The new year is upon us: it’s time for business leaders to evaluate where to raise the bar. Cybersecurity is one area where nearly every organization can and should do more in the new year.
When we scan the landscape, we see various challenges, especially for SMB organizations. While many MSPs are experts in advanced cybersecurity tools, often there is a significant lag in client adoption. Multi-factor authentication (MFA) is just one example. MFA is one of the best tools to prevent cyber breaches, yet many MSPs only have it implemented for their largest and best clients. The rest of the clientele often remains exposed.
In other cases, clients may have robust information security policies or business continuity plans, but they have let them get long in the tooth. These sorts of plans require an annual refresh. Alas, too often procrastination sets in and the can gets further kicked down the road.
MSPs play a vital role in helping their clients continuously improve their cyber security posture. Cybercriminals and threat actors are relentless in finding new ways to exploit businesses and organizations. Therefore, MSPs and their clients should use the new year to take a fresh look at the cybersecurity challenges ahead. Now is the time for refreshed plans and new resolutions.
In this blog, we will explore the six best cybersecurity new year’s resolutions for MSP clients.
1. Implement Multi-factor Authentication (MFA)
MFA is one of the best tools to prevent cyber breaches. With MFA, the user is prompted to authenticate themselves with something they know, such as their password, and something they have, such as a one-time passcode generated by an app on a previously registered mobile device.
This two-step process is easy to implement and defends against situations where an employee’s password has been stolen. With widespread password re-use, if an employee’s re-used password gets into the wild, this password can be used by cybercriminals in “credential stuffing” attacks. In these sorts of attacks, threat actors aggregate stolen username and password information from the dark web and attack companies, sites, and services with the stolen credentials. MFA defeats these attacks because more than one authentication technique is required.
MFA is best paired with the use of a password manager. The only way to encourage employees to use strong and unique passwords on every site or service is to empower them with a password manager. Password managers generate a strong and unique password for each software tool, app, or service and then store these passwords in an encrypted locker. All an employee needs to do is unlock the password vault during their session or workday to use their unique passwords. MFA and password managers are a great one-two punch.
2. Deliver a Cybersecurity Awareness Program
Too many organizations are still doing annual cybersecurity training. Annual training doesn’t really work. It encourages a compliance mindset rather than real cultural change. If annual security training is merely a hoop to jump through, employees and staff will comply, but they will learn little and their habits won’t change.
There is a better way. The solution is a cybersecurity awareness program. By “program,” we mean something robust and ongoing. Researchers have discovered that adults learn through repetition and micro-learning. A good cybersecurity awareness program will deliver a steady stream of content, videos, education, and challenges to employees throughout the year. Bite-sized chunks of content, delivered in a compelling and fresh manner, actually raise awareness and transform people’s understanding and habits. Fortunately, there are several great services that MSPs and their clients can activate to deliver ongoing cybersecurity awareness programming to employees.
3. Routinely Audit Your Tech Stack
Another cyber hygiene area is routine technology audits. In today’s workplace, employees and department heads add new SaaS and software tools at a dizzying pace. Employees can access corporate SaaS applications from a wide range of devices, including laptops, desktops, smartphones and tablets. Some devices may be company-owned, while others may be BYOD. Suffice it to say, employees of all stripes have fully embraced the work-from-anywhere lifestyle.
Therefore, organizations of all sizes should thoroughly inventory their technology assets. Cataloging devices and physical infrastructure is easy enough. What’s harder is keeping track of SaaS applications and software tools. It is vital to understand all the different areas where corporate data may live, including on employee desktops, in file-sharing applications, or on mobile devices. Many industries operate with strict rules around the handling and storage of personally identifiable information (PII), protected health information (PHI), or other private client or customer information. If you don’t know where employees are storing data, or you aren’t governing it proactively, PII or PHI can be stolen, lost, or compromised. Generally, experts from an MSP are essential in the process of helping clients fully inventory and audit their technology assets.
4. Adopt a Cyber Security Standard
Adopting a cybersecurity standard is another good new year’s resolution. A cybersecurity standard provides a written framework of minimum policies, procedures, tools, and security processes. Most standards presume that various organizations will have different levels of maturity and resources. It is natural that smaller organizations will have lower levels of maturity, and smaller budgets for cybersecurity defenses.
There are various cybersecurity standards. A few of the most popular include:
- International Organization for Standardization (ISO) ISO/IEC 27032:2012
- Center for Internet Security (CIS)
- Control Objectives for Information and Related Technology (COBIT) 2019
- National Institute of Standards and Technology (NIST) Cyber Security Framework
The most important thing is for organizations to adopt a standard and stick to it for a meaningful amount of time. Moreover, a client needs to know where they stand in complying with the standard. Perfection is not the name of the game. Rather, awareness of where a client stands is the first and most important step. Next, the client’s leadership team needs to be guided by their MSP and take a proactive approach to risk management. But to know where a client really stands against a standard, they need a cyber risk assessment.
5. Perform a Cyber Risk Assessment
The new year is a great reminder to perform cyber risk assessments with clients. With the rapid pace of technological change, an annual assessment is a great idea. What’s more, the external threat landscape is also continuously evolving. New threats emerge and cybercriminals continue to innovate. Moreover, something that just a few years ago would have been considered “enterprise-grade” technology may now be considered standard for SMBs.
Clients should be encouraged to leverage a third party for cyber risk assessments. Checks and balances are important in helping leadership teams stay accountable while leveraging outside expertise. Many MSPs are experts in delivering this form of audit and assessment. A great idea is to weave the annual security assessments into premium service agreements or to ensure the client has adequately budgeted for an annual assessment.
6. Focus on Backup and Business Continuity
Lastly, MSPs should deliver clients robust backup and recovery solutions that protect all corporate data and infrastructure. A great outcome of a technology audit and risk assessment is for organizations to know where all corporate data resides. For instance, with the explosion in SaaS adoption, corporate data now resides in various cloud-based applications. The SaaS providers of these applications, such as Microsoft, Google, or Salesforce, are not responsible for backing up and protecting SaaS-based data. The client is, and by extension, so is the MSP. Therefore, organizations and their MSPs need to implement comprehensive backup and disaster recovery technology and services to protect corporate data no matter where it resides.
At Dropsuite, we arm MSPs with a cloud software platform to easily back up, recover, and protect their important business information. We work with MSP partners to help them educate, lead, and manage their clients for better cyber hygiene and operational health.