Your clients have security risks. There’s no denying this fact at this point. As their go-to for all things technology, you are their trusted advisor when it comes to keeping them and their data safe.
But how do you get them to start thinking about risk?
And what can you help them do about it?
Do you make sure they can renew their cyber liability insurance policy? Perhaps.
Do you make sure that they have an advanced cyber stack in place to prevent a lot of threats that could cripple their business? Most definitely. (One of the easiest ways to communicate tangible impacts from these types of risks is to show them what is at stake).
When the rubber hits the road and you and your team needs to help your clients make decisions on their security risks, there are 4 ways to deal with them.
Accept the risk? In some cases, it may be nearly impossible to address a specific security concern. It may be using a specific vendor that is critical to your business. It may be having a Windows 7 machine in their environment because of legacy software or machinery. It may be a critical process in their business that they are unwilling to change. Whatever the risk is, your clients may be willing to stomach some risks simply because how they run their business. In these cases, you will want to document this decision with a risk acceptance form. They’ve acknowledged they understand the risk and are moving forward with it.
NOTE: often businesses will accept risks purely to save money. I’m sure you’ve dealt with this in the past. Our partners have found that presenting the results of a simple penetration test can often change their minds. To see this process in action, consider a stack evaluation—we offer these at no charge to the MSP community.
Transfer it? Another option is to transfer the risk to someone else. Have someone else shoulder some of their risks. One way to go about this is by having a cyber liability insurance policy in place. Realize that today in 2022 insurance providers are tightening their requirements. As you communicate insurance as a risk transferal mechanism to your clients, remember to get them aware of changing requirements—and addressing those. One of the big new requirements popping up is performing recurring third-party security assessments. You might want to consider implementing third-party assessments for your clients.
Avoid it! In the perfect world you would simply avoid all risks. When you have the chance to not have one, I’d strongly suggest getting them on board with that solution. You can often avoid risks by changing behaviors or processes within your client’s workflows. You can also change technical policies to eliminate holes in their networks. By eliminating certain risks, you will make your job supporting them easier. One way to help them see how they can protect their systems and change certain behaviors within their organization is by seeing what they are risking by continuing to do things the old way.
Reduce is! If you can get them to see how they can shrink their risks, everyone will be better off. Often this entails them investing in your advanced security stack. By putting better controls in place on their network, you are reducing the attack surfaces they are exposing and narrowing or nearly-eliminating the chances for an attacker to act within their network. Again, if they are hesitant to invest in security because they see it as a black box with no perceived return on investment, showing them exactly what is at risk when someone clicks a link or tries to open a door on their network is critical.
Risk is a challenging topic, for sure. And making sure your clients understand what their risk level looks like will be critical in prioritizing security projects and implementing solutions that match their expectations. This is exactly why we are rebooting the vCSO training workshop. To enable you—as an MSP—to help lead your clients and prospects with a security-forward approach.
For more information, visit www.galacticscan.com/vcso
[SEATS EXTREMELY LIMITED]
