Gaidar Magdanurov is the Chief Success Officer at Acronis.
According to CRN, some of the top challenges that managed service providers (MSPs) faced in 2022 included labor shortages, managing resources, unstable economies and supply chain attacks. While all of these are valid, through my time connecting with both small and large MSPs, I’ve discovered that a common and major underlying threat to MSP businesses is the retention of customers.
A major worry for MSPs is a conceivable, catastrophic and “unrecoverable” security event that can lead to customers going out of business or changing their managed service provider. The ever-changing threat landscape is leading to more concerns about this type of catastrophic event.
Check Point’s latest research report states that the frequency of cyberattacks increased by 38% in 2022, and that number is growing, with the global volume of cyberattacks reaching an all-time high in Q4 of 2022. The statistics are bloodcurdling, and because many businesses rely on MSPs for their security solutions, the rising number of cyberattacks presents a true probability for cybersecurity gaps in MSP offerings.
A successful cybersecurity practice should achieve three primary goals: Protect the data and systems of the customers, ensure compliance with regulations met by location and build a higher level of trust with the customer. Following best-fit cybersecurity practices is a great reputation builder and can help create a competitive advantage if done right—then again, it can be an exterminator of business reputation if implemented poorly.
The Cybersecurity Strategy
The first and most critical step is to define a cybersecurity strategy and implement a regular review cadence; the strategy may have to evolve with the market, customer needs and, of course, threat landscape.
A sound strategy should include:
• A cybersecurity framework. To do this, simplify documentation and management, choose a framework like NIST and use it as guidance to define the standard used to approach cybersecurity.
• Follow asset management and risk assessment. All types of data, applications and systems should be identified. It is especially important to identify the unique risks based on the customers served by the MSP. For example, some business systems can be exposed to public networks for collaboration with third parties, opening the opportunity for supply chain attacks.
• Updated security controls. Technology requirements should be defined based on the types of risks and procedures for deployment and management developed. For example, what kind of firewalls, antivirus software, EDR and intrusion detection systems will be used, and how will these tools be integrated?
• Meet compliance. Depending on the type of customers, you should define the required certifications and implement procedures for compliance. For example, the payment card industry data security standard (PCI DSS) should likely be utilized for businesses dealing with payment card information, or HIPAA adhered to for healthcare providers.
• Implement monitoring. Real-time network and device activity monitoring is necessary to detect threats and prevent or mitigate intrusion.
• Apply user training. I find that many MSPs neglect the importance of security training for end customers. Sending a link to a video is rarely a good way to train end customers. Higher efficiency of security requires regular exercise, including on-site training and retraining of employees.
• Deploy an audit plan. Your strategy should include timelines and checklists for the audit. As the infrastructure evolves and becomes more complicated, an audit allows you to discover new gaps in the security posture and close them.
• Adopt an incident response plan. It is critical to train the whole team on what to do if faced with an incident. Fast and coordinated response processes help prevent catastrophic consequences for the end customers.
• Consider cyber insurance. Finally, if everything fails, cyber insurance can provide reasonable coverage to minimize the financial impact on the customer.
Implementing The Practice
After the cybersecurity strategy is defined, it is time to ensure it is implemented through the following steps.
• Identify the resources. Document human and technology resources available as well as the gap in what is needed to implement the cybersecurity strategy; execute a plan to allocate the necessary resources. This may include hiring new people, shifting existing team members’ responsibilities, additional team training or partnering with third parties.
• Train your team. Knowledge in cybersecurity expires fast, and a continuous training process is mandatory for the team to effectively provide high-quality service to customers. Training is often neglected after the initial training, yet it must be continuous.
• Communicate your cybersecurity practices to the customers. This is a great time to get your customers on board with cybersecurity policies and build trust in them that your business, as an MSP, has their security needs covered. It is essential to implement regular updates for customers and remind them about the need for recurrent security training for their employees.
• Implement the technology and processes. Deploy the tools and start the execution of your cybersecurity strategy. Defining regular tests and updating the cadence for security measures is critical. Regular exercises on incident response help keep a high level of confidence in both your tools and team to ultimately confirm that the process will work in case of an event.
Overall, the key elements of a successful cybersecurity practice are regular reviews, updated tools and policies and continuous training of technicians and end customers. A successful practice is never static; it is dynamic and constantly evolving.
Due to the ever-increasing complexity of IT infrastructure and the evolving cyber threat landscape, I believe it’s important to implement proactive security measures. MSPs should establish a robust cybersecurity practice to defend their customer’s valuable assets and their reputation.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here