units are famous for refusing to give up favored legacy apps. These apps usually run on older versions of operating systems. Thus, companies end up with Windows XP or other out-of-support operating platforms that enable these legacy apps to be operational, but they bring risk to the organization in the process. The WannaCry malware that infected 230,000 computers in more than 150 countries exploited unpatched Windows systems, many of which were out-of-support.
Maintaining a cyber-security program requires a team of personnel with appropriate education, certifications and experience. Some companies have pinched pennies on security staff, and others simply cannot find suitable candidates to hire in this tight job market. Security architects and network engineers play an important in-house role in designing the system architecture and determining configuration settings and security controls that help protect the system and data. Without an adequately staffed team of IT and security personnel, critical activities either do not get completed on time or they are not performed at all. This includes patching of software, particularly non-Windows software, because these patches have to be specially applied outside of the regular Windows “push patch” cycle. Since patches fix vulnerabilities, every instance of unpatched software creates an opportunity for exploitation.
Security programs also require a suite of security tools, which often demand training and expertise to deploy and use them. When security tools are installed but the staff does not know how to use them, the license fees are wasted, and the ability to identify risks or attacks decreases. Logging, incident response, and backup and recovery are also commonly given less than full attention when resources are thin. The consequences can be particularly painful when an attack hits. Without logs, in many instances it is difficult to conduct an adequate forensic investigation. Tested backup and recovery plans are critical, particularly in attacks of ransomware that encrypt a company’s data or malware that zeroes out servers and computers.
Farm It Out
Handing off an organization’s hardware, software, network and staffing issues to a vendor is an increasingly attractive option. Major vendors today have sophisticated system architectures, hardware that is within vendor support, strong controls, a full security program, and highly experienced IT and security personnel. In addition, they generally have excellent physical security, good surveillance and monitoring systems, more-than-adequate HVAC systems, back-up generators and resilience in connectivity. Many cloud providers also offer a suite of services and tools to assist with incident response, logging, backup and recovery on the client side.
The trust a company places in a vendor hinges on the vendor’s reputation for protecting the client’s systems and data. Therefore, these service organizations devote considerable attention to securing their network, applications, data, people and processes. Most vendors have an annual security audit performed in line with standards from the American Institute of CPAs, which produces what is known as a SOC-2 report. According to the AICPA, “These reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”
Companies do not have to farm out all operations to vendors, however, as they may choose to keep their data centers and outsource just the security activities. Many companies that have their own data centers are looking to managed-security service providers to take on some of the load of the security program. These providers are capable of taking over most of the activities of an enterprise cyber-security program, enabling companies that choose to keep their IT operations to have robust security capabilities performed and maintained by a third party. These services are particularly attractive to small and midsize companies that use technology extensively and need to protect their data and systems but find it financially prohibitive to develop and maintain a strong enterprise security program.
Cloud offerings, such as Microsoft’s Office 365 and Azure environments, are enabling companies to free themselves from maintaining a data center. Software as a service (SaaS) and outsourced enterprise application providers are freeing organizations from patching and application maintenance.
Antares Capital—one of my clients—is an example of an organization that chose to move in a futuristic direction (in this case, after it was spun off by GE). Instead of taking legacy apps and aging equipment with it, its chief information officer, Mary Cecola, chose to stand up entirely new IT operations by leveraging the Microsoft Azure and Office 365 environments and utilizing enterprise applications that are SaaS or vendor hosted.
The organization now has all thin clients (monitors and keyboards without hard drives or memory) and a few closets with routers. All other infrastructure and equipment are owned by Microsoft and are in the Azure environment. Antares is able to properly manage operations with a smaller IT and security staff. The security team has established a security operations center that monitors system activity and interfaces with the vendors.
“We are sharing risk with our vendors, saving financial resources and better managing the risk of attack,” Cecola notes. “We hired excellent personnel with expertise in cloud and vendor environments and IT and security management and are now able to devote resources to the specific IT and security needs of the business while leaving a lot of the nitty-gritty technical activities and issues to the vendors. We developed an incident response plan and recovery strategy that dovetails with our vendors and leverages their capabilities. While my peers still struggle with many of the issues of in-house shops, going with the Azure cloud and SaaS providers was probably the best decision of my career.”
“We are sharing risk with our vendors, saving financial resources and better managing the risk of attack.”Mary Cecola, CIO, Antares Capital
Agents and brokers will serve their clients well if they help them examine the risks associated with their IT operations and discuss risk-transfer options, including the use of third-party providers.