Having reviewed over 450 MSPs in 2020, I can tell you that your cybersecurity strategy can make or break your business. That strategy should differentiate how you protect your most valuable data assets, using a tiered framework of security measures.

As you work with your clients to identify and protect their valuables (all the assets that each client values), you will surely realize that strategy becomes critical. This strategy will help you inventory and prioritize data assets and determine how strong the protections must be at each security tier to keep those assets safe.

By keeping transparency around how data is being protected, and by building an understanding of the trade-off between protecting data at a specific tier and accepting the risk of not implementing a control, your team should gain an acute awareness of the risks associated with cyber debt. The problem is that most organizations either do not understand where they fall on the spectrum of being secure, or have lost track of which specific pieces in their stack are the most crucial to protecting themselves and their clients.

Today I want to walk through a couple of myths that keep popping up when evaluating MSPs—myths that can be extremely dangerous.

Myth 1: The More We Spend, The Safer We Are

According to our research and experience, there is no direct relationship between cybersecurity spend and the success of a company's cybersecurity program.

In fact, some of the MSPs that are spending a LOT of money on cybersecurity today had just as many issues on their networks. Many were investing heavily in tools that were under-performing.

In part, this is because several of those MSPs had not implemented their tools to protect their valuable data assets (they had sensitive information in the wrong locations on their network). Several had not even taken a step back to understand where their data assets were before sitting down with me to discuss a strategy (we often go through easy-to-follow strategies with our clients).

The data protection problem may look like a tool problem in the short term, but what we have been seeing is data drift and the lack of a functioning process undermining the success of even very useful tools.

Overinvestment in tools also shows up when we evaluate configurations. MSPs are spending good money on tools that could work if only they were configured correctly.

The problem? Vendors will not properly configure their tools for you. You, as the MSP, are expected to get everything right. Even in cases where there is no documentation (yes, I've been there!), you are the one they will point fingers at if something happens.

How do you avoid the habit and mindset of believing you are secure simply because you are investing in cybersecurity tools?

Understand what your tools are doing. Before signing a contract for another tool in your cyber stack, or renewing a contract with a vendor simply because the current one is up, make sure you understand where your spend is going and that the investment gives you something valuable to bring to your clients.

Part of evaluating your stack is testing whether the tools you spend good money on are actually working. We test our clients' networks continually to ensure that configurations are working as expected, and when they aren't, we help them understand the next steps.

Myth 2: The More Advanced Our Technology, The More Secure We Are

This is definitely a hard myth to break (at least in many of our heads). We want to believe that more advanced tools will address growing cyber threats. The truth is that many of the threats our MSPs are confronting today can be addressed with less advanced methods.

In most cases we are not dealing with military-grade cyberattacks. Financially motivated hackers look for cheap exploits that won't take much time to pull off. They need holes in networks that are easy to reach and easy to get in and out of. Most would rather smash and grab than construct elaborate schemes to compromise a network over the long term.

As an MSP responsible for protecting thousands of endpoints, you will want to make sure the basic security initiatives are complete before investing in the latest high-tech solutions. Making sure your team understands what those basics are, and what the consequences of neglecting them are, will go farther than simply relying on a high-tech tool to protect you.

You don't want to know how many MSPs do not even have their firewalls configured well enough to prevent a hacker from stealing sensitive information from their network. Why invest in more technology and services (SIEMs, SOCs and next-gen solutions) until you have the basic security levels covered?

If you or your clients invest in advanced security technology without understanding how best to use it or how exactly it fits into your current cyber stack and strategy, how will you be able to properly support that shiny new tool? Identify your strategy and how new initiatives will strengthen that stack, rather than chasing what's new for the sake of having the latest technology.

My message to you: you need to rethink the way you're approaching security. Rather than perpetuating myths (like the big two above) throughout your organization and those of your clients, why not focus on how to be resilient?

How can you manage trade-offs associated with cybersecurity?

Discuss issues openly so that everyone understands your risks and the solutions to address them.

How can you get your team to understand the processes and protocols, rather than being told to simply follow policies blindly?

We work with our clients' teams to manage the trade-offs associated with cybersecurity: evaluating and discussing which initiatives make sense to invest in (from both a security and a business perspective) and which to discontinue. How can you better classify your security components to make them more understandable? How can you get your team bought into your security processes? These are all things we do to help our partners be more effective at selling and delivering security solutions.