The plethora of newsworthy data breaches over the past twelve months has both helped and hindered the efforts of channel companies. Hackers and cyber criminals have been invading networks and exploiting vulnerabilities for years, but the stakes are growing and, no matter what investments companies are making, it’s rarely enough to halt their efforts. The good news is that business leaders are learning just how valuable their information is. The bad news (for them, as well as providers) is that, even with a multitude of protection tools at hand, there are never enough security measures to stop determined hackers.
So how can channel firms expect to stop these breaches or at least discourage cybercriminals from targeting their clients? That was a major point of discussion during the CompTIA IT Security Community meeting at ChannelCon earlier this month. One thing many members agreed on is that breach protection begins with the basics. Today’s solution providers need to offer at least a minimal level of protection to their customers, such as AV and firewalls, and then educate them on the more advanced services that are available. Some channel firms may choose to offer that next-level support themselves, including end user training and pen testing. The key is to ensure your clients clearly understand the risks and their security options, regardless of who ends up delivering the services.
In fact, community members invested much of their ChannelCon meeting time discussing various levels of security portfolio offerings. Group leaders divided the room into three sections based on existing and desired security goals (foundational, comprehensive or advanced) and then focused the conversation on defining what it meant to offer that particular level of protection from a channel perspective. They discussed and described the key benefits of their particular portfolios, as well as what their specific clients wanted and needed to meet business and compliance requirements. The goal of the breakout session was to create a list of what providers consider to be essential offerings for their customers.
The “advanced security” group discussion was facilitated by Community Executive Board members Mike Semel, President & Chief Security Officer of Semel Consulting, and Charles Tholen, President and CTO of Cognoscape. They started out with a “deep-dive” into the regulatory and compliance measures MSPs’ customers need to have in place, including active monitoring, incident response teams and pen testing. Semel started off by asking attendees, “Are you really providing comprehensive advanced security or just offering your customers a lighter, Cliff’s Notes version?” He was referring not just to the tools, but to the crucial support services that will help MSPs differentiate themselves as true security experts. That includes testing processes, forensics and other critical support options. What ‘nuggets’ of information were shared during the breakout?
- Security professionals have to validate when an actual incident has occurred, which may require forensic services. Your client needs to know if and when a reportable breach has occurred so they can take the appropriate actions and, hopefully, minimize their potential fines and liabilities. A $5,000 investment in these types of services may seem expensive, but it’s actually quite cost-effective when you consider the major financial penalties and/or the loss of intellectual property they face should a breach occur.
- Understand that you are not responsible for your customers’ compliance. That’s an important thing to remember. For example, if one of their employees fails to follow procedures, you shouldn’t (and can’t) be accountable for their mistakes. “If they only do eight of the ten things we recommend after performing a compliance review, we can’t be responsible,” emphasized Tholen.
- If you are providing advanced security services (or plan to), be sure to check in with your business’ insurance company. Your risks may be substantially higher than a typical VAR or MSP business. You need to ensure liability coverage will protect your company if a breach were to occur with one or more of your clients.
- Detection is the problem. Are you monitoring their systems for irregular behavior? You need to develop a baseline so issues are easier to spot. “The goal of monitoring is to reduce the time between incident occurrence and detection,” said Tholen. The average time between occurrence and detection is 57 days, and third-party organizations are responsible for discovering many breaches.
- Pen testing (penetration testing) is quite advanced, requiring certain skills and certifications. It’s a good way to assess employee security best practices, but partnering here may make more sense since the investment can be significant and the service may be used very infrequently.
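The baseline-then-deviation idea behind the monitoring point above is easy to show concretely. The following is an added example, not code from CompTIA or from anyone quoted in the post: it counts failed logins per host per day from a handful of constructed log lines, builds a per-host baseline over a quiet window, and flags a day that rises well above that baseline. The log format, host names, day labels and the "mean plus three spreads" rule are all assumptions chosen for the illustration.

```python
"""Baseline-and-deviation check for failed logins (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines, format "<day> <host> <event>". They are made up
# for this example and do not come from any real system. Days 01-05 are quiet;
# on day06 one host suddenly shows twelve failures.
SAMPLE_LOG = "\n".join(
    ["day01 ws-finance-01 LOGIN_FAIL"] * 2 + ["day01 ws-finance-01 LOGIN_OK"]
    + ["day01 srv-files-01 LOGIN_FAIL"]
    + ["day02 ws-finance-01 LOGIN_FAIL"]
    + ["day03 ws-finance-01 LOGIN_FAIL"] * 3 + ["day03 srv-files-01 LOGIN_FAIL"]
    + ["day04 ws-finance-01 LOGIN_FAIL"] * 2
    + ["day05 ws-finance-01 LOGIN_FAIL"] * 2 + ["day05 srv-files-01 LOGIN_OK"]
    + ["day06 ws-finance-01 LOGIN_FAIL"] * 12 + ["day06 srv-files-01 LOGIN_FAIL"]
)

# The window used to learn "normal" for each host (an assumption of the example).
BASELINE_DAYS = ["day01", "day02", "day03", "day04", "day05"]


def count_failures(log_text):
    """Return {host: {day: number of LOGIN_FAIL events}} parsed from raw lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole run
        day, host, event = parts
        if event == "LOGIN_FAIL":
            counts[host][day] += 1
    return counts


def build_baseline(counts, baseline_days):
    """Per-host (mean, population stdev) of daily failures over the baseline window.

    Days with no failures are counted as 0; leaving them out would inflate the
    mean and make genuinely quiet hosts look noisier than they are.
    """
    baseline = {}
    for host, per_day in counts.items():
        series = [per_day.get(day, 0) for day in baseline_days]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def find_deviations(counts, baseline, days, k=3.0, min_spread=1.0):
    """Return [(host, day, count)] where count > mean + k * spread.

    The spread is floored at min_spread so that a perfectly flat baseline
    (stdev 0) does not turn every single extra failure into an alert.
    """
    alerts = []
    for host, per_day in counts.items():
        avg, spread = baseline[host]
        threshold = avg + k * max(spread, min_spread)
        for day in days:
            n = per_day.get(day, 0)
            if n > threshold:
                alerts.append((host, day, n))
    return alerts


def run_check(log_text=SAMPLE_LOG):
    """Learn the baseline from the quiet window and check the newest day against it."""
    counts = count_failures(log_text)
    baseline = build_baseline(counts, BASELINE_DAYS)
    return find_deviations(counts, baseline, ["day06"])


if __name__ == "__main__":
    for host, day, n in run_check():
        print(f"{host}: {n} failed logins on {day} exceeds its baseline")
```

Run as a script it reports only ws-finance-01 for day06; srv-files-01, whose single failure that day sits inside its normal range, stays quiet. In a real deployment the window would be days or weeks of actual telemetry and the threshold tuned per signal, but the shape of the check, learn normal first and then alert on departures from it, is what shortens the gap between occurrence and detection.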
Several IT Security Community members also emphasized the value of using the CompTIA IT Security Assessment Wizard that they developed as a group initiative. This straightforward, three-page questionnaire allows MSPs to produce a comprehensive and comprehensible profile of their clients’ IT security systems. It offers providers a great place to start the conversation and gives them an opportunity to evaluate the true potential for expanding their security portfolios.
To learn more about how members are using the IT Security Assessment Wizard, and the value of joining the Community’s discussions, register here.
Lisa Person is Director of Member Communities for CompTIA