Vertical Targets: Why Solution Providers, Security Experts Say SLED Market Is At Risk

As health care and retail are battered with reports of security breaches, security experts said that the next big vertical target for hackers could be the state, local and education (SLED) markets.

The shift comes as retail and health-care markets are becoming more aware of vulnerabilities and investing in the technology they need to protect themselves, Lysa Myers, security researcher at ESET, said. That leaves the SLED market open as a juicy target for hackers who are looking for an easier path to steal comparable information.

"It used to be [retail and health care] were the largest share of breaches that happen every year ... I think the next big target is going to be schools because they have a lot of the same sort of information that the criminals are targeting," Myers said.

[Related: Education Week 2015]

Sponsored post

Jeep Keyser, director of strategic alliances at Accuvant/FishNet, soon to be Optiv Security, said he has seen a "dramatic change" in the SLED market over the past six months, particularly around the state and local government side.

"It is different in the fact that hackers and malware and all the threats that are invading the infrastructure are coming to [the SLED market] as a target. That wasn't the case a couple of years ago," Keyser said.

That trend was echoed in this year's Verizon Data Breach Report, released in April, which found a "prolific" amount of malware attacks hitting the education market at an average of 2,332 a week in 2015, more than double the amount seen in the financial, retail, insurance and energy/utilities industries. The report credited the large amount of attacks to lower policy and control restrictions that made the education market "easy-pickings" for attacks.

For solution providers, that means there is a growing opportunity to provide security technologies to the SLED markets. Keyser said he sees the SLED market turning to solution providers for their security needs, rather than vendors or in-house IT staff, as they look for a trusted adviser who can guide them on the best way to solve the challenge efficiently and holistically.

"The good news is that they're solving a need for security ... and they're looking for solution providers," Keyser said. "It's not new, but it is absolutely more prevalent because budgets were increased in 2015 by 3 percent to 8 percent in state and local government. That's a substantial jump ... and there's more growth there."

Keyser said he sees SLED customers demanding many of the same technologies as the commercial and enterprise markets, including next-generation firewalls and managed security services. ESET's Myers added mobile device management technologies to the list as well, especially as schools adopt more tablet and Chromebook technologies. Bob Swanson, compliance engineer at LogRhythm Labs, in an email said there is also a demand for centralized IT management platforms as state and local education institutions move to standardize and centralize student data.

Vendors also are jumping on board with the trend, gearing up their portfolios and reseller partners to take advantage. Todd Palmer, vice president of Americas channels at Palo Alto Networks, said the company sees a huge opportunity in the education market, particularly for higher education and state and local government.

"We're just seeing a massive acceleration," Palmer said.

To help its partners take advantage, Palmer said Palo Alto plans to restructure some of its sales approach in the coming months to have dedicated sales organizations go after the SLED market on the East and West coasts. That push includes building out specified marketing efforts and recruiting specific partners that focus in the SLED market, he said.

Despite the push from vendors and solution providers, the education market as it stands right now is mostly "behind the curve," ESET's Myers said, due to budget restrictions and allocations, as well as challenges around mobile technologies. However, she said she expects that will change as threats start to become more apparent in the space.

For solution providers looking to get a jump on the market, Myers recommended starting with a risk assessment to show schools their vulnerabilities and where they can get the most "bang for their buck" with their security budgets. From there, Myers recommended focusing on the "Four As" of authentication, authorization, account management and audit logging, which she said are even more important in schools than in other industries.

"I'm hoping as security becomes more of a given as opposed to something to be argued about, that they'll make it a priority," Myers said.