Long before the Spectre and Meltdown security flaws were announced in January 2018, channel partners in the United States had learned that they need to absorb the costs of such unplanned downtime to keep their customers satisfied, as most customers turn to their local solution provider for patches and more suitable solutions when they face these kinds of flaws. As a result, companies in the channel are forced to absorb 1% to 5% of the costs of security failures, even if it affects the financial health of their enterprises, since renegotiating contracts with customers is critical at a moment like this, when the customers' data and technology infrastructure are at risk. In the name of preserving the long-term business relationship, channel partners such as integrators end up offering services that were not part of their initial scope, such as “fixing” older chips and processors that make hardware more susceptible to threats.
This type of work can take up to 600 hours, and increase administrative and managerial expenses by 15%. “When there are extra costs involved that are clearly out of the business relationship with our customers, we determine how to handle them on a case-by-case basis and then act accordingly, negotiating changes and costs if necessary,” explains Mike Barg, chief engineer of Lexington Consulting, Massachusetts.
He says the company is still absorbing the time needed to apply the patches for AMD, ARM and Intel processors that prevent the consequences of Spectre and Meltdown on clients' PCs, four months after Google engineers announced the problem. “We need to do this in our off hours. It is a function of scale. For customers with thousands of PCs, these patches are very significant.”
For channel partners, especially Value Added Resellers (VARs), the flaws therefore mean unpaid overtime, and the work is not limited to deploying patches but also includes seeking information from the sales representatives of manufacturers such as Intel. Security flaws are also an opportunity to strengthen the relationship by helping customers understand the performance implications of having old hardware. The result is to show the value of acting as an intermediary between OEMs, chip manufacturers, and users. “This shows why VARs are your customers’ advisors, as it’s not as easy to install patches as it is to install the latest updates,” said Kent Tibbils, vice president of marketing for ASI, from California. “It may not be a commercial opportunity, but it is clearly a partnership opportunity to strengthen the link between VAR and customer through education and guidance.”
Most channel companies attribute the burden of risk mitigation plans to their existing service and management contracts. This is the case for the integrator NetSciences, from Albuquerque, New Mexico, where Meltdown reached about 80% of its customers’ machines and required US$ 11,000 in working hours, a high figure considering that the company’s capital is valued at $ 1 million. The company president, Joshua Liberman, explains that the mitigation plan for corrections involves absorbing 100% of the cost to help certain customers. “We fix any machine we have built that is in the 3-year warranty period. We charge a fixed fee in the management services agreement and treat the patches as system failures. The problem is to convince clients outside the warranty period to pay for the service,” he says.
Otherwise, some channel partners try to sell new contracts, and a minority of them are reimbursed by the suppliers of these problematic products.
Flaws are not treated as trivial, but they have become routine in the North American market, and vendors such as AVG, Cisco, AT&T, Google, Samsung and Netgear maintain reward programs for any outsider who finds bugs and reports problems in their hardware, software or applications. In just the last three months, AVG paid professionals from outside the company for 32 vulnerabilities found. Microsoft already offers US$ 15k for remote code execution weaknesses, and up to US$ 10k for security design flaws.
Liberman, of NetSciences, and Barg, of Lexington, believe that the market has reached a point where security flaws and attacks are inevitable, but that the channel should leverage them. Liberman is betting on the possibility of small businesses finally upgrading their equipment, since old hardware is more susceptible to threats. Barg, on the other hand, points out the added value of solving the faults in the channel. “There will always be security risks for IT systems as they co-evolve. As consultants, we must add tangible value to our relationship with the customer continually. They respond favorably to this approach because we provide a solution that works for both.”