Channel

MSP Security Strategy: Stop Chasing Shiny Objects

Share
SolarWinds MSP VP Tim Brown
Related Podcast: Author Tim Brown, VP of security at SolarWinds MSP, shares strategies in this podcast.

In their attempts to keep up with the fast-evolving cyberthreat landscape, security vendors will often introduce solutions with new features and capabilities backed up by a lot of hype. The solutions capture the attention of MSPs who are always looking for new, effective ways to protect their customers’ environments. But they aren’t necessarily what MSPs or their clients need.

If new products were the only answer to cyberthreats, surely we would have solved the problem by now, considering the frequency of new product releases. But while cybersecurity solutions are necessary, frequent updates and new features often amount to nothing more than shiny objects that distract and derail MSPs from the task at hand, which is to secure and manage the environment. There’s no “silver bullet” to fight cybercrime. Addressing it takes a lot of hard work, education, data hygiene, and strategic thinking, as well as an unwavering dedication to keeping the basic IT security measures up-to-date.

Constantly adding new tools and features can in fact, be counterproductive, adding complexity to the cybersecurity environment. Complexity can sometimes create more problems than it solves, potentially adding new vulnerabilities.

So rather than get sidetracked by the latest and greatest security solution, MSPs should work with clients to assess their vulnerabilities, prioritize their data, and develop a plan to manage risk as best they can—and keep employees well-informed of threats and hazards. Here are three tips to getting this done effectively:

1. Focus on the Basics

Effective security requires a keen focus on the basics. If you handle this part well, the rest should follow. This includes making sure clients have reliable endpoint protection that scans for malware and blocks suspicious data, deploying and maintaining firewalls, applying patches in a timely manner, and making sure to back up data regularly so it’s available when needed for a restore.

MSPs should also work with clients to help implement strong authentication policies, restrict systems access to only the applications, databases, and services each user needs to do their jobs, and educate users on how to spot and avoid cyberthreats.

With the basics taken care of, MSPs can then focus on the more complex tasks of cybersecurity and the ongoing management part. The better managed an environment is, the safer it can be. Monitoring and detection solutions are essential to a well-managed environment, but they cannot do the job alone.

2. Risk Management

A lot of client communication is necessary to prioritize data and determine the level of risk each client is willing to tolerate. Since MSPs already help manage business risk for clients, they can take a similar approach to helping to manage security risk. To that end, MSPs should talk to clients about how to identify and protect their most important data, the “crown jewels.” That’s the data cyberattackers are more likely to try and steal.

From a technology perspective, managing risk involves tasks, such as:

  • Identifying at-risk data and assessing vulnerabilities across the environment
  • Addressing the potential financial impact of a breach
  • Tracking historical risk trends and sharing them with clients
  • Conducting risk intelligence scans
  • Leveraging threat intelligence sources to keep systems and policies up-to-date

But technology alone isn’t enough to activate effective risk intelligence. It takes a comprehensive strategy—spanning processes, people, and a deep understanding of the intricacies of the business itself—to succeed at reducing the attack aperture. In approaching security from a risk management perspective, MSPs can help clients recognize that security can never be 100 percent guaranteed. But if a business takes all the proper steps to protect itself based on best practices, it can be much better prepared to respond should an attack ever occur.

3. Responsibility goes both ways

MSPs should try to get comfortable with the role of risk-management advisor and educator. Even when clients understand security risks, which isn’t always the case, they still may have a nebulous idea of how to address them. Because security talent is so scarce, they typically struggle to find and hire skilled cybersecurity professionals.

The responsibility falls on MSPs to help their clients understand the risks they face, the “what ifs,” and how to address them. And to accomplish that effectively, MSPs shouldn’t allow themselves to be distracted by the newest, shiny object in security. Otherwise, they might not be able to deliver the best possible security solutions to clients. Simultaneously, clients must also be willing to engage and build their awareness. It is difficult to do one effectively without the other.


Tim Brown is VP of security at SolarWinds MSP. Read more SolarWinds MSP blogs here.