Imagine you are at home, relaxing with your favorite beverage and watching the TV when suddenly, you hear a sound. An unwelcome guest is roaming your property while your security guard is asleep at his (or her) station.
You get your best tools (and people) out to get rid of the intruder and close your doors with a sigh of relief. However, now your biggest worry is this: an intruder gained access to your building because the security guard was negligent, which means it can happen again. Now you have more than one unwelcome guest: the security guard and the security threat.
Now apply this same scenario to the applications you are trying so hard to safeguard.
Did you know Sony Pictures’ 2014 hack cost the company $15m (£10.8m)?
Cyberattacks cost businesses around the world billions of dollars in lost revenue and in the resulting increase in IT spend, in a seemingly futile attempt to step up their security game. If it can happen to large, seemingly well-secured organizations, it can happen to literally anyone.
Not just your average hacker
While the image of a genius teen hacker who is dead set on showing big corporations their place is a popularly accepted one, in reality it isn’t just outsiders or unscrupulous hackers that an organization has to worry about. According to a report by FTI Consulting, 60 per cent of compliance staff would consider taking data belonging to their employer under certain circumstances. Earlier this year, an investigation by PwC also laid bare some harsh facts about senior managers getting involved in large-scale cyber attacks and hacking.
With all of these scary figures in context, you know that finding a cybersecurity firm to consult and help you secure your organization’s data and applications is beyond critical. However, we cannot sufficiently emphasize the importance of finding the right one.
Finding the right cybersecurity company
Before we go into the aspects to be aware of when selecting the right cybersecurity partner, let’s go back to a certain incident from earlier this year that shook up the world of cyber security a fair bit.
Tiversa, a cybersecurity company, had been faking hacks and fabricating data breaches in order to extort prospective clients and pressure them into buying its services. The most extreme instance was that of LabMD, which, over 6 years of being embroiled in a legal battle, went from a booming 4.6 million dollar business to shutting down shop completely.
While the example stated is an extreme one, doing your due diligence is critical. Below we list a few questions that you must consider, and specifically ask your prospective vendor, before you sign them on as a partner in one of your most demanding endeavors.
How well have they done so far?
When selecting a security company, first look at their past. How long have they been in business? What regional or international companies have they serviced? How happy are their customers with the firm’s stability and ability to do its job? What do you know of their integrity? The best indicator of future performance is past performance, which is why it’s so important to check and confirm references.
When evaluating a vendor, also take into consideration certifications, track record and, equally importantly, the credentials of its delivery team.
A few certifications to look out for would be:
- Certified Information Systems Security Professional (CISSP)
- ISC Certification
- GIAC Certified Intrusion Analyst (GCIA)
- SANS Certification
- EC-Council Certified Security Analyst (ECSAv4) certification from EC-Council University
- Certified Ethical Hacker (CEHv6) Ethical Hacking and Countermeasures certification from EC-Council University
No prizes for guessing, but WeSecureApp has them all!
Are they all about ‘ideas’ or do they also execute?
Delivering custom solutions requires both service capabilities and experience in various areas. Cyber security partners that are in high demand for all the right reasons do more than just advise and consult. They are actively involved in building shrewd solutions that will not just barricade you against cyber attacks, but also greatly simplify your security processes.
Are they providing you proof of vulnerabilities or attacks?
Going back to the Tiversa catastrophe, one thing is absolutely certain: any cyber security firm that offers to clean up your security messes should be able to provide solid proof of any security breaches or attacks it says are happening. Not only will it take the word ‘breach’ seriously, but it will display integrity by providing you with evidence of the breach in question.
Do they fit your organization’s unique needs?
We have already discussed integrity, reputation and expertise, and it goes without saying that firms not meeting these prerequisites should be flat out rejected without a second thought. But if they do meet the above criteria, there is yet another aspect to consider: do they meet the unique and exclusive needs of your organization, whether related to the web, cloud, mobile, WordPress, Magento and so on?
Do they make the effort to educate your team?
Cybersecurity is not a one-man show, and it is most definitely not a one-vendor show either. Your team, which includes the entire staff, right from the compliance and security team all the way up to management, requires training in order to improve their approach and further their awareness of cyber security. Even hours of technical consulting from an accomplished security provider won’t deliver much ROI or impact if the provider isn’t able to educate your internal team.
Choosing a cyber security vendor may be one of the most significant business decisions you will make for the future of your business. So, ensure that you invest the right amount of time and research before you sign that contract.