The single biggest challenge in selling a managed IT service has very little to do with the technology involved. Rather, it’s usually the pride of the internal IT organization that gets in the way of a more rational business decision being made. Nowhere is that paradox more apparent than in managed security services.
A new survey of 660 professionals involved in IT security conducted by Dimensional Research on behalf of Barracuda Networks finds that among the 70 percent of respondents that were impacted by some form of a phishing attack involving email, 43 percent spent time removing malware or viruses from systems. A third report credentials were stolen, while over a quarter (27 percent) confirmed their organization suffered some form of reputational damage. One-fifth also admit they experienced some form of direct monetary loss involving the transfer of funds, while 17 percent said some form of sensitive data has been lost.
The survey also notes that nearly a quarter (23 percent) experienced some form of an email attack that cost their organization more than $100,000 in the last 12 months. Almost half (48 percent) confirmed their organization had experienced some form of lost employee productivity from these attacks, while over a third (36 percent) said these attacks resulted in business disruption or actual downtime.
Internal IT teams don’t see a problem
When asked to rate their remediation capabilities, only 3 percent of the respondents rated themselves as being inadequate. A full 62 percent of respondents rated themselves as being either very good or excellent, while 35 percent said they are adequate in their ability to catch most attacks.
When asked about what specific email security technologies their organization had in place, not surprisingly 88 percent said they had virus and malware filters, followed by spam filters (85 percent). Reliance on more advanced forms of email security, however, starts to drop substantially from there.
More than half make use of email authentication (68 percent), URL protection (57 percent), and computer-based training for employees (55 percent). Less than a third make use of sandboxing (29 percent), automated incident response (25 percent), dedicated spear-phishing protection (23 percent) or account takeover protection (22 percent), all of which are usually part of a managed security service.
There’s a significant disconnect between the perceived capabilities of an internal IT team and the true impact email-based attacks are having on the business. It would be fair to say that at least half the respondents to this survey would be better served by a managed security services provider (MSSP), especially when you consider the soft costs stemming from lost productivity and disruptions to the business.
The challenge MSSPs face is getting internal IT teams to come to terms with that reality. Internal IT teams are often loath to admit that they need help for fear of being perceived as inadequate by the rest of the business.
Internal IT teams often also determine cost only in terms of how much money is spent on products and staffing, rather than including total cost to the business. IT teams rarely factor in all the other things they could be doing, if they weren’t spending so much time cleaning up after a malware infestation.
MSSPs need to approach internal IT teams gingerly. Nobody likes to be told that somebody else is better at something than they are. The art of the conversation is to first show them how bad everybody else is. Only then does it become easier for internal IT teams to admit that they could use a little extra help.