A lot of our partners are asking us for recurring third-party assessments.
Why would you want or even want to consider this?
There are several reasons, but here’s what we’re seeing:
- Cyber Liability Insurance Requirements— many of the current cyber liability renewal forms are currently requiring third-party security assessments or penetration tests.
- Compliance Needs— we have had a number of partners that have completely dropped the ball with generating quarterly and monthly reports needed for specific compliance demands, costing them relationship capital with their clients.
- Building Client Trust— If you have clients that are security-minded and you aren’t providing them regular updates on their security posture, they might feel like what you’re doing to protect them is a security black box. These clients may be the most prone to get second opinions or free problem prevention reports if they’re not really kept in the loop.
And here are some of the issues in needing this:
Scheduling them— I’ve heard this over and over again. MSPs that have missed an assessment they’ve promised a client. They either end up scrambling to see how they can produce a retro-actively generated report from a specific point in time. This never ends well. It ends up eroding trust with your client and creates chaos chasing the report down.
Having third-party reviews— another big issue MSPs are facing right now is generating a third-party analyzed report. There are several instances where MSPs have generated their own reports, triggering questions with auditing teams. Having a third-party generated report addresses these types of concerns.
Recurring third-party assessments have been something partners have been asking about a solution because they haven’t had time to get done. That’s a major issue because if you’re promising something that you’re not doing, you most certainly will lose a client.
When you have identified a client that really should be engaged in recurring third-party assessments, you will want to realize a couple of things.
Third-party pen tests start at about $10,000 a piece. Even if you are bundling these assessments into your advanced cyber stack, get them to realize their value. If you are a partner and need a way to demonstrate this to your client, we can certainly provide you a statement of work to illuminate exactly how much a service would cost.
These penetration tests—the ones you are selling—should be including reviews of vulnerabilities that cyber attacks are currently exploiting. That would include an analysis of remote user locations. External vulnerabilities. M365 evaluation. Personally identifiable information. Security groups. Everything you would normally find in a vulnerability assessment. Collaborated and read out by a third party.
If you just use a tool and you do your own assessment, remember that everything you’re doing is costing money. I would strongly reconsider just giving them away without at least communicating what it’s worth.
BUT what if you could do something else? Where you didn’t have to worry about it getting done over and over again like clockwork?
What we have is a solution that many of our MSP partners have been asking for over the last 2 quarters. ClientWatch, a way that they can get their assessments in their client’s hands WITHOUT investing time and engineering work by expensive technical teams. A way you can prove that someone is doublechecking your team’s work and give you the ability to review, accept or make changes to your client environment before you read out the results.
This is a great way to go through a third-party generated report and have the peace of mind that all this stuff is happening.
It also makes for an easy conversation about security with your clients on an ongoing basis.
If you're not a partner yet, one thing I want to mention is you just, you can't proofread your own work. So what would you do if an attacker actually got in like would your security solution. Detector, even, stop an attack. If you're interested in finding out, go to www.galacticscan.com/stack and we'll do an analysis for you. And during that analysis will go through for free. This will give you a thorough understanding of areas to be testing your and your client networks for.
We will evaluate your cybersecurity stack to test its effectiveness. We'll show you how your tools respond, and we'll give you steps that you can take to protect yourself.
