With so many threats to a small business’s information systems, how can providers sort through the vulnerabilities and identify the most significant risks? Of course, the first step is to conduct a complete network assessment, looking for the “weak links” that cybercriminals most often exploit to get into your client’s IT infrastructure. Identifying and eradicating those “points of entry” helps MSPs minimize the risks and reduce the damage associated with data breaches (most often caused by the careless actions of employees).
No matter how much protection you provide your clients today, they’re going to need more. Cybercriminals won’t give up their relentless attacks. In fact, thanks to AI and other emerging technologies, the depth and breadth of their schemes to scam businesses and gain access to your clients’ vital information systems will increase exponentially in the coming years.
MSPs must prepare for the onslaught. Experts expect the attacks to get more severe and more difficult to defend against in the foreseeable future, which is why channel professionals must step up their cyber security game. Your clients look to your team for total protection ‒ even though IT-savvy people know that there’s no such thing as cyber security utopia.
Your clients need to understand the limits of current protection measures. Education on the risks and repercussions of non-compliance is an important step, but SMB organizations are going to require a lot more support to address future vulnerabilities and meet their shifting compliance requirements.
Let’s start with the largest current concerns for the SMB. If your clients don’t have adequate measures in place to address these specific areas, they should be top priorities:
1. Phishing
No matter how much training your company provides, or what controls you put in place, your clients’ employees will make mistakes. MSPs can’t protect companies from everything that end users do. People make mistakes all the time.
Unfortunately, cybercriminals understand email users and work diligently to exploit their weaknesses. Those weak links (otherwise known as employees) are now responsible for a majority of business cybersecurity issues. In fact, 74% of respondents to a recent SANS Institute survey identified users clicking email links and opening attachments as their most significant concern.
Phishing attacks happen quickly. Cybercriminals “hook virtually 100% of their victims within the first 24 hours — by which time they have already shut down nearly 50% of their phishing URLs and moved on,” according to Aberdeen Research. MSPs can do little to thwart or slow down these attacks once they begin.
Solutions that catch email-based spam, viruses, and malware are a great start, as is a backup application to securely store and retrieve messages when phishing attacks take out your clients’ systems. Awareness education and other preventive measures also tend to limit the success of these schemes, though nothing you do will stop an unyielding cybercriminal who has your customer in his or her sights.
2. Ransomware
While the “atom bomb” of IT security threats typically comes via email, ransomware also inflicts damage through malicious websites and articles. The only good news is that end user (and business owner) awareness is rising and that, in turn, is forcing decision makers to have more constructive security discussions with IT services professionals.
How big is the issue? According to IDG, ransomware damage costs are predicted to hit $11.5 billion by 2019. Your clients need a solid security game plan if they want to avoid becoming part of that number. Proactive measures such as end-user training and layered cyber security tools are business critical, as is a tested continuity solution.
If your firm isn’t offering all those options, either on its own or in partnership with other IT professionals, it’s time to build out that part of your portfolio ‒ today! Regardless of company size or the markets they support, ransomware is an equal opportunity attacker, going after anyone willing to open an infected link.
In this case, an MSP’s top responsibility is quickly recovering its clients’ information and business systems after a ransomware attack. Preventive measures and tools are crucial, too, but when hit with a worst-case situation, clients will definitely value your backup and restoration services.
3. Compliance
Companies that follow proper cybersecurity practices have fewer concerns with federal, state, and local data protection regulations. Unfortunately (or fortunately for MSPs), few businesses can make that claim.
Government and industry IT security rules usually prescribe a mix of tools, best practices, corporate policies, and testing processes to keep a covered organization’s information secure and free from prying eyes. Many principals believe those specifications have already been addressed.
Of course, unless a qualified professional is monitoring and validating the effectiveness and completion of all those steps and tools, no one knows whether that is true ‒ until they experience a breach or fail an audit. MSPs assume a lot of the responsibility. You must ensure each client understands all the rules and regulations that apply to their organization and recommend measures to keep them compliant.
That doesn’t mean they’ll listen. If a client decides to ignore compliance advice, be sure to get it in writing or walk away. Their failures can have financial and reputational consequences for everyone involved.
Compliance is business critical. MSPs who provide consultation, design, and testing services have a real opportunity to differentiate themselves and boost their revenue.
Ongoing Concerns
Cyber security is a dynamic issue. Addressing the three concerns listed above is a good place to start, but it is by no means a guarantee of your clients’ success.
That’s because the criminals have lots of time to concoct new schemes and launch attacks. Their business model is highly profitable and, with new automation tools and innovations such as AI, expect their “productivity” levels to rise exponentially in the next few years.
MSPs need to stay a few steps ahead. What are you doing to up your “cyber security game?” Are you arming your team with the tools, skills, and knowledge needed to keep your clients safe? That’s a question you should be asking every day.