Should a small firm outsource its security?

Can a small business justify employing a full-time in-house IT security manager?

New Asset  
Our company suffered a security breach in the form of a virus last month. As managing director, I am concerned about the effect on our business of more serious incidents in the future. Should I employ a dedicated IT security manager or use third-party managed services? 




Outsource, but someone in-house must retain control

You are right to take this seriously, because your next breach could take your business offline and pass the problem on to your customers and suppliers.

It is tempting to focus on straightforward technology, for example, installing anti-virus and firewall software, as this appears affordable and straightforward to set up.

However, securing your business is not a trivial task. You have to assess your exposure, formulate policies appropriate to your business and train users. You have to design and implement a security product and monitor it 24 hours a day, which requires a detailed knowledge of your network. You have to manage rules for your firewall and for controlling what people can do on the web. You also need to produce reports to demonstrate your protection. This is a tall order for just one person.

In light of this, small and medium-sized organisations are increasingly turning to managed service providers to help them keep their businesses secure.

Third parties can help you assess your vulnerabilities and formulate policies. If they are also the people that provide your network, they are in a position to fully integrate security. If you make sure your managed service company has government and manufacturer accreditation and lays on expert monitoring around the clock, you are in a position to achieve more peace of mind that a lone internal resource can provide.

A managed service does not have to be expensive. Third parties can help you balance your risks and budget and may avoid you having to make capital investment. When you consider the full cost of employing a dedicated person, a third-party service may seem very attractive.

Using a managed service will allow you to concentrate your efforts on your core business. However, you should still have one person responsible for security. They need not be dedicated or an expert in technology, but they do need to understand your company's business and the impact of security failures.

Mick Hegarty, general manager, ICT, BT Business

Consider training the IT manager as security expert

There is no hard and fast answer. A small company probably does not need a dedicated IT security manager, but the person who looks after IT should definitely be keeping a close eye on security. You could even consider training this person to become a security expert.

Regardless of whether you have an internal security manager or whether you employ a managed service provider, the key to IT security is to implement systems and policies.

However, you should ensure they are not too complicated for people to use, otherwise you will leave your organisation open to even more threats as there will be lots of security holes you do not know about.

If you do decide to work with an external service provider, make sure they are accredited and can demonstrate their experience in providing security for a business of your size.

Mike Lucas, regional technology manager, Compuware

Internal threats can be controlled with software

Breaches in security can arise from many areas, including internal staff. The decision of whether or not to employ a security manager will depend on where the breach has arisen and where you think any breaches may occur in the future.

Any policy should be explained and accepted by the staff so that everyone knows what is expected.

Typically, viruses will get into the business through e-mail, websites or storage media. Protection can be provided against e-mail-based viruses by using a third party to scan incoming and outgoing e-mails for viruses.

Similarly, access to the internet can be managed and controlled using a rules-based web control system.

Next, you need to ensure that you are either controlling or preventing e-mail and access to the internal systems from computers that could be vulnerable to viruses. A typical example is where a user on a home computer is allowed to establish a virtual private network into the main system but does not have any firewall or anti-virus protection.

If the previous breaches in security and the perceived threat is of the nature outlined here, it will be hard to justify a security manager in a small business.

Trevor Lucas, managing director, TAL Computer Services

A security audit will tell you where the problem lies

When did you last conduct a formal security audit? If a virus can breach your current defences, this is clearly an indication that not all is well, but I would not hire anyone until you understand the extent of the problem.

The British Chambers of Commerce has written an excellent security guide for small business owners, which can be found at In it you will find an easy to follow audit process and an example of a security policy for your business.

Having conducted the audit you will probably find you need some external support. Again, you can find qualified businesses at bCentral.

You should take the opportunity to address your IT systems as a whole to make sure they are supporting your business effectively; your security policy should reflect that people will work from home, client's offices or on the move.

Now you are in a position to choose in-house or third party. I think you have no choice but to make a member of your staff responsible for security. However, the tools and services to keep your systems secure are most cost-effectively provided by third parties.

It is important to keep all your software updated with the latest fixes and patches. You should try to purchase software that does this automatically or make it part of your IT partners' contract. Finally, in six months' time review the security policy in the business and in 12 months conduct another audit.

John Coulthard, head of small business, Microsoft UK

Outsourcing would be a suitable short-term fix

Whether security is managed in-house or outsourced, the first and most urgent requirement is to perform an audit to identify all possible risks and to determine the source of the breach.

If anti-virus procedures have been neglected, it is likely that other areas have been too. The audit should be used to determine a suitable response and to create a security policy that will identify clear roles and responsibilities.

The security policy should be communicated to all staff and a breach of the policy made a dismissal offence. Even if management is outsourced, someone in the company must be responsible for enforcing the security policy.

If a dedicated manager is to be employed, they must be of sufficient calibre and, if resources are limited, the role is better outsourced. In view of the urgency of the issue, outsourcing may be the only possible short-term solution.

A third party or in-house manager are both likely to rely on commercial anti-virus products combined with an appropriate directory services configuration. In determining whether to outsource, it is most important to consider who will be responsible for regular maintenance, identification of new threats, reviewing the situation and regular reporting.

Mike Hudd, technical director, Netcel


BT Business

TAL Computer Services



Microsoft UK

Read more on Managing IT and business issues