There was a time when large enterprises were cybercriminals’ primary focus, but today, small and midsize businesses (SMBs) account for nearly half of all attacks.
SMBs store valuable data similar to their larger counterparts, but budgetary constraints and a lack of internal expertise make it difficult for smaller organizations to implement comparable defenses. Yet the financial impact and reputational damage of an attack can be particularly devastating to a small business — especially with the cost of a data breach rising more than 13% to $3.31 million this year.
No matter how you slice it, cyber preparedness has never been more critical for SMBs. And it’s up to managed service providers (MSPs) to help their customers become incident-ready through proactive and actionable incident response planning.
Support Through IRP
Scott Barlow
SMBs often relegate incident response planning — and cybersecurity in general, in some cases — to the backburner due to a lack of time and resources. But with the threat landscape intensifying and the average ransom doubling, a comprehensive incident response plan (IRP) now is a must for preserving your customers’ cybersecurity hygiene as well as their bottom lines.
By taking a thoughtful and tailored approach that addresses your SMB customers’ needs and resource constraints, you can ensure they are equipped to effectively respond to attacks. Here are five ways to do that:
- Assess Customers’ Preparedness. If you haven’t discussed IRP with your customers, start a conversation to assess their current plans. Do they have an IRP in place? If so, when was it last updated? Have you reviewed the plan? Asking these questions can help determine next steps, whether it’s refining a customer’s current IRP or starting from scratch.
- Assist in creating an Actionable Plan. If a customer lacks a comprehensive and up-to-date IRP, CISA offers advice and guidance as a starting point. For instance, CISA recommends organizations select a security program manager to create their written IRP, which should include actions to take before, during, and after a security incident. Ask customers to appoint this individual, who also can serve as your point of contact regarding the IRP. As you offer guidance, consider the following: Does it outline specific roles and responsibilities so employees know what to do in the event of an incident? Is the plan straightforward, actionable and tailored to the organization’s risks and resources? Additionally, make sure the IRP is available to all members of the organization and review it as a group.
- Facilitate Tabletop Exercises (TTXs). Encourage customers to host simulated cybersecurity incidents designed to test an organization’s ability to respond to a real-world attack — with you as a facilitator. These exercises are an effective way to test your customers’ IRPs. To facilitate TTXs, either develop your own scenarios or leverage CISA resources that offer practice exercises and discussion questions. After each exercise, hold retrospectives and work with the customer to refine their plan, ensuring it reflects their resource availability and evolving threats.
- Fill in Customer Security Chasms with Third-party Services. You may uncover gaps in customers’ defenses where both you and the customer lack resources to address a given issue. In these cases, many MSPs turn to third-party cybersecurity providers to complement their services. For an upfront cost, services like managed detection and response (MDR) equip customers with a dedicated team of experts to navigate dynamic threats, helping decrease their likelihood of falling victim to costly data breaches. Some cybersecurity providers also offer incident response retainers that enable experts to quickly jump into active threats, investigate, and remediate them. Collaborate with customers to assess their specific security needs and provide insights to guide strategic investments in third-party services.
- Promote a Culture of Security. While helping customers build their IRP, don’t overlook day-to-day security hygiene. Help establish and promote a security-first culture through education and training, such as phishing training, to lay the foundation for an effective IRP. Make sure customers have adequate defenses in place, like multi-factor authentication (MFA) and strong password policies. Even the most thorough IRP can’t rectify human error or lax security practices.
Build SMB Resilience By Being Proactive
The increasing overlap between the technologies and infrastructure used by SMBs and large enterprises means their attack surfaces have more in common than ever.
But while facing the same sophisticated threats as large enterprises, your SMB customers lack the same depth of resources and expertise to prevent and mitigate the resulting attacks.
Through comprehensive incident response planning tailored to your customers’ resource availability and risk exposure, you can make sure they are prepared to act before, during and after a cyberattack.
Scott Barlow is vice president of global MSP & cloud alliances for Sophos.
