It seems every day this month there was either an announcement about a security hack or another note about the NSA spying. Although most people think "It won't happen to me", with the constant news, even the most ignorant, I mean, confident person would have to start to worry. Factor in that many breaches aren't detected for months.

So do you start selling managed security based on FUD?

Who do you partner with? Your favorite CLEC or a security firm?

How much liability do you have? If you sell managed security and your client gets hacked, what is the backlash on you? These are just a few questions that I have been contemplating lately.

On FUD (fear, uncertainty and doubt), security can only be sold that way. I am not heavy handed but just mentioning the big breaches - Target, Anthem, Home Depot, the federal government - would give anyone pause. It isn't a matter of if, but when will you be hacked. And will you know?

Some CLECs outsource security. Netwolves is partnered with IBM and Palo Alto Networks. Telepacific partners with Perimeter E-Security, now part of SilverSky. Quite a few providers use SilverSky. So take a deep dive into the security products to see who the partner is. (And, yes, I realize that a known quantity like IBM doesn't mean foolproof, but no one ever got fired for buying IBM).

Liability I will leave up to the lawyers. However, I have had Business Liability from the Hartford for over ten years. I will be getting a review of it this year to be certain that I am covered for all of the new things that I do, but it isn't expensive (less than a grand per year).

Now if you sell managed security and the client gets hacked, be proactive. You sell networks that have outages and data centers that have down time. Know what recourse the client has.

Do you have locks on the door? Why? Anyone can pop the lock or smash a window. Same with security.

An unprotected computer will be hacked in minutes when connected to the Internet. Start simple. Give out a computer security policy to your customers, include these types of things:

• Updating O/S and applications is a vital step in security.
• Changing passwords every 90 days.
• Running and updating anti-virus.
• Lock down the wireless AP.
• Employees shouldn't give passwords out over the phone or email.

Start there and work your way up to managed router, then firewall, then IDS (intrusion detection).

SIDE NOTE:

The healthcare system is under HIPAA/HITECH rules that mistakenly employees of that system think only pertain to electronic records, yet paper records fall under the same rules. The carelessness of ePHI makes for a fun read.

• Files on a thumbdrive left in a car.
• Records being thrown in the trash (not shredded first).
• How secure is the physician's phone?
• Is the doctor getting texts, pictures, voicemail with ePHI (electronic protected health info) on their cellphone?

These are just conversation starters if you have healthcare clients. You don't have to be the HIPAA expert - leverage a partner.