Martyn Harvey, Sedcom: “breaches aren’t really an if, they’ve become a when”
The digital world has always been clogged with cyberthreats, and that’s why it’s only a matter of time before a company that doesn’t care about cybersecurity is attacked.
A common misconception about cybersecurity is that a company that isn’t big enough won’t be attacked. In reality, small to medium-sized enterprises are as likely to become a target for cybercriminals as big companies. That’s because they often have fewer security measures in place.
Whether it’s a ransomware attack or a data breach, the consequences can be detrimental both financially and in terms of reputation.
Martyn Harvey, the Technical Director of IT support and cybersecurity services company Sedcom, says that the ‘we’ve never been breached before’ mentality often changes only after an actual attack occurs.
Harvey agreed to share his knowledge and views about the importance of IT support services, cybersecurity, and useful protection tools.
Both your team and client base have grown exponentially since your start in 2005. What was the vision behind Sedcom?
The vision for Sedcom may have been tweaked over the years but has always been quite straightforward. At its core, it is to provide the best customer-focused service delivery possible, and in doing so, to help take the stress of IT away allowing our clients to focus on what was important to them – running and growing their business.
Can you tell us more about what you do? What are the main challenges you help navigate?
We’re an IT MSP that provides IT support, consultancy, cybersecurity services, and cloud hosting to clients predominantly in London and the South East of England. The main challenge we aim to overcome links in with our vision, and that is to help take the technical stress out of IT for our clients. It has certainly made us the ‘go-to’ company when it comes to their IT-related queries – we look to advise, support, and improve the environments we maintain. We help promote better processes and practices for our clients in the hope that IT just becomes one less thing for them to worry about. We always want to ensure the right skill sets for the task at hand. 99% of the challenges we come across – our team can deliver the best solutions for our clients. But we’re never scared to defer to one of our trusted partners if we think they’re going to be a better fit for the overall solution. We always have a ‘can do’ attitude when finding solutions to whatever IT problems our clients face, this is where we see a big difference in overall client satisfaction and ultimately their retention and word of mouth referrals.
Even though there are plenty of companies offering cybersecurity solutions nowadays, certain organizations and individual users still hesitate to upgrade their security. Why do you think that is the case?
I think cost and understanding are big factors in why improvements to an organization’s security posture can suffer. There’ll be companies out there that just simply don’t understand or appreciate the threats their business may be exposed to on a daily basis. This can be through a lack of interest or investment from management, or they may not be getting the advice or guidance they need from their providers. We see this a lot and it can lead to a ‘we’ve never been breached before’ mentality, which unfortunately often only changes after an actual breach, or worse, being hit by ransomware.
There are some amazing cybersecurity solutions out there, but many can be cost-prohibitive for SMEs, making it hard for them to justify why they should be opting for additional services over their existing antivirus, and perhaps making use of a stronger password where they can. For companies to really understand the risks and what can also be an incredible eye-opener is at least budgeting for a basic network pen test – these sorts of exercises can help a company have the right conversations about where they may need to focus their budgets, give a better understanding on where any existing security measures may be flawed and hopefully start to give an understanding on why ensuring cybersecurity measures need to be regularly reviewed for improvement.
What was it like providing your services during the pandemic? Were there any new issues you had to adapt to?
We were quite fortunate through the pandemic; we have a great team that was able to adapt quickly to government guidance and adopt the ‘new normal’ with relative ease. The solutions within our own IT infrastructure meant working securely from anywhere was already available to us, so in essence, it was a bit like an extended disaster recovery test. The whole office was working from home, providing our services uninterrupted within a moment’s notice.
I’m sure like most MSPs, one issue our team had to deal with was the spike in workloads over the first few weeks of lockdown caused by a bit of a mad panic for those that didn’t have infrastructures suited for remote working. It became a bit of a balancing act trying to aid our clients in being able to work from anywhere yet ensuring appropriate security measures were in place given the lines between work and personal devices started to blur. Overall, the forced work from home scenario did aid in much more rapid adoption of cloud solutions, such as Microsoft 365.
Another issue, once the novelty of work from home had worn off, was team engagement and well-being. Microsoft Teams was a great tool to help us at least get a little bit of face time with staff and clients, whilst no substitute for being in the office or out for a meal as a team, it at least helped keep us all in touch with what was going on and made for some amusing ‘virtual socials’.
What are your thoughts on cybersecurity systems specifically tailored to one’s business? Is it something each organization should invest in or is it only relevant for large enterprises?
All businesses, regardless of their size, need to be investing in suitable cybersecurity solutions, unfortunately, breaches aren’t really an if, they’ve become a when – just look at the recent headaches ProxyLogon or Log4J caused for IT admins. If a company can align themselves to a suitable IT security framework alongside implementing cybersecurity solutions, it will go a long way in ensuring they’ve covered as many bases as possible.
