IT and Business Insights for SMB Solution Providers

How Much Cybersecurity is Enough?

Balancing a company’s data protection and productivity needs with its budgetary constraints can be difficult, especially for the MSPs often charged with finding a “happy medium” between quick and secure system access and cost. Providers have to juggle fiscal responsibility with their obligation to deliver effective solutions.

Of greater importance is enabling your clients with the latest technologies and helping scale their operations while keeping everyone in their proper IT security lanes. The primary goal of data protection is to restrict access to company files and systems to authorized personnel. After all, thwarting cybercriminals is just part of the job for MSPs: keeping their information safe from prying eyes is just as important.

There are a lot of responsibilities to juggle today. Businesses are being forced to adhere to a myriad of existing and new federal, state, and local information security regulations. Addressing industry standards is just one objective. Corporate espionage is a rising concern, as is the use (or sharing) of company and personal information by former or disgruntled employees. When you add hackers and other criminal elements to the mix, life can get stressful for business owners and the MSPs who support them.

That’s why controls and layered protection play such a critical role in cybersecurity. Finding the right balance of technology, processes, and policies can be difficult and gets costly, which is why MSPs need to carefully assess all aspects of their clients’ information workflow before making recommendations or changes.

How much can they conceivable spend? Is the proposed solution overkill? Those answers usually depend on the specific threats and issues those companies need to address. All business owners want their systems to be properly protected, but they have other obligations to address and, at the end of the day, still need to make a profit.

A Sensible Starting Point

The objectives of cybersecurity protection haven’t changed over the years, no matter how much your clients can spend. Businesses need your team to protect their information, which continues to scale in size and complexity, without slowing down their operations. Experienced MSPs often follow the NIST (U.S. Commerce Department’s National Institute of Standards and Technology) framework as a starting point and then tailor or add solutions to meet the threats and operational needs of each client.

Version 1.1 of the NIST framework, introduced in April, strengthens and updates the original’s standards, guidelines, and best practices. The changes are intended to address the escalating and continually shifting threats and risks surrounding cybersecurity. Enhancements to authentication and identity standards and clarification of self-assessments and incident disclosures are just a sampling of those updates.

Cybersecurity experts emphasize that government recommendations are a good place for MSPs to start, but even after adopting those changes, there are no guarantees for your clients. In fact, nothing you do can stop a determined hacker – or overcome the “human factor.” From opening obvious phishing messages and visiting high-risk websites (despite the warnings) to writing passwords on sticky notes attached to their computers, there is no limit to what employees will do to work around prescribed IT security measures.

Next Level Protection

While NIST addresses most vulnerabilities, MSPs can’t address everything (or everyone) that threatens their clients’ information systems. Persistent cybercriminals and poorly trained employees can easily overcome the standard AV and firewall solutions, which helps explain why the layered security approach is gaining traction.

Technological advances are also contributing to that movement. The cloud and mobility solutions are shifting system access and data management outside your clients’ firewalls, so protecting their network perimeter is increasingly more difficult with each passing year.

Those combined vulnerabilities are driving demand for overlapping and more advanced defensive measures, including email security, network assessments and analytics, data encryption, privacy controls, and end-user awareness training.

Which do your clients need? The easy answer is all of them, but pricing and operational considerations often force MSPs to take a more conservative approach. Start with a complete compliance and vulnerability assessment for each customer, and present proposals that address their most likely threat scenarios.

After implementation, monitoring and reporting are crucial. Security is dynamic, so MSPs may need to add, subtract, or replace applications or services based on their clients’ cost or workflow concerns. You should always be comfortable with the systems and services your team supports.

In other words, don’t compromise your standards; even when clients suggest changes in your security protocols, tools, and policies. Also, make sure they understand the implications of those alterations ‒ and get it in writing. Refusing to accept the responsibility for compromises made in their cybersecurity protection should be a red flag to walk away.

How much security is enough? The answer, at least for MSPs, may never come. The key is providing your clients the level of protection they need to stop the most likely potential threats, for a price they’re willing to pay (and you’re ready to accept).

Brian Sherman
Content Director, IoTSSA

 

The post How Much Cybersecurity is Enough? appeared first on IOT Security Services Association.

About the Author

ChannelPro SMB Magazine
SUBSCRIBE FREE!

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.