As cyberattacks continue proliferating and data breaches continue gaining headlines, people in general—and business owners in particular—have become increasingly aware of the need for greater cybersecurity. Yet people often think of cybersecurity in binary terms—you’re either safe or not. But the truth really isn’t that black or white.
Instead, businesses should think about cybersecurity in terms of risk. What risks are acceptable? Which aren’t? Ultimately, you should think about how to reduce your cyber-risks over time.
Risks: A Smarter Way of Approaching Security
As previously mentioned, many people only focus on the end goal of cybersecurity—protecting their assets from cybercriminals. However, some assets are more important than others. And some attacks are more difficult to deal with than others. For example, if a project manager gets a cryptominer on their system that doesn’t attempt to reach out across the network, the damage to the business will be minimal. However, if a sysadmin gets a keylogger that sits silently on their system, criminals could walk away with a boatload of sensitive information.
Businesses already think in terms of risks in other areas. They know some systems are too critical to stay offline for too long, and so those become the focus of their backup and disaster recovery strategies. The same thinking should apply to security. If you don’t have conversations about risk, you could set yourself up for problems. Here’s why:
- False expectations: It’s easy to fall into the trap of selling the “perfectly secure” dream when it comes to security. But this sets customers up for false expectations. Despite user training and strong email security, an employee could still click on a phishing link and download malware. You could inherit systems from a previous provider with serious security flaws or even compromised systems. Or you could face a zero-day attack that no one in the industry sees coming, which hobbles your customers’ businesses. There’s just too much uncertainty with security to think of it as all-or-nothing. If you set customers up to think in terms of secure or insecure, you’re simply not presenting a realistic picture.
- Risk to your business: Building on the previous point, if you promise customers the moon and can’t deliver, you could lose their business and potentially build a bad reputation. There’s no reason for that—just remind them they should be thinking in terms of risk like any other investment.
- Tradeoffs with convenience: Security measures can usurp the user experience for customers easily enough. Often, security requires people to jump through additional hoops, which can slow them down (and be a pain in the neck). Just think about two-factor authentication (2FA)—instead of simply providing a username and password, you have to enter an additional code to gain access to your accounts. But when you think in terms of risk—and set that expectation for customers—you can heighten your level of security for the riskiest assets and offer a more basic level of security (and higher level of convenience) to the rest of the workforce.
Shifting the Conversation
Before we get into specifics, it’s worth mentioning that you can still talk “security” with customers. You probably should kick off your first prospecting conversations by emphasizing cybersecurity. But once you get down to brass tacks, make sure both the bulk of your sales conversations and your first kick-off calls emphasize risk. Here are some tips:
- Ask risk-based questions during sales calls: When talking to potential customers, ask good questions to uncover the biggest potential risks in their environments. Obviously, you don’t want to get too far in the weeds here or gather anything too sensitive about their environment. However, you should ask about their patching policies, how often they run backups, whether they employ additional email security, or use endpoint protection. These can help you remind them that security isn’t an all-or-nothing proposition. They can also help you better tailor your services to their needs.
- Start your relationship on the right foot: Once you land the account and have greater access to their environments, dig further into their potential risks. For example, if they have certain accounts with access to sensitive data, you may want to require multifactor authentication (MFA) when signing in and use a secure VPN if they’re not on the corporate network. Or you may decide to focus on segmenting the networks to prevent lateral movement from threats. Regardless, survey the environment, determine where their greatest risks lay, present your clients with a plan, and execute.
- Periodic risk reviews: Over the course of your customer relationship, make sure to consistently review your customers’ current environment and security practices. As new risks crop up, document them and periodically review them with your client. This lets you act as an advisor to the client on how they can continue reducing their overall risk—and gives you the opportunity to expand coverage or sell new services to the client.
- Consider your own risk factors: As an MSP, you should make sure your own security is up to scratch. For example, if one of your technicians uses a weak password, they could leave multiple clients open to a potential security breach (although, you can greatly reduce this risk by using a strong password management solution like SolarWinds® Passportal.)
Reducing Customer Risks, Piece by Piece
When it comes to security, it’s probably healthier and more realistic to think in terms of reducing risk than in terms of “secure or not.” Over time, your goal as a services provider should be to mitigate the risk to customers step by step. Start with any obvious risks such as poor patching policies, infrequent data backups, or devices without endpoint protection, then build out from there. At the end of the day, we need to think of security like any other part of a business—an exercise in acceptable and unacceptable risks.
A good portion of security threats find their way into organizations via the inbox. If your customers rely completely on the native security of their primary email provider, then they’re taking a major risk that could be dealt with easily. SolarWinds® Mail Assure can help. Designed for MSPs, it uses collective intelligence from its global user base to help make it easy to prevent email attacks from harming a business. Learn more about SolarWinds Mail Assure today.
Guest blog courtesy of SolarWinds MSP. Read more SolarWinds MSP blogs here.