I don’t believe there’s a one-size-fits-all solution when it comes to cybersecurity, every business is going to be in a different place on their journey towards better IT security. Whilst larger enterprises may often be seen as a more lucrative target to attack, it’s the SMEs that are seeing the highest increase in breaches as they aren’t always as far along in their journey as an enterprise would be. It’s causing a lot of the SME market to play catchup, but that’s a good thing – as awareness is increasing and it has been driving better conversations around cybersecurity and what options exist for SMEs to help better protect their business and gain insights into what threats they’re facing.
Since many companies have rapidly started to adopt cloud solutions as a way to enhance security, do you think there are any details that could be overlooked in the process?
There are a lot of companies out there that won’t have cybersecurity knowledge in-house or adequate cybersecurity abilities from their IT provider, so they aren’t always getting the bigger picture guidance on adopting cloud solutions – this causes many of the associated risks to be overlooked. I think cloud solutions can often, and falsely, be perceived as a way of removing a company’s own responsibilities for their IT security as they feel it becomes the responsibility of the cloud provider. This couldn’t be further from the truth, cloud solutions can definitely help enhance and improve a company’s security posture, but cloud solutions come with their own set of risks and security concerns. Through adoption of cloud solutions, productivity is often the immediate focus, where security tends to be an afterthought – or worse, not even considered until malicious activity has occurred.
One example that often gets overlooked is identity management and auditing. With companies adopting so many different cloud solutions, they’re rarely centralizing user account management and logging. This can lead to a number of blind spots within the organization where threats regarding legacy accounts, poor password management, and increased likelihood of data leaks are a real concern. Fortunately, solutions are out there, Microsoft’s Azure AD and Microsoft Sentinel are relatively low-cost and widely supported options that can really help fix these sorts of multi-cloud solution weaknesses.
In your opinion, what IT and cybersecurity solutions should new businesses focus on?
Focusing on a suitable IT Security framework and finding a reputable MSP who’s going to be a good fit for your company, I think, is the best starting point for any new business. Cyber Essentials, as an example, is a framework here in the UK covering five basic security controls around firewalls, secure configurations, user access control, malware protection, and patch management. We’ve seen it really help a number of our clients, even well-established companies, gain a better awareness of good cybersecurity practices, which in turn has helped decisions on required solutions. As a new business, why reinvent the wheel? Fortunately, frameworks like this exist to help give guidance on some well-established best practices that can aid in right-now requirements vs future nice-to-haves.
As a new business, it’s also unlikely that there are suitable IT and cybersecurity resources internally, so with so many challenges already being faced just trying to get the company up and running, I think it’s important to bring onboard IT experts that can help understand your needs as a growing business, advise on best practices, and then offer relevant solutions that can be implemented correctly given available budgets.
If in doubt, MFA! We see a lot of new businesses being able to make full use of cloud solutions, but often miss the first and most crucial protective option – Multi-Factor Authentication.
And for casual Internet users, what personal security tools do you see becoming commonplace in the next few years?
With all the breaches and data leaks now making mainstream news, I think user awareness around cybersecurity topics is on the rise, which is a good thing. This is also where I see an increasing number of people facing concerns on how they should be protecting their personal data, especially those that may have already been victims of ransomware or account takeovers and identity theft.
My ‘go-to’ tools that I think will start to become commonplace for personal security over the next few years are reputable cross-platform password managers, VPN, and DNS privacy services, and an increase in not only the number of sites and services offering MFA but users who enable it.
We all use so many online platforms now that having the same one or two passwords for everything is incredibly dangerous. Password managers are such a powerful tool when used correctly, good password managers are now including several features to help report on weak passwords, password reuse, dark web leaks, and can aid in storing other sensitive information types securely for easy on the go reference. VPN and DNS services are another great tool to aid in Internet privacy and online security, especially DNS filtering for families that may want simple ways to help filter out certain web nasties and content for their children. Ultimately, MFA is one of the best tools that I think casual Internet users can employ as it makes account takeover so much harder should any personal details ever end up leaked online.
What does the future hold for Sedcom?
We’re not one to rest on our laurels, we’ve got such a great team of people that continue to contribute so much of their efforts into improving themselves and the business, it’s why we are where we are today. We’re always looking to keep ourselves informed about what’s going on within our industry and see what vendors, services, and solutions are going to be names that we can trust to a) use them ourselves, and b) recommend them to our clients. At the minute, we’re focused on sustainable growth across all parts of the business, always ensuring we keep a personal touch for our clients given the relationships we’ve built over the years. We’re certainly excited to see what the future brings, especially around our growth within the cybersecurity space.