Managing cybersecurity for small and midsize businesses (SMBs) often feels like you’re playing whack-a-mole. Many SMBs don’t have tightly defined procedures, so MSPs must build cybersecurity programs from scratch and respond to real-time threats. This lack of definition can have high stakes — about 40% of SMBs report losing critical data after a cyberattack.
Security requires careful thought, perhaps even more than what’s modeled in the wider industry. A recent study conducted by independent research firm TAG showed that even among CISOs and dedicated security teams, there’s a brewing crisis of confidence in their workday procedures for managing cybersecurity. About 93% are not sure their data protection policies are working.
The study unearthed several insights that MSPs should take to heart as cautionary tales when building cybersecurity programs for their SMB clients. By learning from these five gaps and pitfalls, MSPs can help keep their clients’ data safer — and protect their own reputations.
No. 1 There’s an Endpoint Data Protection Gap
Despite 93% of teams surveyed noting that they have policies or controls to protect their endpoint data, 71% of CISOs said they wouldn’t be surprised if they had a serious data breach on their company’s endpoints. This shows an alarming lack of confidence in the preventive controls in place for managing cybersecurity at these organizations. This means IT professionals aren’t even sure themselves that the steps they’re implementing to protect their data are even effective.
No. 2 More Tools Does Not Equal Less Risk
MSPs often showcase cybersecurity tools focused on detection and prevention to demonstrate their capabilities. That’s great, but cyber defense shouldn’t stop there.
Most of the security teams surveyed have deployed tools designed to detect and prevent malware to help protect their data. Nevertheless, a key finding of the study was that most of the teams had not deployed effective endpoint data backup and recovery tools for data resilience — putting their data at risk of loss when terrible things happen. Processes and tools designed to detect and prevent don’t always work, and simply having more tools doesn’t always translate to risk reduction.
No. 3 Manual Policies Are Not Effective
How much does your client’s cybersecurity posture depend on individual employees complying with policies? TAG’s study shows that cybersecurity controls that are dependent on employees adhering to administrative or technical policies are not effective and can put critical organizational data at risk.
Most security professionals surveyed noted that policies play a significant role in their strategy to backup endpoint data. However, they also expressed serious doubt that these policies were effective for managing cybersecurity. Having known ineffective controls in place is a bad place to be for a security practitioner. That said, it represents an opportunity for MSPs to provide tools that support defense-in-depth and data resilience.
No. 4 Cloud Collaboration Tools Are Not Backup
Are you letting your SMB clients use cloud collaboration platforms (CCPs) for backup and recovery? While CCPs are great for sharing documents and editing in real time, the study found that many company teams are misusing these tools and relying on them for data backup and recovery. Unfortunately, they’re not designed to do that nor are they effective.
Instead, MSPs should educate their clients and ensure that the right tools are used for the right purposes and aligned with client risk tolerance. CCPs are great for collaboration, but they’re neither effective for data resilience nor recovery at scale across the organization.
No. 5 Businesses Are Overconfident in Their Data Recovery Abilities
MSPs should regularly test the tools and processes they have in place to protect their client’s data. TAG’s study found that while most security teams had protocols and tools to protect their data, almost none had been tested for effectiveness. Therefore, whatever confidence existed in these tools and procedures was based more on assumptions than reality.
The Answer Is Simple
Don’t put your clients’ data at risk. Advocate for strong data resilience and offer peace of mind with purpose-built endpoint data back-up and recovery tools.
MSPs have a responsibility to ensure that their clients’ cybersecurity postures are holistic and effective. It’s important to have defense-in-depth capabilities, and remember that tool misuse and policy-centric data resilience will not support holistic recovery in the event of an incident or breach.
Essentially, return to the fundamentals.
Todd Thorsen is chief information security officer of CrashPlan. With more than 15 years of information security experience across various disciplines, Thorsen has built and led security programs focused on global security operations, risk and compliance, incident response, resilience, and data protection.
Image: iStock