Security-as-a-service: a guide to outsourcing

Security-as-a-service: a guide to outsourcing
Can an outside company bring the security your business needs?

When it comes to security, many small and mid-sized firms fail to understand the complex issues they face. Unless you have the skills in-house, the responsibility to ensure your data is safe will usually be better in the hands of an outsourced provider.

As data breaches increase, all businesses are at risk. This has led to a growing number of security-as-a-service products aimed at SMBs.

The choice is vast; SMBs can outsource some or all of their security, from firewalls and antivirus through to authentication and monitoring.

Choosing such services gives you access to new technology and management expertise, without requiring high initial costs or ongoing investments in upgrades and staff training.

Perhaps most importantly, outsourcing security can offer you the same protection that a bigger company enjoys. But choosing the right service is important. An audit is usually necessary first, and then you and your chosen provider can discuss which elements of security should be outsourced.

Increasing complexity

SMBs often fail to understand terms such as "zero-day threats" and "polymorphic viruses," as well as "more prosaic but equally important aspects of security," such as DLP and encryption, says Quocirca Analyst Clive Longbottom.

Therefore, allowing an external provider to deal with even small tasks can make a huge difference. For example, Longbottom says, using a cloud-based antivirus system for email allows problems to be captured and dealt with at an earlier stage, bypassing the problem of out-of-date virus definitions.

And protection is not just about protecting your business assets: SMBs that don't have up to date security can risk getting behind their competitors.

If you suffer a breach due to insufficient security, Longbottom warns, "all of a sudden your data is easily picked up, or your network is infected - and your competition is well placed to pick up your customer base."

Health check your system

Although outsourcing itself is cheap, an audit is usually necessary beforehand, says David Meadows, Technical Consultant at IT services firm Carat.

Providers such as Carat can perform a "health check" or audit on the system. "This gets us familiar with services and equipment on site - and shows up any holes," he says. "There are free software alternatives that we can implement, so sometimes you then only have to pay for an engineer's resource."

Carat has seen SMBs with varying problems, based on the size of the business and whether there has been any IT input before, says Meadows. "At some point antivirus might have been deployed but not updated; people use their chosen apps and don't know what's going on in the background."

For example, one of Carat's SMB clients didn't have a firewall in place. "It can be a real basic setup," says Meadows. "People can disable a firewall to get around a problem and then things get through."

In some cases, inadequate security measures can be slowing the internet too. An audit by an external provider can resolve such issues and speed it up, increasing your firm's efficiency.

When choosing a solution, it is essential to identify a security service provider that can deliver technology expertise, transport infrastructure, geographic coverage and the right price levels, says Product Manager James Webb at ALVEA.

"It is also important to understand the service provider's core competencies," says Webb. "For example, some carriers focus primarily on network connectivity and operational excellence, while others have deep levels of IT and security expertise. Also consider the service provider's size, financial resources, management team and knowledge in your industry."


A multitude of security products are on the market, but none of them can ever be completely secure, warns Ash Patel, EMEA Business Manager for Cloud at Insight UK. Cost versus security is "always the battle" for an SMB, he adds. "But the likes of MacAfee, and Webroot all offer good services in their own way."

TrendMicro and Panda also deliver security services. These have varying benefits from the level of security, to how cheap the product is, Patel says. "For example, Webroot is one that delivers both value and protection, but the best part is that it does not come with the frustration. In fact, it was so quick to install I actually installed it five times before realising it was there."

Longbottom recommends Trustwave, RSA and Dell's SecureWorks. ECSC has a specific SMB service, and RackSpace offers managed security around its hosting capabilities, he adds.

Other solutions are better sourced through managed service providers. As part of its security suite, Carat offers hosted email security including filtering for spam and viruses, along with a hosted cloud and servers for data. The costs are low: Carat's pay-as-you-go suites are £3 or £4 per user per month each.

Taking all this into account, outsourcing security to the right provider allows SMBs to punch above their weight. If you choose the right service, it also cuts costs and reduces the need for IT staff on site. "You don't need the IT resources or the IT kit in-house," says Meadows. "It gives smaller businesses all the capabilities of a bigger company."