Security guidelines for professional services firms

When it comes to security, professional services companies often have tight IT budgets, an ever-increasing amount of content, and a lack of dedicated security personnel. Protecting data at services firms may require combining technology and services to get the job done. This article offers some guidelines to help.

In Summary:

Midsize professional service firms must understand their top security drivers.

They need to investigate managed services to help maintain a secure environment.

They also must take advantage of low-cost security improvements, and conduct in-depth research before purchasing products or services.

Coping with limited IT resources is nothing new for professional services firms, which include law firms, advertising agencies, and construction and consulting firms, among other services businesses.

From a security perspective, such firms increasingly have to address the budget and security issues associated with supporting both onsite and mobile users. The steps below can help your firm address this challenge.

1. Determine the business-critical needs of your organization

Before you devise a security strategy, consider the leading issues for growing your business and taking care of customers in your industry or sector.

In the case of law firms, client confidentiality is all-important, so you should spare no effort in protecting data access and privacy. Law firms, which often have high mobility requirements, should look at robust access control and audit capabilities, according to Gartner Inc. research vice president Greg Young. Implementing these technologies means that only authorized personnel can access corporate data and make network changes, such as adding software or new users.

John Green is CIO of Baker Donelson, a Memphis, Tenn.-based law firm with 1,000 employees. Laptop PC security is a leading issue for Green, who is looking for ways to bolster protection, including adding encryption capabilities. As well, he is interested in the upcoming Windows Vista release, noting: "I look forward to evaluating Vista, which has built-in security enhancements over XP, including the ability to encrypt the hard drive. That's one of my priorities." Baker Donelson currently encrypts e-mail for select clients.

The security challenges at ad agencies, on the other hand, require managing large volumes of graphics-intensive files, and working with remote employees who often resist what they view as security intrusions on their workflow. According to Kevin Beaver, founder and principal consultant with the Atlanta-based security consulting firm, Principle Logic, these creative types can enjoy the benefits of secure remote communications without technical hassles by using the virtual private network (VPN) capabilities embedded in most firewalls. "I think it's more than enough," Beaver says of the embedded technology. "Is it un-hackable? No, but nothing is 100 percent secure."

2. Evaluate outsourcing

When it comes to midsize construction firms, their most sensitive data is typically found in payroll systems, says Russell Morgan, founder and president of Information Technology Solution Providers Alliance, which serves small and midsize businesses. As a result, more and more construction firms have turned to outsourced payroll solutions. It requires a leap of faith for companies to trust mission-critical data to a third party, Russell says, although you can easily build assurances into your contract. "In almost all situations, managed services firms are bonded and willing to sign contracts in terms of service level agreements and performance characteristics," he adds.

Midsize professional services firms are increasingly enjoying the benefits of third-party security services because they offload complex IT security requirements to experts. Managed services providers are now catering specifically to the needs of midsize businesses in response to growing marketplace demand. Although there are different levels of security outsourcing, the most common packages include monitoring, firewall configuration, and intrusion detection and prevention systems.

It's not easy to do a direct cost comparison between outsourcing security and managing it in-house. Managed services organizations typically charge per monitored device, such as a firewall or gateway, which is a different pricing scheme than paying a full-time employee, Young explains. Fortunately, outsourcing costs for security are now becoming more standard, which means a better deal for midsize companies. As an example, the charge for monitoring a single firewall is now commonly below US $1,000 per month, Young notes.

Despite these advances, however, IT departments should still closely evaluate managed services firms by getting references from other companies in their industry. Based on that research, IT should insist on stringent contracts that satisfy service-level and business requirements. Be sure to research your performance requirements thoroughly: there is a distinct difference between 95 percent and 98 percent uptime, and you may even require the highest level (typically 99.9 percent).

3. Concentrate on cost-efficiency

Before you purchase any technology or sign a service contract, consider tasks which will cost your organization little or no money, such as making sure your PCs are in secure configurations, and seeking out free versions of anti-spyware solutions (such as Windows Defender). Despite the cost-efficient advantages of enhanced security technology, your best return on investment for enhanced security is the money it will save your firm in disaster management if a harmful breach occurs. If client data is exposed, for instance, you will need to consider how hard it will be to recover from such a public-relations stumble. The best way to get a bigger security budget, experts say, is to squeeze the most out of your existing security dollars. This means assessing current security systems and ensuring that they are working at peak efficiency.

Related Microsoft solutions

Access control and auditing capabilities are available in the Windows Security Auditing application found in Windows Server 2003. For those firms looking for even stronger security, consider an integrated client and server security system, such as Microsoft Forefront. In terms of VPN solutions, Windows Server 2003 can be configured as a VPN remote access server.

Bruce Hoard is a freelance writer based in Bangor, Maine. His work has appeared in Computerworld, Forbes Magazine and The Wall Street Journal.