In channel discussions, we tend to discuss MSPs as a singularity. While that’s a common occurrence in the business community, with most companies focused more on branding than individuals, it can become a problem in certain areas if providers paint themselves with a “wider brush.”
For example, how many times have you seen companies tout the advanced skills of a key employee and suggest it illustrates the proficiency of all their team members when you know that’s not the case? That one person may be the only one on staff with those proficiencies, and those types of misrepresentations can kill an IT business (not just its reputation).
MSPs and MSSPs who overpromise and underdeliver are doomed to fail. There are few second chances for IT security firms that fail to spot and stop an easily avoidable cyberattack or address standard compliance requirements. In other words, there are so many things that could go wrong that providers must have a skilled team of experts in place to ensure they are not over-promising and under-delivering when it comes to data protection and privacy.
With attacks against IT services companies rising and continued warnings coming from various government entities, including the U.S. Department of Homeland Security and the Federal Bureau of Investigation, strengthening your internal posture is imperative. A preventable breach or ransomware incident that spreads from an MSP business to its clients’ systems can cause more harm than a short-term outage. The reputational damage can put your IT firm into an unrecoverable tailspin.
It’s gut-check time in the channel. Every MSP must take full measure of its internal risks in addition to the threats facing its clients. IT professionals must up their game, taking steps to enhance EVERY team member’s cybersecurity IQ as the first line of defense.
Get an Outside View
MSPs are typically quite knowledgeable in the field of data and network protection. However, when you build an IT services business from the ground up, your investment can skew your opinion of certain tools and practices. It’s hard to be a neutral evaluator if you have skin in the game, a real problem when assessing the strength of your internal cybersecurity stance.
A sure way to get a realistic view of your IT services firm’s vulnerabilities is to engage a third-party expert to perform pen (penetration) testing and, if needed, comprehensive data privacy and network protection assessments. This new de facto channel standard involves regular cybersecurity health checks from qualified MSSPs, whose team members look at literally every facet of an MSP’s operations, including the aptitude of each employee.
The results of periodic pen testing and other security-related evaluations can help you pinpoint problem areas so they can be properly prioritized and systematically addressed. Implementing the recommendations provided by neutral third parties can enhance the security posture of your business as well as those of your clients and validate your firm’s expertise with new and existing customers. Though it may seem like an unneeded step for skilled cybersecurity professionals, putting your MSP under the microscope of an outsider is a great way to open your eyes to potential vulnerabilities your team members may not catch until it is too late.
Address the People Problem
Some of the most common “issues” encountered by MSSPs when assessing IT services businesses are employee-related. Mistakes happen, and poor decisions occur in every organization, and not every person working for an MSP is a skilled cybersecurity professional (and even those people have an occasional lapse). All it takes is one slipup to let someone or something into your systems.
Cybercriminals are waiting for those breaks. These opportunists may be watching or hammering away on your systems right now, looking for an opening to gain control of all the networks you manage. One unsecured terminal or employee sharing login credentials with someone disguised as a vendor rep or a client, and the MSP business you worked so hard to build could be in jeopardy. The resulting breach could compromise the privacy and personal information of everyone in your IT ecosystem.
Poor email security practices can have a similarly devastating effect on any MSP. Phishing schemes just require one person to click an infected link or download a corrupted file to launch an attack. After that, ransomware can spread like wildfire through an office and may, if not blocked with preventive measures, affect client sites with the same voracity.
Caution everyone from your top techs to the new sales trainee on the risks as often as possible. More importantly, require everyone to undergo awareness training, with no exceptions, including the management team. The first step in improving the cybersecurity IQ of your staff is to make a top-down commitment to education.
Awareness training is just one way to increase your team’s security consciousness. Today’s MSPs have to be more prepared than ever to tackle internal and external threats, which means you must continually work harder to stay ahead of the cybercriminals. Growing your team’s skill set is imperative.
What are your team’s current cybersecurity capabilities? Start by asking a few simple questions:
- How many certified security professionals do you employ?
- Which certifications do they possess?
- Do you set cybersecurity-related training objectives for key employees with incentive programs to ensure timely completion?
- Are all employees put through awareness training, including non-security professionals such as sales, marketing, and operations team members?
The answers to the above questions give you a baseline from which to develop a cybersecurity training plan. The next step is to evaluate the various tools and programs that can help boost your employees’ data protection skills and awareness and implement those that meet your objectives.
Any plan should include setting aside dedicated work time so workers can complete their assigned tasks, as well as providing the facilities and equipment they might need in those educational pursuits. A top-down commitment to security-related training helps keep employees focused on their own personal responsibilities.
There’s simply no substitute for education and training when it comes to protecting your company and your clients. MSPs must strengthen employees’ security skills and awareness and continually move the bar forward if they wish to remain competitive in an ever-evolving world of threats. With a high cybersecurity IQ, your team can demonstrate that they are willing and fully capable of neutralizing the risks to any business ‒ whether protecting your systems or those of your clients.
Brian Sherman, Content Director, IoTSSA