The magnifying glass is (or will be) pointed at you.
As an MSP, you are seen as the protector of data, as the provider who can resolve issues quickly, and, most importantly, as the team that users trust to proactively keep their networks secure and running.
In today’s climate of worry, fear and uncertainty, whether about cybersecurity or day-to-day life, you had better believe that your clients (ahem… and their insurance providers) are taking a closer look at what’s being done under the hood on their networks.
The set-it-and-forget-it mentality of the 2000s is no more. Everyone has heard of a ransomware attack at this point. Unless they’ve been living under a rock for the past ten years, I’m certain everyone is aware that the security risks we face today are far greater than ever before.
But how do you reconcile the expectations of an insurance provider, and of a client who expects security solutions, configurations, and protections against current attack vectors to be continuously running and working on your watch?
How can you even convince a security-conscious new prospect to trust signing up with a new IT provider? Even if you come with glowing reviews from referrals, you are still new, and change is hard to handle. How are they going to ensure that, at the very least, you are taking the steps to keep them safe? And how are you going to satisfy insurance questionnaires that explicitly ask them to validate that their security is being handled? (Not to mention the many policies now requiring ongoing third-party assessments of their network environments.)
How often should you be performing an analysis for your clients, and what should be in that assessment? How can you provide valuable, unbiased third-party information that attests to the quality of your work and demonstrates that your team takes security seriously?
Here are 3 critical components of any third-party auditing strategy.
Make it clear that security is a priority to your clients—establish a relationship with contacts at your client site. Make sure they understand that you proactively get audited by a third party to validate that your security controls are working as expected. Explain to them that security today isn’t as simple as buying a new solution. Threats are constantly changing and evolving, and evaluating and re-evaluating them is critical to ensuring the client is ultimately secure.
If you aren’t communicating the value of continuously checking up on their security, they’re not going to understand the need for it. By having a conversation about why these assessments are important, you will build a stronger relationship going forward.
Determine what data is most valuable to them—if you’re auditing their network blindly, without context on where critical data is stored or what data they need in order to operate, are you really going to be successful recovering that data when the time comes and they need you to act?
By working with your client to identify what information is critical to keeping their doors open and the lights on, and what key processes depend on that data, you can help them understand what is at risk on their network.
I often suggest that our partners take part in an annual tabletop exercise with key clients to determine how ransomware, data breaches, or other network-impacting events would affect their network and business. This is the perfect type of exercise to lead your client to understand why investing in data security is critical. A third-party assessment is one key follow-up to discuss after going through one of these exercises.
Get them to commit to a cadence for ongoing monitoring—this often depends on your client and their needs. Typically, we recommend quarterly assessments of an environment: a quarter is granular enough to identify problems, while critical vulnerabilities that pop up in between are still addressed as they appear rather than held until the next review. It also gives your team enough time to show progress in improving and building a better program for them. The less time you leave between assessments, the more engaged and on top of security items you will have to be. Quarterly reviews tend to be a happy medium for getting prioritized security initiatives taken care of.
Not sure how a third-party assessment works? Never had a third-party review of your cyber stack? MSPs have been finding that cyber stack evaluations help guide how to both assess and improve their stacks.