Every single organization now appreciates some importance for cybersecurity. But even companies that think they have everything under control—especially in the SMB marketplace—are still making serious errors when it comes to deciding on security products and services. Many hold off decisions thinking that they are not priorities. Others simply have integrated poor cyber hygiene practices within their core processes and people.
Neither of these is ideal and as the champion for their security, your MSP does confront a lot of challenges when it comes to cutting through the noise and getting them to realize what is at stake and what can be done (both tactically and strategically) to mitigate their shouldered risks.
Here are 5 ways your MSP can be more effective and cut through to your client’s employees and leadership on security concerns:
Problem 1: Employee Training On Best Practices
You might think that you already have employee security training. You have phishing exercises. Everyone has watched the required videos. This is a no-brainer that we’ve been doing for years.
The problem is your users don’t care. They are doing the minimum to check the box but aren’t internalizing the actual problems. As social engineering attacks have gotten much more sophisticated, the human side of the security equation hasn’t really caught up to our reality.
And the most recent attacks that deal with user data aren’t getting put into their context. Think about the latest Uber breach, where a hacker was able to fool an employee into sharing their login info. Employees are not getting a lot of love when it comes to getting sincere understanding of the issue and internalizing how to fix those issues.
What should you be thinking about right now?
As you start conversations about their cyber stacks for 2023, one major component should be emphasized around people and process. How can you identify training that will be easy for their teams? Training that isn’t just about their workplaces, but about them? These are critical questions to be thinking about before pulling the trigger on new training in 2023.
Another huge point on employee practices is process. This is your opportunity to tailor processes so that you can eliminate human risks. Think of their critical data workflows. Work with your clients to understand how their processes might be improved to mitigate risks related to errors or breaches. This is where a vCSO offering will elevate you and your team. We have an entire MSP-centered framework for vCSO deliverables.
Problem 2: Failing To Have Proper IT Hygiene Within Their Network
One big problem, especially in co-managed opportunities is pointing out network-related problems without finger pointing. The technical staff may think they’re above staff training—probably true. A big challenge here is identifying how to communicate necessary change without seeming like a tattletale.
We all make mistakes and network security is an area that is really hard to get right the first go through. Unless you are regularly testing it and showing what is at risk and doing so in a way to improve rather than dwell on an issue, you will likely be doing nothing to improve their security posture. We recommend regular penetration testing of client environments—typically on a quarterly cadence—to make sure they are improving their internal security. Each quarterly report is a great way to communicate concerns and get them on board with your security stack pieces that might help address those issues.
Problem 3: Not Consistently Evaluating Their Security Posture
Most leaders will approach security as set it and forget it. They simply don’t understand that their risks are changing. Getting them to see the value in recurring security assessments will help them see that security needs to be kept top of mind. If you want to see a method of getting people to change their mindset on security, MSPs have found that evaluating their stack helps them understand how to communicate risks to their clients. We offer a free stack evaluation to the MSP community on our mission to help protect a Million people.
It's important to make clear that security is a continuous practice.
Problem 4: Not Knowing Where Their Data Assets Are
Their data is their gold. Without critical data, most companies are completely lost today. That’s the nature of our economy.
There are so many integrations, partnerships, third-party vendors, endpoints, and devices that making sure data is safe and contained is a serious problem. Most organizations don’t know where their data is and have no plan on maintaining it. Not to mention hybrid workforces, leaving data even more at risk behind Walmart-grade firewalls. As a vCSO, you can help them dive into this important problem.
If you currently do not have a vCSO solution, you can start by evaluating their network for data-related issues on a regular basis.
Problem 5: Treating Security As Another IT Issue
Leadership often thinks of security and IT as one department. They don’t understand that they work hand in hand. They might even think of anti-virus as just another piece of software that the company uses.
Your challenge is getting them on the right technology, but also policies and processes to enable that technology to be effective. Everyone at the company needs to have some awareness and ownership to security as a whole. Elevating yourself to a vCSO at their leadership meetings will be critical to changing their mindset from IT, where they are interested in work getting done to security, where they are interested that their work is protected.
One of the biggest impacts you can have to help protect your clients and prospects is by cutting through the noise and focusing their attention. With the right tools, I know you can be successful. If you’re looking for a way that has really helped MSPs close more security—even for the most stubborn clients—consider seeing how a cyber stack review can focus decisions and move them to start seriously thinking about their security posture.
