Data protection is evolving at breakneck speed. Since 1971, when the first virus (aptly named Creeper, though it was actually created with good intentions) began targeting mainframe computers, the IT industry has been working to identify and neutralize a rapidly expanding list of cybersecurity threats.
That isn’t an easy job. Unfortunately (or fortunately for those whose outlook is shaped by high-profit opportunities), the responsibilities associated with data and network protection continue to grow and show no signs of abating. No business is immune to the threats, and, based on recent reports and industry research, the risks are growing exponentially each year.
Those factors are perfectly aligned to benefit well-prepared MSP community members. The SMB needs expert support in all aspects of cybersecurity, from service and solution design and procurement to advanced protection measures, and channel professionals are in the perfect position to deliver.
If only it were that simple. While all the technical know-how may come naturally to MSPs, a comprehensive cybersecurity portfolio must include “intangibles” such as consulting and assessment expertise. Remediation and data restoration capabilities are as important as offering firewalls and backup systems.
MSPs need to invest a fair amount of time, money, and other resources to become cybersecurity heroes for their clients. When your enhanced protection portfolio addresses the specific risks and related concerns of your clients, those efforts are likely to deliver a solid return.
Add the Right Ingredients
The magic question for MSPs is, “what should a comprehensive cybersecurity offering look like?” Of course, as in any service offering, many factors go into that formula, including regulatory and industry compliance requirements and levels of risk. No two customers will be the same, but MSPs need a cybersecurity portfolio that addresses the concerns of every business they support.
Using the following comprehensive checklist of services, your team can assess its current slate of data protection offerings and identify gaps that may (or may not) affect your clients’ state of readiness. Can your team address all the following security-related areas either directly or by leveraging peers, vendors, and other third parties?
General Cybersecurity Standards
Does your firm have the resources to address each client’s cybersecurity threats?
  - Intrusion detection and prevention systems
  - Email security with encryption (beyond OEM standards)
  - Complete data encryption (at rest and in transit)
  - Security and dark web assessment tools
Do you segregate critical data assets and implement additional protection layers for your customers?
Do you provide 24/7 monitoring of clients’ cybersecurity systems?
Do you provide 24/7 SOC (Security Operations Center) services (internally or through a third-party)?
Does your team understand each client’s regulatory and industry compliance requirements?
Do you identify and address rogue IT (unsanctioned device/application use) issues?
Are effective password policies in place for every client?
Are you validating adherence to those password policies (at least quarterly)?
Do you regularly audit and disable outdated accounts?
Is two-factor authentication a standard requirement for all applications?
Do you prohibit shared accounts and passwords, with approval for any exceptions?
Do all clients have an operational (tested) disaster recovery plan?
Are network security assessments performed at least monthly for all clients?
Do you provide awareness education and training programs?
Do end-users know the best practices for recognizing phishing emails?
Are they cautious about sharing sensitive personal and company information?
Is the training content refreshed regularly (varying the topics, tests, and timing)?
Do you help clients restrict workplace access to certain websites?
Cybersecurity Planning Capabilities
Do you develop, test, and deliver training for incident response plans?
Do your clients have electronic device policies that cover all employees (management, too)?
Are validated procedures in place for ransomware attacks and related activities (to pay or not)?
Does each client have a tested business continuity/disaster recovery plan?
Network and Data Security Standards
Is all sensitive customer data secured and encrypted (in storage and during transmission)?
Do you employ cloud backup solutions as part of each client’s business continuity plan?
Does your firm ensure that all client business information is backed up regularly (onsite and remote environments)?
In the event of a disaster, can customers restore their operations in a mutually agreed upon time frame?
Is business data on personal mobile devices used for work purposes backed up and protected?
Are all wireless routers password-protected, with access limited to employees, and are guests assigned to a separate secure network?
Are VPNs (virtual private networks) a standard requirement for remote access to all business systems?
Do you assign access privileges according to each user’s job requirements? For example, companies should limit access to HR and accounting files to approved personnel only.
Do all computers use an automatic screen lock to log off after a period of inactivity (10-15 minutes is considered best practice)?
MSP Business Best Practices
Do you follow an industry-recognized cyber risk management framework to assess and benchmark risk profiles (e.g., NIST, CompTIA Channel Standards)?
Have you assessed and tabulated the potential financial impact of a cybersecurity attack on each client (lost productivity and sales, data losses, reputational damage, etc.)?
Do you incentivize team members to obtain prescribed cybersecurity accreditations? Examples include CompTIA Security+, Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified Ethical Hacker (CEH), and Certified Cloud Security Professional (CCSP).
Have your clients obtained adequate cybersecurity insurance?
Have you validated the coverage (policy requirements match protection and risk)?
What exposures does cyber insurance coverage address?
Are there any gaps in their coverage?
Have you implemented at least quarterly penetration (pen) tests for each client?
Do you monitor the dark web for customers’ passwords, credentials, and other vital information?
Do you conduct simulated spear phishing and social engineering attacks?
Do you provide equipment disposal and recycling services to ensure the proper destruction of files and documents with personally identifiable information?
Did you check all the boxes? Fear not: relatively few MSPs can confidently say they have every base covered when it comes to cybersecurity, but based on the feedback from IoTSSA members and other channel professionals, many are working hard to fill all the potential gaps.
While this is quite a comprehensive list of data protection needs and concerns, consider it a working document. The industry discovers new vulnerabilities every day, and the number of tools MSPs have at their disposal will continue to expand in the coming years. As that happens, our team will add to this “ultimate list” and tailor our resources to help address the changes in our quest to help channel professionals build profitable and valued cybersecurity practices.
Brian Sherman, Content Director, IoTSSA
Disclaimer: The preceding checklist is for exercise purposes only to aid IT professionals in assessing the strength of their immediate cybersecurity posture. This checklist is designed to be used as a guide for IT professionals to be able to determine potential next steps required in order to effectively secure their IT environments. This checklist is in no way an offering of cybersecurity services or consultation and IoTSSA Inc. is indemnified against any potential liability resulting in its use.