Many MSP teams have asked me how to prioritize their security tasks. I thought the topic was so important that I created a SecOps (security operations) call about this for our partners. I also wanted to highlight some of the details here.

I like to evaluate security risk in order to start prioritizing tasks and projects aimed at securing your own or your clients’ networks. The easiest way to start tackling this is by quantifying your risks a little.

Think about how often something occurs or pops up in your environment versus how that vulnerability ultimately impacts an organization. Both frequency and impact are easy enough to gauge (and frankly should be assessed). Frequency can simply be a count of how often a type of attack occurs or how often your team identifies a vulnerability within a network or group of networks. If you notice something popping up quite often, you can probably assume that sooner or later someone will try to exploit it. That’s especially true if the vulnerability is known and exploitable.

Impact might take a little more thought than simply counting. You will need to figure out what specifically a vulnerability could lead to. For instance, if you find a vulnerability within your RMM, what would exploiting it give someone? Access to your network? Your clients’ networks? Passwords? Other sensitive information? What a hacker would be able to get into through an exploit can help you figure out how urgently you need to resolve the issue.

Additionally, there has been a lot of chatter lately about how exploits can be chained together, leading to more penetrating attacks. As you evaluate vulnerabilities within your environment, you might want to think a bit more holistically about how one vulnerability may lead to another exploit. I like to do this by thinking about how my systems are interlinked.
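The frequency-and-impact weighing described above, with impact extended across interlinked systems, as an added example that is not from the original article. The 1-5 impact scale, the multiply-and-sum scoring, and every system name, link and count are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample data (assumptions for illustration, not from the article).
# Direct impact of compromising each system on its own, on a 1-5 scale.
DIRECT_IMPACT = {
    "rmm": 3, "msp_network": 3, "password_vault": 4,
    "client_a_network": 5, "client_b_network": 5, "guest_wifi": 1,
}
# Interlinks: compromising the key system gives a path to the listed systems.
LINKS = {
    "rmm": ["msp_network", "client_a_network", "client_b_network"],
    "msp_network": ["password_vault"],
    "password_vault": ["msp_network"],  # cycle: vault credentials lead back
}
# Findings: (description, affected system, times seen this quarter).
FINDINGS = [
    ("open guest Wi-Fi", "guest_wifi", 12),
    ("stale admin account", "msp_network", 4),
    ("unpatched RMM agent", "rmm", 2),
    ("weak vault master password", "password_vault", 1),
]

def reachable(system):
    """Every system exposed if `system` is compromised, itself included."""
    seen, queue = {system}, deque([system])
    while queue:
        for nxt in LINKS.get(queue.popleft(), []):
            if nxt not in seen:  # the visited set keeps cycles from looping
                seen.add(nxt)
                queue.append(nxt)
    return seen

def chained_impact(system):
    """Sum the direct impact of everything reachable from `system`."""
    return sum(DIRECT_IMPACT[s] for s in reachable(system))

def prioritize(findings):
    """Rank findings by frequency x chained impact, highest first."""
    scored = [(freq * chained_impact(sysname), desc)
              for desc, sysname, freq in findings]
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    for score, desc in prioritize(FINDINGS):
        print(f"{score:>3}  {desc}")
```

In this sample the guest Wi-Fi finding is seen most often, yet the RMM finding ranks first because of what the RMM links to.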

Commonly, you will want to think of the following targets of cyberattacks:

  • Customer data
  • Employee data
  • Intellectual property
  • Third- and fourth-party vendors
  • Product quality and safety
  • Contract terms and pricing
  • Strategic planning
  • Financial data

Managing your cybersecurity risk is not going to be easy. No one is going to have a tool that will do it all for you. You’re going to need a continual and ongoing process to address new risks popping up and new vulnerabilities being discovered. Your MSP is never going to be more secure tomorrow without thinking about and figuring out how to address your cyber risks.

What we recommend is making sure you understand how your cyber stack stacks up against current threats. One of the easiest ways of doing this is by getting a cyber stack evaluation.