The Dangers of Assuming "IT Support" and "Security" Are the Same

As originally published in the American City Business Journals.
After 25 years in the information technology (IT) industry, you start to see some trends.
One of the most troubling patterns I’ve noticed recently is that many business owners equate IT support with network security; they believe that because someone is managing their infrastructure, they are largely protected from any breach or significant data loss.
While I understand the cause of this mindset (inflated promises from the IT industry itself are at least partly to blame), the false sense of security becomes increasingly dangerous as cyberattacks continue to evolve in the worst sort of way.

Security elements covered by standard IT support

With your basic network management — whether it’s in-house or outsourced — you’ll get a certain level of protection. This usually includes:

  • Patching for your servers and workstations to eliminate vulnerabilities
  • Anti-virus, anti-spyware, and anti-malware to prevent infection
  • A spam filter to catch most shady emails
  • An updated firewall to protect from threats from the web
  • A strong password policy
  • Restricting data to only the people who need it
  • File/server backup of some sort

All of these elements are a fantastic start — and critical to the overall health of your infrastructure — but they aren’t enough to keep you truly secure.

Security elements NOT covered by standard IT support

If IT support is all you’re relying on, you’re likely not properly addressing:

  • Business continuity planning (beyond pure disaster recovery)
  • Intrusion detection and response planning
  • Policies including employee separation, equipment use, mobile device use, etc.
  • Any encryption needs (hardware, email, etc.)
  • Any compliance requirements
  • The kicker: employee training

    New Call-to-action

What’s more is that these elements can completely undercut any technology controls you’ve implemented.
A well-intentioned but uneducated employee could very easily, for example, choose to download an unexpected attachment labeled “invoice.exe” and suddenly infect your network with ransomware. And if your team then doesn’t know how to properly respond to the infection, you’re only giving it more time to spread to every corner of your network, and possibly to your only hope for recovery: your backups.
Most IT resources will be able to provide you with direction regarding some or all of these elements, but it’s going to take a commitment of time from your leadership and your staff as a whole, and an investment beyond what it takes to keep your technology running.

How to break the cycle

If your business sticks to the paradigm that regular network management in itself is keeping your data safe, you risk finding out the hard way that this isn’t actually the case.
One way to make sure you’re forced to accept “IT” and “security” as separate entities is to create a dedicated budget line item for each. This way you are quite literally drawing a distinction between the two, and can properly allocate funds to each initiative.
Beyond that, make sure you’re working with a partner that understands the severity of the issue at hand, and can help guide your business forward safely and thoughtfully.

New Call-to-action