One of the key IT considerations for small/medium business owners is how to deal with cyber security. The issue may come to the fore because of a cyberattack that has occurred against the business, or even against you personally.

The reality is that many smaller businesses can’t spare even one person from their main role to deal with security issues, let alone hire a dedicated and highly-qualified CISO/security professional.

So what are the main pros and cons of outsourcing IT security?

There are a number of advantages in outsourcing IT security which make it a tempting proposition for SMBs.

Cost saving

Opting to outsource your IT security can save you money in a number of ways. Firstly, it will mean you don’t need as many full-time IT staff on your payroll – controlling your wage costs. Secondly, it usually results in less outlay on equipment, software upgrades/updates, and training.

Expertise and experience

The staff of an outsourced IT provider are experts in their field. They will most likely hold multiple certifications/accreditations, have years of experience and be knowledgeable about current threats. This level of expertise is hard to maintain internally. They will also be up-to-date with best practice in the field.

Access to the best technologies

Traditionally, smaller businesses struggled to access the technologies available to larger firms with huge IT budgets. Outsourcing is one way that SMBs can access the same tech as the ‘big boys’, helping you maintain a competitive edge.

Access to immediate upgrades/updates

Security-focused IT support providers have access to the most up-to-date software versions and will pass these on to you. They will take charge of ensuring that patches and updates are applied immediately, keeping your data safe at all times.

Peace of mind

Outsourcing cyber security allows you to focus all your energy on your core business rather than fretting about the latest security threat, or whether your firewall is up-to-date.

So those are the advantages. What about the potential downsides?

Lack of control is often cited as a drawback. You are effectively entrusting a crucial function – as well as your highly sensitive data – to an outsider. This additional risk could be an acceptable trade-off for the many benefits, but micro-managers may feel it is a step too far.

Potential damage to staff morale is sometimes another reason for not outsourcing. You need to ensure that your existing staff continue to feel secure and motivated, and not worried about being replaced by an external resource.

The third reservation is often about the provider’s priorities. An external provider is likely to have multiple clients, so how do you know that they will prioritise your problems, rather than treat you as one among many?

Which elements are most suitable for outsourcing?

The best things to outsource are the most complicated and the most tediously time-consuming, such as firewall and VPN management. Vulnerability, content filtering, DDoS prevention, and malware scanning are also good elements to outsource.

So why keep it in-house?

The usual reasons for keeping IT security in-house are to avoid disrupting the status quo, to maintain full control over the systems and data, and to ensure no ‘other clients’ are in the way if something needs to be tackled immediately. In short, some managers like to keep an eye on everything – which is fine if they understand all the threats. Nobody knows your business better than your in-house team. They are also familiar with the office culture, other employees, and the day-to-day challenges specific to your business.

The choice is down to the balance of benefits you feel you will get from outsourcing. You can also choose a ‘middle way’ by outsourcing just those elements you feel comfortable entrusting to a third party, while maintaining some in-house control.