Written by Jake Newbury, Head of Sales at SEP2.
Connect on LinkedIn.
When should a growing business invest in a Security Operations Centre (SOC)?
Cyber security for SMEs
As Security Operations Centres (SOCs) are now becoming more affordable for organisations of all sizes, we have put this article together to help guide business leaders on when the right time to invest might be.
This article is split into three sections:
- You don’t need a SOC (until you’ve done these five things)
- What is a SOC, and what is it for?
- Reasons your business needs a SOC
This can’t be called a “Complete guide to buying a SOC” as there are many nuances to each organisation that needs to be considered. However, this article should help you to know whether a SOC is something to consider.
I appreciate that not everyone reading this will necessarily know all the cyber security terminology, so I have included a link to the NCSC Cyber glossary at the bottom.
Before we go any further, I’d like to address what is probably the obvious question: why is the Head of Sales writing this article? And why should I trust anything he says?!
It’s a fair question.
At SEP2 we pride ourselves on having one of the most technically accredited teams across our vendors; when it comes to the technology at hand, they’re just about the most experienced you can be.
However, when it comes to knowing what concerns growing businesses… well, that’s in my wheelhouse. Out of everyone working at SEP2 I have the most contact with our customers, and with the key business drivers for investing in the technology that we sell. It’s also my job to ensure our customer retention remains above 90%, so it’s in my interest to only recommend what customers actually need. This leads us nicely to my first point:
You do not need a SOC (until you’ve done these five things)
Let’s get the easy bit out of the way first: a SOC is only as effective as the data that goes into it. As a cyber security company, SEP2 would like businesses of all sizes to have a 24/7 SOC. In reality, there are some other security priorities you should have in place first.
This section won’t give you all the information you need to solve these five problems but will provide a basic idea of what we would suggest. I will provide some links to more detailed information on each section if you wish to investigate further.
Assuming you have some level of centralised identity management (e.g. Active Directory), the following are paramount to the basics of your security posture.
1. Endpoint Security
This is the bare minimum for any business, from a self-employed contractor working alone up to an organisation hiring thousands. You need to have an endpoint security solution in place on every laptop, desktop and server: at minimum, anti-malware that updates itself automatically; ideally an EDR (Endpoint Detection and Response) tool, because its telemetry is exactly what a SOC will later want to ingest.
2. Password policies
There are some fantastic password managers and SSO tools. As a minimum you need to ensure employees’ passwords are long and unique (a password manager makes this painless), that multi-factor authentication is switched on for email, remote access and admin accounts, and that default passwords are never left in place. Note that the NCSC no longer recommends forcing regular password changes (for example every quarter): it pushes people towards predictable variations, and it is better to change a password only when you suspect it has been compromised.
3. Firewalls
This could be a “Next Generation” Firewall if you have an on-premises data centre. Check Point would be our vendor of choice, but your Internet Service Provider can likely make a recommendation to you.
Most SMEs utilise cloud these days. GCP, AWS and Azure all have some built-in security protections, but often “effective” security controls come at an additional cost. Remember that cloud security is a shared responsibility: the provider secures the underlying platform, but you are accountable for how you configure and use it (identities, permissions, storage exposure, logging). As business owners, you are accountable for your own cyber security, NOT your suppliers.
4. User Education
This doesn’t mean go and buy some expensive tooling to solve this problem, but ask yourself practical questions:
Have you got someone tech-savvy in your team? Could you ask them to run a session to the team about the dangers of clicking on a link from an unknown sender? Are you regularly reminding your team to be careful of ‘shoulder surfers’ when working on something sensitive? Could you supply some privacy screen protectors for those who travel regularly?
5. Configuration and asset management
This means knowing every device and system you own (an asset inventory) and ensuring that you don’t have any gaps in your security. For example, if you have ten servers and nine of them have perfect security configurations, but the tenth has a default password on it… you have a huge risk! And you cannot fix what you don’t know you have.
I’d also add vulnerability management to this section as something that should be considered, even if a full scanning programme is not yet a necessity. At the very least, keep operating systems, browsers and internet-facing software patched promptly; most of the breaches we see start with a known, fixable vulnerability.
If you don’t have all five of the above you can stop reading now. Go and get these things sorted (and then come back and read on!)
If you’ve come this far, let’s get into the meat of it: the purpose of a SOC and if you need one.
What is a SOC, and what is it for?
At this point you might be thinking, what actually is a SOC Jake?
This topic could be a blog itself, but I will keep it simple and provide a couple of links underneath for more detail if you’d like it.
A SOC (Security Operations Centre) is a centralised function that combines people, processes and technology to monitor your organisation’s security. This is done by collecting logs and alerts from all relevant sources (endpoints, firewalls, identity systems, cloud platforms), correlating them to spot patterns that no single source reveals on its own, and taking the appropriate action. The central ‘engine’ of a SOC is typically a SIEM (Security Information and Event Management) system, which is the technology that pulls all the information together and runs the detection rules.
Now onto the purpose of a SOC:
A SOC should effectively respond to and deal with threats.
I hate scare tactics, as it always feels like a cheap and easy shot in cyber security. However, this piece is designed to educate, so I’ll do this once and promise not to use any more scary stats for the rest of the blog. A recent study by the University of Salford in Manchester found that 43% of cyberattacks target SME businesses, and that 60% of the SMEs that fall victim to a cyberattack go out of business within six months. Moreover, cybercrime costs SMEs more than $2.2 million a year.
When I started in the industry, I remember hearing a great metaphor. If a burglar is walking down a street and all houses but one have a burglar alarm, which one do you think is going to be targeted?
The point is that adding security controls can’t guarantee you won’t be breached or hacked but it does reduce the chances and, in the case of a SOC, allow you to reduce the impact.
With the basic security controls outlined above you can reduce the chance of being breached, but with a SOC in place you can reduce the chance of catastrophic business impact. When speaking with enterprise organisations we use the terms Mean Time to Detect (MTTD), the average time from an attacker’s first action to someone noticing it, and Mean Time to Respond (MTTR), the average time from detection to containment. The faster you can detect and respond to a threat, the less impact it will have on your business.
The SOC plays its part in stopping threats, but its most important role is identifying when there is a potential breach and stopping it in its tracks!
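To make the “correlation” and MTTD ideas concrete, here is a small worked example. It is an illustration added to this article, not SEP2’s SOC tooling or any vendor’s SIEM: it runs a single detection rule (a burst of failed logins from one source followed by a successful login from the same source) over a handful of constructed log lines, and measures the time from the first attacker action to the alert. The log format, hostnames and IP addresses are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): an SSH password-guessing run from
# 203.0.113.7 against web01 that eventually succeeds, with a benign login
# from a staff workstation (198.51.100.20) mixed in.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=web01 src=203.0.113.7 user=admin action=login result=fail
2024-05-01T09:00:03Z host=web01 src=203.0.113.7 user=admin action=login result=fail
2024-05-01T09:00:04Z host=web01 src=198.51.100.20 user=alice action=login result=success
2024-05-01T09:00:05Z host=web01 src=203.0.113.7 user=root action=login result=fail
2024-05-01T09:00:07Z host=web01 src=203.0.113.7 user=admin action=login result=fail
2024-05-01T09:00:09Z host=web01 src=203.0.113.7 user=admin action=login result=fail
2024-05-01T09:00:12Z host=web01 src=203.0.113.7 user=admin action=login result=success
"""


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def correlate_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Detection rule: at least `threshold` failed logins from one source
    address inside `window`, followed by a successful login from that same
    source. A single failure or a single success is noise; the combination
    across events is the signal a SIEM is there to find."""
    failures = {}  # src -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "login":
            continue
        src = ev["src"]
        if ev["result"] == "fail":
            failures.setdefault(src, []).append(ev["ts"])
            continue
        # Successful login: only count failures that fall inside the window.
        recent = [t for t in failures.get(src, []) if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({
                "src": src,
                "user": ev["user"],
                "host": ev["host"],
                "failures": len(recent),
                "first_failure": recent[0],
                "success_at": ev["ts"],
            })
            failures[src] = []  # reset so one attack produces one alert
    return alerts


def time_to_detect(alert, detected_at):
    """Seconds from the attacker's first action to the SOC raising the alert.
    This per-incident figure is what MTTD averages over many incidents."""
    return (detected_at - alert["first_failure"]).total_seconds()


if __name__ == "__main__":
    found = correlate_bruteforce(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"ALERT {a['host']}: {a['failures']} failures then success "
              f"from {a['src']} as {a['user']} "
              f"(time to detect: {time_to_detect(a, a['success_at']):.0f}s)")
```

Two things worth noticing: the benign login from alice never fires, because the rule needs the failure-then-success pattern from the same source; and if web01 were not forwarding its logs at all, there would be nothing to correlate, which is the practical meaning of “a SOC is only as effective as the data that goes into it”.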
Reasons your business needs a SOC:
What determines if you need a SOC is not directly related to company size, but more to the way your business operates. I saw an article where the writer proposed that if you have fewer than 100 employees you do not need a SOC or SIEM. With respect… this is complete nonsense. Some organisations with 20 users may need a SOC and some with 300+ do not. These are some of the key things that typically justify investing in a SOC:
1. Your customers expect one
As I mentioned at the beginning of this blog, one of the most important metrics in my role is winning and maintaining customers. This is paramount to any business. Many of our customers who supply their products and services to others are now finding that cyber security is an important part of the supplier onboarding process, due to the frequency of supply chain attacks.
Supply chain attacks are prevalent and have been for over 10 years. When I first started in this industry, the recent attack that everyone loved to discuss was Target (the US retailer), where the attackers got in using credentials stolen from a third-party supplier. And a decade on, the problem has not gone away. If you have 30 seconds, go to the news tab on Google and search “supply chain attack”, and you will see the number of high-profile organisations falling foul of this.
So, don’t be caught off guard when you are about to close that revolutionary deal for your company when the customer asks for you to have basic security controls (including a SOC) in place.
The NCSC also has got some great content on this. Remember that you should also be vetting your suppliers!
On a recent webinar one of our customers discussed their journey to invest in a SOC. They revealed that the main driver was wanting to provide their product to the government and military, who demand this level of security before you can even get your foot in the door!
2. You stand to gain industry-specific benefits
Each industry will have its own ways of working. For some companies, having effective cyber security gives them a competitive advantage in their space. Some examples I have seen:
- A software development company using their improved Cyber Security as part of a submission for an industry award nomination
- A bank that needed an Electronic Money Institution (EMI) licence in order to issue electronic money in the European Economic Area, and that had to have a 24/7 Managed SOC in place to achieve it
- A private healthcare organisation using cyber security in their marketing to demonstrate their care for their customers’ information as well as their health
3. You have compliance requirements
Sometimes compliance is dictated by our customers (as in point one), government legislation, industry standards (point two) or several other drivers. Whatever the impetus, and no matter how much of a headache it is, compliance is here to stay.
This can be anything from Cyber Essentials, to ISO 27001, to the NIST Cybersecurity Framework. It can be a daunting process, particularly if you’ve never heard these terms before. I confess to only reading ‘ISO27001’ for the first 6 months and having no idea how to say it out loud (I-S-O-twenty-seven-thousand-and-one, BTW).
Not every framework will require a SOC. Sometimes it’s unclear exactly what is needed to achieve a certain regulation. Unfortunately, this is an area on which you’re likely to need outside consultancy. Incidentally, SEP2 do offer consultancy services around compliance… but I’m not here to sell, of course.
There’s a helpful guide from IT Governance about the different compliance standards to get you started here.
In the ‘olden days’, when everything was hardware and we used to meet our customers in person, I visited many who used their email gateways, SIEMs, encryption tools and so on as doorstops, only plugging them in once a year when the auditor came in. Our advice when it comes to compliance is: if you need to meet a certain requirement, don’t just do what’s needed to tick the box. If you have to invest in it, make it work for your business!
4. You’re looking to gain investment to grow your business
Recently we spoke to an IT company who were looking to grow globally. When they sought investment, the investors required them to have a SOC in place before proceeding with hiring or channelling money into the new regions.
From conversations with many of our customers, it’s clear that this is not a one-off. Many, if not most, investors are now considering the security posture of growing businesses when investing. As demonstrated in multiple high-profile breaches, cyberattacks directly affect share price and revenue. Therefore, most investors will do their due diligence before investing to ensure you have an acceptable cyber posture.
5. Because getting breached sucks (but it could suck a little less)
The last, but probably the most valid reason, is the impact of a breach. Breaches very tangibly affect your bottom line. Here are three examples I have seen:
- A DDoS attack which prevented an online retailer from taking payments on Black Friday
- A ransomware attack on a services company which hindered employees from performing their duties, resulting in the loss of several weeks’ worth of billable hours
- A phishing attack on a catering company which resulted in an employee transferring funds to someone pretending to be an exec
There’s also the impact on your brand, the ability to deliver a service under SLAs and the potential of losing valuable customers.
Do not make the mistake of assuming that SMEs are not large or high profile enough to be attacked. You are! Most attacks are opportunistic and automated, and the attacker does not know or care how big you are.
One additional (fun) benefit: I’ve seen the SOAR component of a SOC used to track when an engineer swiped into the office, so by the time he arrived at his desk (a few flights of stairs up) he had a hot coffee from the machine ready for him (very Wallace and Gromit!).
In conclusion, please buy SEP2’s SOC service. Joking! I mean, unless you want to…
In real conclusion, a managed SOC is one of the largest investments a business can make that does not have a direct impact on increasing revenue, so do not rush this decision. Make sure you have the basics done right first, you understand what benefit you want to get out of this and talk to multiple providers to find the best fit for your business.