BY Adam Oxford Wednesday, November 27, 2019Features»Industry

Heightened security

By Adam Oxford
27 Nov 2019
Elaine Wang, Rectron (Photography: Karolina Komendera)

How should managed service providers be selling security?

 

Words with Friends, DoorDash, Liberty Life, Marriott Hotels…the list of major companies and popular apps that have lost large volumes of sensitive customer information due to a data breach gets longer almost every day. And they’re just the ones that we get to hear about.

The one good thing that seems to be happening is that organisations are at least aware that their IT systems are at risk, and slowly but surely, the knowledge that the old ways of securing networks and applications are no longer enough is sinking in. According to Prime Indexes, the market for cyber security solutions has grown thirtyfold in 13 years, and growth is vastly outpacing that in general IT spending.

What can the channel do to accelerate this learning, and how should a modern managed services provider go about helping to protect its customers in an age of increasing complexity?

To try to answer some of these questions and others, The Margin put together a special roundtable of industry experts.

What lies beneath

While businesses are increasingly aware of regulations that may punish them for not investing in cyber security, the single biggest driver of cyber security is that businesses are being breached, and in huge numbers.

“Purely and simply, people are getting attacked,” says Colin Thornton, MD at Turrito Networks. “PoPI and GDPR are still theoretical."People know they’re coming and there’s a risk, but every single day of the week, I get a call from someone who’s been attacked.”

Colin Thornton, Turrito Networks Colin Thornton, Turrito Networks

Partly because a large proportion of these attacks isn’t made public, many South African organisations still believe they aren’t as at risk as their international peers.

“South African businesses still think they’re in a small corner of the world where no one worries about them,” says Elaine Wang, Rectron’s cloud and software solutions director. The truth is, she continues, that the South African Banking Risk Association (SABRIC) claims that the country ranks third for the number of victims of cyber crimes in the world.

Many of these incidents will be unsurprising, like ransomware, or phishing attacks. Some are truly shocking.

“We saw a local incident in which a datacentre was attacked,” says Pieter Nel, regional head, SADC, Sophos, “and the attackers got control of the air-conditioning system. Those kinds of endpoints are very vulnerable, and imagine the damage you can do if all the aircon is turned off?”

Helping organisations understand these kinds of vulnerabilities is still difficult, especially as the threats are constantly evolving.

“We had a local incident a few weeks ago where someone was lurking in a mail account for over two months,” says Nel. “We think there are a lot of attackers in a mailbox waiting for an opportunity. They wait until they see a big business deal, intercept the back-and-forth and change account details and so on where appropriate. What we saw in this case was that their English was perfect and copied the syntax and grammar of the senders in both directions too. Looking at those mails, you would never have known they were fake; it’s the first time I saw that level of authenticity.”

Robert Marston, Seacom Robert Marston, Seacom
“People don’t understand how exposed they are,” says Seacom’s global head of product, Robert Marston. “After an attack, they’ll say, ‘I thought we had anti-virus’ or some such thing.”“We see a lot of SMEs that still think a single off-the-shelf solution will protect them,” agrees Rectron’s Wang. “We engage heavily with Microsoft, but it’s staggering how many businesses are still using Windows 7 and expecting that it will protect them.”

This won’t change soon. As Nel points out, many embedded systems, such as POS, are still running Windows XP.

The hold-up

“There’s a false sense of security,” says Turrito’s Thornton. “Business owners aren’t reading IT magazines, and they think they’re protected.”

“You’d think people would have woken up after Wannacry,” says Securicom’s national sales manager Richard Broeke. “But there are still a lot of unpatched machines out there. We (the industry) are partly to blame; we aren’t educating these customers properly. We’re trying to sell to them, and we’re trying to sell based on scare stories of all the bad things that happen. We’re not selling the value of good security – and that’s hard. I always tell customers to look up the ‘Prospect Theory’; people would rather take a potential large loss against a guaranteed risk (of spending on security).

Richard Broeke, Securicom Richard Broeke, Securicom

“People don’t realise the value of what needs protecting until it’s gone. I was with a small company the other day, 22 years old, with six employees. They lost all their data, and it was devastating.”

Many decisions do come down to cost. While Wang points out that in newerSeacomMicrosoft products, security is no longer an added extra, it’s still far from the norm and it’s often removed to win sales.

“A lot of the channel falls into the habit of just wanting to compete on price,” says Seacom’s Broeke.

Things are changing, however, argues Sophos’ Nel.

Pieter Nel, Sophos Pieter Nel, Sophos

“We’re seeing a new type of partner, a value-added partner who is becoming more strategic,” he says, adding that the business model of cloud makes it more attractive for sales teams to engage deeply and on a monthly basis.

“The problem with cloud,” says Seacon’s Marsden, “is that it’s sold as a completesolution. But you still need to spin up your own firewalls and patch management that’s always buried in a slide or two.”

“From a channel perspective, resellers need more education,” says Rectron’s Wang. “Security is very specialised. Resellers think they can do everything, but the truth is that they can't. They need to find partners – but the mentality is still that if I partner with you, you will steal my customers.”

Who’s spending?

Perhaps the most surprising contention in the discussion is in which sectors organisations are investing. Banking and finance, obviously, come top, but many of the participantssuggest that government is also taking cyber security very seriously.

“We’ve noticed that manufacturing and engineering are getting there,” says Turrito’s Thornton. “Engineers enjoy the conversations and know what to do with it. Someone running a marketing company? That’s a harder conversation to have.”

The consumer market, however, is generally agreed to be the hardest, and also one of the most at risk thanks to smart home devices.

“We tried home firewalls, but they got no traction at all,” says Thornton. “What drives online security at home is child safety.”

Contrary to popular perception, South Africa is taking investigation of cyber crime seriously.

“I had a recent case working with SAPS,” says Securicom’s Broeke. “We interacted with them and a service provider on behalf of a client and they were very knowledgeable. They asked the right questions about IP addresses and knew how to subpoena. It hasn’t gone to prosecution yet, but the processes were in the right place.”

Despite this, however, there remains scepticism about the overall capacity of SAPS to investigate cyber crime, particularly non-financial data loss. That may change with the introduction of the Cybercrimes Act, but in the meantime, private institutions are doing a lot of their own investigating.

“The banks take it very seriously,” says Thornton. “You log a ticket and you get a response from a tech person.”