Are you using WhatsApp for business communications? 2021 is the year to stop

Should you be using WhatsApp for business communication?

While WhatsApp is a consumer-grade application, many people are using it for business purposes. It’s free and easy to use – most people are probably already using it – so it seems like the ideal communication tool, particularly now that many employees are working remotely.

But is WhatsApp really suitable for business communication? 

Privacy Policy Updates

WhatsApp was acquired by Facebook in 2014. At the time, WhatsApp co-founder and CEO Jan Koum stressed how deeply he valued the ‘principle of private communication’. However, just two years later, in 2016, the two companies announced they would be ‘coordinating more’ – but did give users the option to opt out of sharing their personal data with Facebook.

This time around, there is no opt-out. 

Users who want to continue using WhatsApp after May 15th 2021 have to agree to the updates made to its terms and privacy policy. This means being prepared to share personal information such as names, profile pictures, status updates, phone numbers, contact lists and IP addresses, as well as data about their mobile device, with Facebook and its wider group of companies. Users who don’t accept the new terms will be blocked from using the app. The new policy, which applies to all users outside Facebook’s European Region (a region that includes the UK), also means that simply deleting the app from the device will not prevent WhatsApp from retaining a user’s private data.

Since the privacy policy changes were announced, WhatsApp has said that it will not share personal data from people who previously opted out of sharing their information with Facebook. According to The Register, this setting will apparently be honoured going forward from next month, even if you agree to the new policy. For all other users, though, there is no opt-out.

A WhatsApp spokesperson also said this update ‘primarily centres around sending messages to businesses to get answers and support’, claiming there will be no change in data-sharing for non-business chats and account information. However, there has been much criticism and concern about the update online.  

Update: 12th May 2021

Originally, WhatsApp planned to roll out its privacy policy update on February 8th 2021. However, due to huge public backlash and confusion, it opted to delay until mid-May. Through a series of updates, WhatsApp attempted to clarify its position, reiterating that the update is mainly meant for businesses using its messaging platform and stating that the change would not impact “how people communicate with friends or family” on the platform. The company also specified in a blog post that it would continue to provide end-to-end encryption for private messages, and that it does not keep logs of its users’ messaging and calling.

However, despite the clarification around data sharing, there are still plenty of reasons why businesses should stop using WhatsApp for business-related communication.

GDPR Compliance and Liability

WhatsApp makes it abundantly clear that the app is designed for personal use in their Terms of Service. 

“Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: … or (f) involve any non-personal use of our Services unless otherwise authorized by us.” 

After installing WhatsApp on your device, you’ll receive a pop-up asking for permission for the app to access your contacts. It asks you to ‘Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience’. Agreeing to this means that all your phone contacts are uploaded and accessible in the app. The problem is, it doesn’t distinguish between personal contacts and business ones. Your contacts haven’t given permission for a third party to process their personal data, which could be a breach of GDPR.

WhatsApp has been clear that the app is for personal use. Users must agree to these terms and conditions before they can access the service and before WhatsApp can access their contacts. Therefore, the responsibility for GDPR compliance lies with the user, not the app.

Individuals who use WhatsApp for any business communications are in breach of the terms of service. This limits WhatsApp’s liability under GDPR, because it has placed the responsibility for seeking the permission of their contacts entirely on the user.

Security Risks of WhatsApp

Using WhatsApp for business communications is fraught with security risks too. While the app famously boasts security thanks to its end-to-end encryption, there have been plenty of reported hacks and flaws.

Just last October, security researchers revealed that invite links to thousands of WhatsApp group chats were accessible online. Although there was a quiet change to stop the links from being indexed by Google, the information was still readily available on other search engines. A group’s title, image, description and the owner’s phone number were all readily accessible; you didn’t even need to actively join the group.

WhatsApp communications are also notoriously difficult for companies to monitor. It may be possible if they are taking place on a corporate-owned device, but even then there are multiple hoops to jump through. Companies could require the employee to surrender the device, but to access the content itself there would need to be an IT policy that names WhatsApp as an acceptable communication channel for business purposes. However, such a policy would itself be in breach of WhatsApp’s acceptable use policy. The IT policy should be crystal clear about the firm’s right to access and for what purposes (ensuring these are proportionate), so that the employee has no expectation of privacy.

Things get even more complex if the employee owns the device and WhatsApp has been installed outside of a mobile device management (MDM) container deployed as part of a BYOD policy. The same policy that applies to the corporate-owned device could be extended to employee-owned ones as well. However, given that the device is owned by the employee and used predominantly for personal purposes, it is doubtful whether a forced surrender and access could be seen as legally proportionate.

If there’s no BYOD policy in place, access is near impossible. On a personal device, the employee would have much higher expectations of privacy and there would need to be an extremely compelling reason, akin to a criminal offence, for an employer to try to obtain access.

What should you use instead of WhatsApp?

While you could write WhatsApp into your IT policies as an acceptable communication channel for business communications, you would knowingly be in breach of the app’s acceptable usage policy.  

Plus, even with that in place, there is still a myriad of security, privacy, monitoring and accessibility concerns linked to business use of the app. That’s before you even begin to factor in cultural problems potentially caused by the informal nature of the app. Employees could post personal messages to work chats by mistake, accidentally share their live location, or information could get lost between multiple group chats.

Instead, it’s much better to opt for a business-grade secure communication solution. Many of these solutions function in the same way as consumer-grade apps, giving users a familiar interface so they can get started immediately, but with much stronger security. Solutions are available across multiple devices and will protect your voice, video and text data in transit and at rest, preventing accidental leakage or malicious attack.  

Join the Business & IT Leaders Forum

Do you want to receive more content like this? Then join our Business & IT Leaders Community. Not only will you receive our monthly briefing with more business improvement tips and advice, but you’ll also get exclusive access to virtual events designed for leaders who want to make strategic improvements and get ahead of the competition. 



What does a Chief Information Officer (CIO) do?

IT strategy - What does a CIO do to help your business?

What is a Chief Information Officer?

A Chief Information Officer (CIO) is usually the most senior member of a company’s IT team. The CIO handles the corporate IT strategy and determines areas for improvement in IT systems and processes.

While in most cases the CIO reports to the Chief Executive Officer (CEO), it’s also common for a CIO to report to the Chief Financial Officer (CFO) or Chief Operating Officer (COO) instead.

The title of CIO is often interchanged with ‘IT Director’. Unfortunately, IT Director is also the name of a separate role. If a company has both a CIO and IT Director, the IT Director likely focuses on the day-to-day IT operations and reports to the CIO, who focuses on the long-term strategy and major IT projects.

What does a Chief Information Officer do?

1. Evaluates new technology

A CIO’s main responsibility is to be aware of emerging technologies and to determine how (or if) they can be of benefit to the business. For example, a CIO might look at how to utilise AI, blockchain or the Internet of Things (IoT), looking for the competitive advantage and/or financial benefit it could deliver for the business.

A good CIO can see past the hype of new technologies and takes a level-headed approach when determining a business case. This makes an understanding of business, as well as technical IT knowledge, necessary.

2. Manages the IT strategy

The CIO is also responsible for the creation of a business’s IT strategy. This includes infrastructure refreshes, upgrades to hardware and integrating new systems into the business’ operations. The mark of a good CIO in this area is their ability to align the IT strategy with the wider business strategy.

Thanks to being in regular contact with the CEO, the CIO will be able to communicate the needs of the IT department to the C-suite and the needs of the wider business back to the IT teams. This enables both the business and IT strategy to work in unison, rather than against each other.

3. Oversees IT projects

When the business is undertaking a major IT project, it’s usually the CIO who manages the implementation strategy. They’re also often the one who signs off the decided solution and who is accountable for the actual implementation.

For example, if the project is selecting a new line-of-business application, the CIO’s knowledge and experience of technology, operations and commercial matters are important to get the right business-enhancing solution.

How can I get a CIO?

The process of hiring a CIO can be a daunting prospect for any business, and it’s particularly difficult for a growing business. A full-time CIO’s salary ranges from £70,000 to over £240,000, so procuring the funds, or providing the right environment to attract and keep a candidate with the required knowledge of both IT and business plus several proven years of experience in similar sectors, can be challenging.

The advantages of an outsourced CIO

For businesses in this situation, an alternative is to outsource the CIO function. This approach has a few notable advantages over hiring an in-house CIO.

  • It’s less expensive, as you usually only pay for the time when you use their services rather than a salary.
  • It can be easier and much less expensive to switch who fulfils the CIO function when you outsource. It’s also usually possible to switch to another CIO within the same service, without changing your outsourcing provider, if the problems were the result of a poor culture fit. This saves the hassle of beginning a CIO search again and eliminates the resulting HR issues.
  • You can hire individual CIOs from many providers for specialist projects, so you don’t rely on a single individual having every skill required for every project you want to undertake.
  • An outsourcing provider offering a CIO service often has many CIOs who can work together or combine their knowledge to provide you with a solution, essentially giving you the expertise of multiple CIOs for the price of one.

There are some disadvantages to consider, such as only having part-time availability. But, since the CIO role is strategic, they’re not typically required at the drop of a hat. So it’s unlikely to have a significant impact.

For a growing business, the benefits of outsourcing the CIO function far outweigh the negatives. It’s an effective way of gaining an expert to assist with the IT side of the business, without the traditional costs and HR headaches.

The Cloud Migration Guide – Part 1: What is a cloud migration?

Cloud - What is a cloud migration?

A cloud migration is the process of moving files, software, desktops or infrastructure to a cloud-hosted environment. Cloud migrations are often undertaken by businesses that are seeking to expand beyond their current hardware, storage or space limits. Alternatively, a cloud migration may be the first step in a digital transformation for the business, opening up the ability to undertake new IT projects which may not have been feasible before.

What types of cloud migration are there?

Cloud migrations will typically fall into one of the following categories:

  • Migrating from physical infrastructure to cloud infrastructure
  • Migrating from one cloud platform to another platform from a different supplier

However, we can break these down into further subcategories:

Lift-and-Shift

In-house applications are replicated in the cloud without redesign. This is typically the fastest method for migrating applications and the one which causes the least disruption. However, without a redesign, the migrated applications may not be taking full advantage of the speed, scalability and versatility the cloud offers. This is sometimes known as a “forklift approach” or “rehosting”.

Software as a Service (SaaS) migration

Some applications are moved to the cloud whilst others remain on-premise. Email and payroll are two functions often moved to a SaaS solution as it reduces hardware requirements and maintenance costs.

Replatforming

A small amount of modification is made while moving applications to the cloud, allowing them to take greater advantage of cloud architecture. While slightly slower than lift-and-shift, this method allows businesses to take better advantage of cloud functionality without draining their resources.

Application Modernisation

Instead of moving the application, it is remade (known as refactoring) to be optimised for a cloud environment. The result is a refactored application that fully utilises every benefit cloud architecture has to offer. This approach is particularly beneficial for the migration of legacy applications but it takes far longer than any of the other methods.

Choosing which type of migration is best suited for your business is a strategic decision. And to get optimal results, you need to consider your migration goals, your timescale and the importance of the application itself.

How can a cloud migration help?

Depending on your specific business goals, a cloud migration helps you in a range of different ways.

  • If you’re aiming to reduce the upfront costs of IT infrastructure then transferring your backups, disaster recovery and general file storage over to the cloud is an advisable course of action.
  • To get increased workstation performance you should consider hosted desktop or if you want all-round performance increases then you should look at cloud hosting for your servers.
  • For streamlined business processes and increased efficiency, you could migrate to cloud-based Office 365.

How can businesses move to the cloud?

Migrating to the cloud is not a singular activity and there are many ways your business can do it. It can be done with Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Below are some examples of ways you can migrate to the cloud.

1. Office 365 migration

Migrating from the old, perpetual-licence versions of the Office suite to a cloud-based Office 365 subscription can lead to a range of business efficiency improvements.

Not only is the software regularly updated with additional security and bug fixes, but new features are often added, and performance increases are made. This further boosts the efficiency of the programs and can increase productivity and collaboration.

Because Office 365 can save files in the cloud, this also lets you access your important documents from anywhere with an Internet connection on any device that has the relevant app installed. This allows for a much more agile approach to work as you can access the files you need, wherever you are.

2. Backup as a service

Migrating to the cloud enables more than performance upgrades. It can also offer security and resiliency improvements such as Backup as a Service (BaaS).

Also known as cloud backup or online backup, BaaS is a method of offsite data storage where a third party regularly backs up files, folders or hard drives to a secure cloud-based repository. This protects the data and enables it to be restored should it be lost, damaged or destroyed.

Businesses using Software as a Service (SaaS) applications are common users of BaaS, as SaaS vendors’ backup policies often don’t guarantee the swift and complete restoration of lost data that BaaS does.

With BaaS it’s also possible to take live backups. Instead of taking backups every night or every week (you should really be backing up at least once every day), a backup can be made every time a file is saved or changed. This means that instead of losing a whole day’s work, only a few minutes’ worth, or potentially no data, is lost.

Furthermore, migrating your backup to the cloud removes the worry of rotating and managing tapes or hard disks and ensuring they are taken offsite at regular intervals.


3. Hosted desktop

Hosted Desktop is a relatively old use of cloud technologies – but is still popular. Having hosted desktops means that rather than the workstation located in the business office doing the processing, a copy of the workstation hosted in the cloud does it instead. Mouse clicks and key presses are transmitted to the hosted machine and a live feed of the screen is sent back to the physical machine to be displayed.

By migrating desktops to the cloud, businesses can increase the performance whilst simultaneously decreasing the cost of hardware.

This has the benefit of reducing the overall processing power required for each individual workstation (and thus the price of the workstation) as the cloud hardware (which has superior performance to the workstation hardware) is doing all the processing already.

Hosted desktop also means that you can access the hosted machine from nearly anywhere. If the machine you are using has the software that allows you to connect to the hosted machine, you can work on the go and access the files stored on the hosted machine from anywhere.


4. Disaster recovery as a service

DRaaS is where a copy of the core server infrastructure, including critical data and applications, is hosted in the cloud. In the event of an emergency where the IT environment is down, i.e. through hardware failure, natural disaster, or cyber-attack, everything can switch over to the hosted version and the business can continue as normal with minimal downtime.

Compared to legacy disaster recovery systems, DRaaS is significantly easier, less expensive and more accessible for businesses. It also doesn’t accrue the costs of having duplicate hardware constantly running in case of an outage.

The failover process can additionally be set up to occur automatically, letting access be restored in minutes. This significantly reduces downtime and avoids the crippling financial losses caused by an outage.

Why should I undertake a cloud migration?

Moving to the cloud allows you to experience a range of benefits. Reduced infrastructure costs, increased performance, scalable storage and improved cyber-security are just a few examples.

Part 2 of the Cloud Migration Guide looks at the rewards of a cloud migration along with the potential risks and how to mitigate them. Read part 2 here.

FAQ: What is patch management and why is it important?

IT security - What is patch management and how does it help your business?

Patches are the name for software changes which are designed to update, fix or improve that software’s functionality. Patches are deployed for various reasons including fixing security vulnerabilities and bugs, improving the user experience or increasing performance.

What is patch management?

Patch management is the process of identifying, obtaining, testing and deploying software patches to every node on the corporate network, usually through an automated update process. This includes endpoints in physically inaccessible locations such as remote laptops and mobile devices.

Deploying patch management means that staff will not need to manually check for and deploy software patches, which is typically an exhausting, time-consuming task – except for the very smallest of businesses.

How does patch management work?

There are different methods of patch deployment and they vary depending on the infrastructure design for each company information system.

Most companies with large infrastructures implement automated patch management systems which reduce the manpower requirements of manual implementation. Other companies will outsource this function to a trusted third party. Often, if your IT support is fully outsourced, patch management will be included as part of this service.

An automated patch management system requires the installation of a client agent. This enables network administrators to manage patch distribution from a centralised interface. They can configure the settings for patch distribution, generate reports on the status of patches and set distribution at different levels to cover different applications and devices.

Why is patch management important?

New vulnerabilities are discovered every day, and unpatched systems are one of the easier attack vectors for cyber-criminals to take advantage of. Vendors continually release new patches as vulnerabilities are uncovered by researchers and attackers, and if your business does not apply these updates then cyber-criminals have an easy entry point into your network.

Furthermore, patch management also ensures that your enterprise technology continues to function as it should. Software bugs, even minor ones, can cause headaches and impact employee productivity so automatic patching ensures that these problems can be resolved as soon as possible.

What are the benefits of patch management?

Patch management ensures that all pieces of software – even those which are rarely used – remain up to date, ensuring that they don’t introduce major security holes within your business.

Automatically deploying updates also frees up a vast amount of time, allowing staff to focus on more productive areas of the business. Rather than checking through update lists, they can work on getting the most business benefit from the IT systems or looking into ways to further modernise the systems through digital transformation. Furthermore, if you have staff working remotely or from mobile devices, patch management ensures that these devices remain up to date regardless of location.

What are the consequences of not deploying patch management?

On average, around 50 new vulnerabilities are published each day, the majority of which are addressed by patches. While patch management is not a cast-iron guarantee against every potential vulnerability out there (or which may arise in the future), it is a preventative measure that protects the integrity and security of your network infrastructure and information systems.

However, it’s clear that many are still not implementing security patches. This can be seen by the fact that one of the most widely exploited vulnerabilities for years afterwards was a remote code execution flaw in the way Windows Shell handles shortcut (.LNK) files, known as CVE-2010-2568, which Microsoft patched in 2010.

If a vulnerability does arise, having a solid patch management system in place means that the network is being constantly monitored for missing updates. This is especially important when it comes to a “zero-day”: a vulnerability that is being exploited before the vendor has produced a patch. Patch management cannot stop the initial exploitation, since there is nothing to apply yet, but it ensures the fix is rolled out everywhere as soon as the vendor releases it, closing the window of exposure.

How can you ensure your patch management is effective?

While automatic updates are beneficial, the best patch management strategy is one which balances automatic and manual updates.

Automatic updates are not a cure-all and can sometimes cause problems without proper vetting. Microsoft, in particular, has a track record of having to roll out patches to fix the bugs introduced in their patches.

The most effective way to manage patches will vary between each organisation, but there are a few key factors which apply to all:

  1. Critical security fixes should be applied as soon as possible.
  2. For all other patches, consider how often the software is used and how business-critical it is to decide how urgent the patching is.
  3. Where possible, ensure that patches are installed outside of working hours to minimise disruption to business workflows.
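As an added example, and not code from the original article or any QuoStar tooling, the following Python script puts the three rules above together with the agent-reporting model described earlier. It compares a constructed endpoint inventory (what each client agent reported to the central console) against a constructed advisory list, works out which nodes are missing a fix, and schedules each patch: critical security fixes go out immediately, everything else is assigned a deadline based on how critical and how heavily used the software is and is placed in the next nightly maintenance window. The product names, versions, severities, SLA day counts and 22:00 window are all hypothetical assumptions for illustration.

```python
"""Patch triage: compare an endpoint inventory against vendor advisories, then
schedule each missing patch by severity, business criticality and usage."""
from datetime import datetime, timedelta

# Constructed sample advisories for illustration only; product names, versions
# and severities are hypothetical and not taken from any real advisory feed.
ADVISORIES = [
    {"product": "webserver", "fixed_version": "2.4.50", "severity": "critical"},
    {"product": "office-suite", "fixed_version": "16.0.14", "severity": "high"},
    {"product": "pdf-viewer", "fixed_version": "21.7.3", "severity": "low"},
]

# What each client agent reported back to the central console (also constructed).
INVENTORY = [
    {"node": "web-01", "product": "webserver", "installed": "2.4.49",
     "business_critical": True, "daily_use": True},
    {"node": "web-01", "product": "pdf-viewer", "installed": "21.7.3",
     "business_critical": True, "daily_use": False},
    {"node": "laptop-07", "product": "office-suite", "installed": "16.0.12",
     "business_critical": False, "daily_use": True},
    {"node": "kiosk-02", "product": "pdf-viewer", "installed": "21.5.0",
     "business_critical": False, "daily_use": False},
]

WINDOW_HOUR = 22  # assumed nightly maintenance window, outside working hours


def parse_version(version):
    """'2.4.50' -> (2, 4, 50) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def pending_patches(inventory, advisories):
    """Inventory rows whose installed version is older than the advisory's fix."""
    by_product = {a["product"]: a for a in advisories}
    pending = []
    for row in inventory:
        advisory = by_product.get(row["product"])
        if advisory is None:
            continue
        if parse_version(row["installed"]) < parse_version(advisory["fixed_version"]):
            pending.append({**row, **advisory})
    return pending


def patch_sla_days(severity, business_critical, daily_use):
    """Days allowed before install (0 = as soon as possible, rule 1; rule 2 otherwise)."""
    if severity == "critical":
        return 0
    if business_critical and daily_use:
        return 7
    if business_critical or daily_use:
        return 14
    return 30


def next_window(after):
    """First nightly maintenance window at or after `after` (rule 3)."""
    window = after.replace(hour=WINDOW_HOUR, minute=0, second=0, microsecond=0)
    if window < after:
        window += timedelta(days=1)
    return window


def schedule_patches(inventory, advisories, now):
    """Build an install plan: critical fixes immediately, the rest in the next
    window, each carrying a deadline so overdue items can be reported."""
    plan = []
    for item in pending_patches(inventory, advisories):
        days = patch_sla_days(item["severity"], item["business_critical"], item["daily_use"])
        deadline = now + timedelta(days=days)
        install_at = now if days == 0 else min(next_window(now), deadline)
        plan.append({
            "node": item["node"], "product": item["product"],
            "installed": item["installed"], "fixed_version": item["fixed_version"],
            "severity": item["severity"], "install_at": install_at, "deadline": deadline,
        })
    plan.sort(key=lambda p: p["install_at"])  # stable: equal times keep inventory order
    return plan


def example_plan(now_iso="2021-05-12T14:30:00"):
    """Run the scheduler over the constructed data from a fixed point in time."""
    return schedule_patches(INVENTORY, ADVISORIES, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for p in example_plan():
        print(f"{p['install_at']:%Y-%m-%d %H:%M}  {p['node']:<10} {p['product']:<13} "
              f"{p['installed']} -> {p['fixed_version']}  "
              f"({p['severity']}, due {p['deadline']:%Y-%m-%d})")
```

In a real deployment the two constructed lists would be replaced by the agent check-ins and the vendor feed, and the non-critical patches would normally go to a pilot group first, since the deadline leaves room for the vetting mentioned above.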

The key concern for most businesses is the number of patches and the manpower required to deal with them, however, with patch management and new technologies, patches can be managed much more effectively.

Contact QuoStar today to find out more about effective patch management.

FAQ: What is Cyber Essentials?

IT security - What is Cyber Essentials and why you need Cyber Essentials

Cyber Essentials is a government-backed scheme designed to help organisations of all sizes reduce their risk of common cyber-attacks. It allows businesses to obtain one of two Cyber Essentials badges and has the support of industry organisations like the Federation of Small Businesses, the CBI and numerous insurance organisations.

What are the certification levels?

There are two levels of certification available: Cyber Essentials and Cyber Essentials Plus.


What are the requirements?

In order to become certified your IT infrastructure must meet specific requirements. These are defined by five technical controls:

  1. Firewalls – You must configure and use a firewall to protect all devices, particularly those that connect to public or other untrusted Wi-Fi networks
  2. Secure Configuration – Only use necessary software, accounts and apps
  3. User Access Control – You must control access to your data through user accounts. Only give administrative privileges to those who require them and control what an administrator can do on those accounts
  4. Malware Protection – You must implement at least one measure (e.g. Anti Malware, Whitelisting, Sandboxing) to defend against malware
  5. Patch Management – You must keep all your devices, software and apps up to date

Companies applying will also need to test all their in-scope public-facing IPs. For most companies, this will be the block of IP addresses they get from their internet service provider, but it also includes IP addresses at all in-scope locations like data centres and cloud providers.

You can exclude IP addresses from testing if you do not have control of the security configuration of the service, for example where the address belongs to the cloud provider.

Cyber Essentials Plus also includes a technical audit of in-scope systems. This covers a representative set of the workstations, mobile devices and build types in use by the organisation that an unauthorised user could potentially reach.

To determine the number of build types you must review the number of operating systems and software suites installed. For instance, if more than one browser or Office suite is used then each variant will need to be tested.

What are the benefits of Cyber Essentials?

  • Protects your organisation from approximately 80% of cyber-attacks, according to the UK government.
  • Demonstrates your commitment to security and data protection to customers and stakeholders.
  • Boosts your reputation and increases your chance of securing new business by showing you have cyber-security measures in place.
  • Cyber Essentials lets you bid for certain UK government contracts, and Cyber Essentials Plus gives you the opportunity to work with the MoD.
  • Lets you focus on your business objectives, knowing you are secure.

What are the requirements for Cyber Essentials certification?

  • Firstly, complete a self-assessment questionnaire.
  • Then, a senior company representative signs off the questionnaire.
  • An external certification body then verifies the questionnaire.
  • The external certification body undertakes an external vulnerability scan of Internet-facing networks and applications to verify that there are no known vulnerabilities present.

What are the requirements for Cyber Essentials Plus certification?

  • Firstly, complete a self-assessment questionnaire.
  • Senior company representative signs off the questionnaire.
  • Then, an external certification body verifies the questionnaire.
  • The external certification body undertakes an external vulnerability scan of Internet-facing networks and applications to verify that there are no known vulnerabilities present.
  • They will also test the security and anti-malware configuration of each device type/build. This is done using test malicious email attachments and web-downloadable binaries, and includes an on-site assessment.

How to get Cyber Essentials certified

QuoStar offers a Cyber Essentials consultancy service for organisations that require additional guidance. Our service includes Gap Analysis, technical support and guidance to implement the required controls, practical advice to ensure ongoing security and guaranteed certification. Please click here for more information on our Cyber Essentials consultancy service.

Which type of IT support is best for my business?

IT outsourcing - Which type of IT outsourcing is best for your business?

One of the easiest ways for companies to gain other business efficiencies is to outsource part, or all, of their IT to a managed services provider.

There are many options available and in today’s blog, we will discuss what each one will typically include.

While the exact names may vary dependent on the provider, the following models represent the typical services offered.

Remote Managed Services

In this model, all or part of your hardware, software, infrastructure, networking and communications is managed remotely by a third party. The IT service provider will monitor, maintain and support your devices from their location. Some of the most common remote services include 24/7 support, infrastructure management, security management, proactive maintenance and operating system administration. It’s feasible for many businesses to be managed this way on a day-to-day basis. In essence, it’s often referred to as “keeping the lights on”.

Find out how you can reduce your IT spend and get a greater, measurable return from your investments.

Infrastructure Hosting

Infrastructure Hosting is also known as Infrastructure as a Service (IaaS), part of the umbrella term of “cloud services”. This model can include a turnkey IT solution on vendor infrastructure or can use your existing infrastructure in a third-party data centre. Typical services provided as part of this model include 24/7 support, infrastructure management, security management, applications hosting, operating system administration and disaster recovery.

Application Managed Services

This model is typically an addition to Remote Managed Services or Infrastructure Hosting, rather than provided as a stand-alone service offering. An IT Service provider will manage specific line-of-business applications through your application layer, from relatively simple applications and systems such as Active Directory through to complex applications such as ERP systems and business intelligence.

Fully Managed Services

With this model, you will outsource all of your business’ IT functions to a provider. However, not all providers are equal. A traditional managed service provider will focus on break/fix support, only delivering standard elements such as helpdesk, account management, products and resold services. While these services “keep the lights on” they do not really enhance your business.

In order to receive a return on fully managed IT services, you need to find a provider who works in partnership with you, working proactively as part of your own team to enhance your environment and focusing on vision and strategy to ensure IT aligns with and supports the achievement of your overall business goals. It’s basically about measuring and improving operations through the intelligent application of technology, process and systems.

Cloud Services

Cloud services are now a primary way for businesses to gain enterprise-class IT systems without the traditional costs which used to come with running them on hardware sat in an office: CapEx, high-end internal IT support, security, networking, energy, updates and so on. The cloud services available now are, in the main, reliable, secure and robust. It’s all about choosing the right model to fit the business. It’s common to have a mix of both in-house and cloud services, a hybrid infrastructure, and this is typically where the operational advantage lies. A cloud-only solution is still unusual for all but the smallest and simplest businesses.

Obviously, these are just examples of options. True value is returned to a business through detailed analysis and review, to truly understand which options best suit the business where it is now and where it will be in the future.


What is Security as a Service?


Security as a service (SECaaS) is the outsourced management of business security to a third-party contractor. While a cyber-security subscription may seem odd, it’s not much different from paying for your anti-virus license. The difference is that SECaaS is the combination of a lot of security products wrapped up into one more central service.

The range of security services provided is vast and goes down to a granular level. Examples range from simple spam filtering for email, all the way through to cloud-hosted anti-virus, remote automated vulnerability scanning, managed backups, cloud-based DR and business continuity systems and cloud-based MFA systems.

The services are either delivered directly from the vendor where the reseller takes a commission or they are delivered from specialist firms who have the in-house skills capable of building, integrating and managing specialist security services for their customers.

Just a note here: you may have heard of SaaS (software as a service). This is different to SECaaS.

1. Is SECaaS dangerous?

Putting your security in the hands of another business may seem like a big risk. And if done incorrectly, it’s almost guaranteed to have a less than ideal outcome. But businesses have had success with SECaaS and there’s no reason you can’t either.

The most likely cause for an issue is choosing a supplier based solely on price. A business offering SECaaS that’s been around for a few years and has a range of clients but charges £50 per user per month is going to be very different from the business that offers “cloud-based security” for £10.99 per user per month.

Do not instantly go for the cheapest option when considering SECaaS.

Sure, you might be paying nearly 5 times as much. But if your SECaaS provider has the lowest price on the market they’re skimping on something. And if there’s one thing you don’t want to skimp on, it’s your cyber-security.

2. What are the advantages of SECaaS?

Cost-saving

Despite what was just said about avoiding cost-cutting when it comes to cyber-security, one of the main draws of SECaaS is the long term price savings it can have. Because you don’t actually own the infrastructure, you don’t need to pay for its floorspace or for its upkeep (prices which can fluctuate based on external factors). Instead, you only pay a flat rate that is unlikely to change.

Fully managed

Your provider is the person keeping up to date with the changing threat environment, not you. That means that you can focus more on your own business goals instead of diverting time towards understanding the various threats out there and ensuring that your defences deal with them.

Greater expertise

A good SECaaS provider is going to consist of people who know everything there is to know about cyber-security and regularly keep up with trends and changes in that area. As a result, they’ll have a much greater range of expertise which you can utilise to keep your business safe. This also lets you keep your core employee focus on your own sector rather than branching out and getting a dedicated cyber-security expert.

Frees up time from repetitive tasks

Time-consuming admin tasks that need to be done can be performed by your SECaaS provider instead. This can be things like reading system logs or monitoring the overall network status.

3. What are the disadvantages of SECaaS?

Reliant on the SECaaS provider’s own security

This is the main reason that you should be choosing a high-end SECaaS provider.

Because SECaaS providers are the holders of a lot of data, they (and, by extension, you) become lucrative targets for cyber-criminals. If they are breached then you are breached, so ensuring they have made big investments into their security is paramount.

To make sure that your chosen provider is continually investing in their security, be sure to keep in regular contact with them. Ask questions about what they are doing to address the latest types of exploit or flaw and dig deep into the specifics of what type of security they have in place on their own systems. Is it minimal or is it high-grade and comprehensive?

Whilst in the decision stage you should also be asking each provider exactly what kind of security they have in place and what their policy is around topics like staff training. If they can’t prove that they are taking their own security seriously, you can bet that they won’t be taking yours seriously either.

Increases vulnerability to large scale attacks

The uniform security measures SECaaS providers apply across multiple clients allow them to keep up a comprehensive level of security. But it also means that if a vulnerability is found in the setup of another business that uses the same SECaaS provider as you, then that same vulnerability can be used against your security.

Because one vulnerability opens up so many potential victims, probing the security of the SECaaS provider is much more rewarding for cyber-criminals. This means they put in a more concerted effort towards breaching the SECaaS provider’s security, which can inadvertently make you a prime target for cyber-attacks.

Be aware though, as a business (even a 2-10 employee one) you’re already a prime target for cyber-attacks. If done properly, the perceived increased danger of choosing SECaaS can be made negligible, especially when compared to the increased overall security you would receive from a high-quality SECaaS provider.

4. Why is SECaaS being offered more often?

Security providers are becoming aware that, with the rise of small businesses, there’s a growing market for security services that don’t need expensive internal employees or risky infrastructure investments.

Many growing businesses also don’t have the up-front funds to develop a hardware heavy security system. Therefore, they find a monthly plan to be much more manageable for their finances. For example, implementation of two-factor authentication and disaster recovery may have cost £100K five years ago. But SECaaS can deliver the same project on a £1,000 budget with no CapEx.

Because of the flexible nature of SECaaS, many of the decisions can now be addressed head-on. There is no longer the same level of risk surrounding topics like setting up security infrastructure, and businesses can switch SECaaS providers more easily. This ‘de-risking’ of cyber-security has made the SECaaS market ideal for businesses who want to avoid making a bad decision.

Finally, with the rise of the cloud and increased internet speeds, services offered over the internet are now on a par with in-house solutions. This has meant that cyber-security offered as a service is now very feasible and genuinely useful.

Conclusion

So, you may now be asking yourself if you should consider SECaaS for your business. Unfortunately, there’s no comprehensive answer. If you want to improve your security without draining your budget, then it’s worth reviewing. But if you already have a fairly comprehensive security setup in place, it may be better to ensure that it actually is as comprehensive as you think it to be and then stick with what you have, upgrading and maintaining it as you already do. Alternatively, you could look into a UTM system for your business if you’re uncomfortable with SECaaS but want to make your security more comprehensive.

FAQ: What are DDoS attacks?

IT security - What you need to know about DDoS attacks

What is a DDoS attack?

Distributed Denial of Service (DDoS) attacks are a form of cyberattack that aims to disrupt access to a service (such as a website) in order to extort the owner or to serve as a distraction whilst another attack occurs. DDoS attacks are usually driven by a botnet (a network of infected machines) which overwhelms the service and prevents legitimate users from accessing it.

DDoS attacks usually attempt to overwhelm services using one of two methods: either by sending a massive number of connection attempts or by using up all available bandwidth. Any business or organisation can be a target for this type of attack. In some cases, DDoS attacks can even be directed at individuals, although this is rare.

What’s the difference between a DoS attack and a DDoS attack?

The difference between these two attacks is that a DoS attack typically comes from one machine which is utilising a single connection, whereas a DDoS attack uses multiple machines and multiple connections.

What are the types of DDoS attack?

1. Bandwidth flooding

Also known as a volumetric attack, this attack involves saturating a server’s bandwidth with bogus packets to the point that legitimate users can no longer communicate with the server.

2. Resource flooding

This attack involves sending an overwhelming number of resource requests to the server or to gateway devices such as a firewall, causing CPU usage to peak. Since the CPU is being used for menial requests, genuine requests either fail to get through or are processed incredibly slowly.

3. Application-level flooding

This attack targets the software which runs on the server with the aim to flood it with so many requests that the software crashes, taking the server offline.

How can I stop DDoS attacks?

The number one question is how do we protect ourselves from these attacks or at least mitigate our risks?

Well, there are devices that companies can purchase that claim to prevent DDoS attacks such as SMB\E firewalls but these won’t help you if you are a victim of large-scale attacks.

So firstly you need to review your attack surface and mitigate risks. For example, if you run an e-commerce site, it’s probably not advisable to run it from your premises: you may find an attack on this site not only knocks out your e-commerce site but also other critical business services, such as email, remote workers and access to cloud services.

Depending on your environment, you may wish to host critical services and servers in a provider’s cloud infrastructure. Another option is to look at co-location (rented space in a data centre). Most cloud providers are going to have access to bandwidth far greater than anyone else – do check this though! Cloud hosting platforms are great for being able to scale out quickly in terms of system resources and network connections when you see high demand. Increasing the number of web servers and load-balancing traffic between them may also help you against a TCP connection-flooding attack.

Volumetric attacks on bandwidth are a lot more brutal, so how do we defend ourselves against these? Again, you can use cloud providers for your online sites so they can deal with the volume. However, even they will struggle with the scale of the attacks seen by Sony and Microsoft.

So what else can we do? Well, you can buy services from third parties who will route the attack via them and take the initial impact whilst trying to counteract the hackers, or you could have geographically separated infrastructure that sees a mirror site of your current environment which can ease the strain in an attack.
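Before any of the hosting or scrubbing options above can be used, you need to notice the flood in the first place, and the DoS/DDoS distinction drawn earlier matters for how you look for it: a single noisy source stands out in a per-IP count, whereas a botnet spreads a resource or application flood across many addresses that each look harmless. The following Python script is an added example written for this article (not code from the original post or any vendor) that runs a sliding-window detector over constructed access-log lines, flagging both a single-source flood and a distributed surge. The log format, the IP addresses and the thresholds (10-second window, 30 requests per source, 100 requests in total, 20 distinct sources) are assumptions for the demonstration and would be tuned against a real service’s baseline.

```python
"""Sliding-window request-rate detector over web-server access log lines.

Added example, not part of the original article. It separates two patterns a
defender wants to see individually:
  * one source sending far more requests than normal (DoS-style), and
  * an aggregate surge spread over many sources, each modest on its own
    (DDoS-style), which a per-IP limit alone would miss.
Log lines, addresses and thresholds below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW_SECONDS = 10          # assumed: length of the sliding window
PER_SOURCE_LIMIT = 30        # assumed: more than this from one IP per window is noisy
AGGREGATE_LIMIT = 100        # assumed: more than this in total per window is a surge
DISTINCT_SOURCE_FLOOR = 20   # assumed: a surge from this many IPs counts as distributed


def parse_line(line):
    """Parse a constructed '<ip> [<iso-timestamp>] <method> <path>' line."""
    ip, rest = line.split(" ", 1)
    ts_text, request = rest.split("] ", 1)
    return ip, datetime.fromisoformat(ts_text.lstrip("[")), request


def analyse(lines, window=WINDOW_SECONDS, per_source_limit=PER_SOURCE_LIMIT,
            aggregate_limit=AGGREGATE_LIMIT, distinct_floor=DISTINCT_SOURCE_FLOOR):
    """Replay the log in time order and report what the window thresholds catch."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[1])
    span = timedelta(seconds=window)
    recent = deque()                  # (timestamp, ip) for every request still in the window
    per_source = defaultdict(deque)   # ip -> timestamps of that ip's requests in the window
    noisy = set()
    peak_requests = peak_sources = 0
    distributed = False

    for ip, ts, _request in events:
        cutoff = ts - span
        # Expire everything older than the window. Both deques are appended in the
        # same order, so the oldest entry in `recent` is also the oldest for its IP.
        while recent and recent[0][0] <= cutoff:
            _old_ts, old_ip = recent.popleft()
            per_source[old_ip].popleft()
            if not per_source[old_ip]:
                del per_source[old_ip]
        recent.append((ts, ip))
        per_source[ip].append(ts)

        if len(per_source[ip]) > per_source_limit:      # single-source flood
            noisy.add(ip)
        total = len(recent)
        if total > peak_requests:
            peak_requests, peak_sources = total, len(per_source)
        if total > aggregate_limit and len(per_source) >= distinct_floor:
            distributed = True                          # many modest sources, one surge

    return {
        "noisy_sources": sorted(noisy),
        "peak_window_requests": peak_requests,
        "peak_window_sources": peak_sources,
        "distributed_surge": distributed,
    }


def build_sample_log():
    """Constructed access-log lines (sample data, not a real capture)."""
    base = datetime(2021, 5, 1, 10, 0, 0)
    lines = []

    def add(ip, offset, path):
        stamp = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{ip} [{stamp}] GET {path}")

    # Five ordinary visitors: one request every two seconds for a minute.
    for n in range(1, 6):
        for t in range(0, 60, 2):
            add(f"198.51.100.{n}", t, "/index.html")
    # One aggressive client: 40 requests in four seconds (single source).
    for t in range(20, 24):
        for _ in range(10):
            add("203.0.113.7", t, "/search?q=x")
    # A swarm of 25 hosts, each sending only four requests (distributed).
    for n in range(1, 26):
        for t in range(40, 44):
            add(f"192.0.2.{n}", t, "/checkout")
    return lines


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(f"{key}: {value}")
```

Run on the constructed log, the single aggressive client is the only entry in `noisy_sources`, while the swarm never trips the per-source limit but pushes the window total to 125 requests from 30 distinct addresses, which is what sets `distributed_surge`. That second signal is the one to wire into your scaling or upstream-scrubbing decision, because per-IP blocking does nothing against it.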

There’s a fair chance that you may never experience a DDoS attack on your IT systems. However, you should take the time to understand what the risks are and how/if you will mitigate them.