A playbook is meaningless if no one reads it, and useless if no one executes against it. The same can be said for a company’s policy on cybersecurity. Just because you have one, or set one for your clients, doesn’t mean a thing if it’s not being followed and refreshed regularly.
Combating cyber threats is a team sport. It requires everyone’s efforts to play IT safe—from the MSP to the end-user. Today’s cybercriminals know MSPs hold the keys to unlocking data within countless small and midsize businesses. Don’t become a headline. Use these tips to help your team tackle cybersecurity within your organization, as well as with your customer base.
Perform Regular Assessments. To ensure you know what you have and what you don’t, you need to regularly audit your business, as well as your customers, to account for what’s in play and what isn’t. The audit should include documenting the technologies you’re using and the policies you have in place as well as those you don’t. It should also uncover any shadow hardware or software that is being used to access company data. In addition to minding the gaps, a few common red flags we often uncover during assessments include:
- Multiple unmanaged endpoint security products with varying license expiration dates.
- An obsolete or unpatched operating system (e.g., Windows XP), an OS nearing end of support (e.g., Windows 7), or a current operating system (e.g., Windows 10) that’s behind on software patches.
- Personal devices that are unmanaged.
Use the Right Tools. There’s no shortage of tools and technologies to thwart cyberattacks. The challenge is using and managing the right tools and technologies in concert. Often in this space, more is just more and can actually result in diminishing returns. Use your assessment to take inventory and then take action. Set a standard of excellence and stick to it. Apply the solutions you standardize on both inside your organization and at your clients.
Secure Identities. To help solve identity management challenges, consider using an identity management tool like Okta, ClearLogin, Azure Active Directory, or similar products designed for teams in addition to implementing multifactor authentication for your team, as well as your clients.
Limit and Monitor Network Access. Your network houses a vast amount of intellectual property and sensitive information, and not everyone in your organization needs access to it. Only provide access to what’s required to get the job done and limit full or admin access to those who genuinely need it. Do the same at the client.
Always Test Cyber-Awareness. Research shows that end users are responsible for up to 91% of all security breaches, even where the latest, most advanced technologies are in place. Whether it’s using easy-to-guess passwords, clicking links and attachments from phishing emails, or falling for social engineering scams, victims often play some role in the breach. Employee training and awareness programs from providers such as KnowBe4, Mimecast, and Symbol Security are a must, and you should include simulated phishing attacks to validate learning retention.
Be Willing to Walk. Tackling cybersecurity isn’t a part-time job, and, again, it is a team sport. If your company isn’t prioritizing cybersecurity, why not? If your customers aren’t willing to adopt the best practices you’ve set out, why keep them? Cybersecurity must be taken seriously, and if your company, colleagues, and/or clients aren’t making every effort to do so, you have to be willing to walk away.
ARG strives to help clients stay ahead of the overwhelming choice and pace of change that are ever-present in IT decisions today. Justin Praske has been assisting clients in managing that choice and pace of change at ARG since 2004. As Chief Solutions Officer, he leads the product and analyst teams that are tasked with anticipating the changes coming in technology, partners, and pricing—and sorting through the noise for our clients—so that they can make the best decisions.