Cybersecurity breaches are making headlines more often—especially in our remote work reality—against organizations of all kinds, from the U.S. federal government to the private sector. While these headlines cover massive breaches, MSPs know that businesses don’t need to be big-name players to attract malicious actors. Small and midsize businesses (SMBs) are at risk for cybersecurity threats, too.
In fact, our 2020 ConnectWise State of SMB Cybersecurity report found that 77 percent of SMBs were worried about a cyberattack within the next 6 months. What’s more, 79 percent were concerned that their remote employees and devices would experience a breach.
As an MSP provider, existing and potential customers may have asked you about conducting a cybersecurity analysis. Or, if you’re working with clients who don’t understand their cybersecurity risk, you might be thinking about offering a cybersecurity analysis to alert them to possible dangers.
In this post, we’ll walk through the key areas of an effective cybersecurity analysis.
Privacy Program
Cybersecurity incidents put data at risk—from sensitive information to federally protected records, such as protected health information (PHI). Every cybersecurity analysis should include a thorough review of privacy policies to evaluate whether an organization is properly managing and storing data before a breach occurs.
A privacy program review includes:
- Internal Privacy Policy: How does the organization internally manage data, such as employee information? An internal privacy policy might also touch on the use of company assets such as the internet, computers, and mobile devices, and any applicable laws and regulations the business needs to follow.
- External-Facing Privacy Policy: Does the organization have a policy they share with clients, partners, or other external parties detailing how data will be used? Are they required as part of meeting privacy regulations?
- Employee Training: A privacy policy is only effective if it’s understood. Does the organization include training for employees to help them understand company policy? Are there any consequences for breaching the policy?
- Data Retention Policy: Last but certainly not least, how long does the organization store data?
Policies may need to take into consideration a variety of general data regulations, such as the General Data Protection Regulation (GDPR) in the European Union (EU). And most recently, upwards of 23 states have enacted privacy regulation to some degree.
Also, depending on their industry, your client may be subject to additional local, national, and international regulations. For example, in the U.S. organizations (covered entities and business associates) that manage PHI are subject to the Health Insurance Portability and Accountability Act (HIPAA), which is designed to ensure the privacy of sensitive health data, and the Health Information Technology for Economic and Clinical Health (HITECH), which expanded the enforcement of HIPAA with more technical requirements for healthcare providers using electronic health records.
This complex landscape is why a cybersecurity analysis should also include a review of the regulations your customer is subject to. What laws apply? What technological safeguards are in place to comply? How up-to-date is the business in ensuring compliance? Your analysis will reveal whether an organization has a clear, detailed process for data management and storage, especially for sensitive or personally identifiable information (PII).
Security Program
With advances in cybersecurity technology, people are often the weakest link in an organization’s security posture. Take, for example, phishing scams: It’s not uncommon for an employee to engage with a phishing email and inadvertently infect an entire company network.
Compliance with regulations (like those mentioned above) includes an organization’s ability to demonstrate that they’ve adhered to requirements. Proving that compliance doesn’t mean just “checking the box” one time. It requires ongoing awareness and action. A SMB cybersecurity analysis should assess what the current security program looks like, including:
- Security Awareness Training: Employees should be educated on common cybersecurity tactics, such as phishing.
- Clean Desk Policy: Information out in the open is vulnerable information—not just digitally, but physically. Does the organization address how physical information (such as flash drives and laptops) is stored when employees are away from their desks?
- Visitor Policy: What are the rules or security processes non-employees must follow when they visit an office? This applies to business partners, vendors, clients, and anyone who is not an employee coming into the office.
In addition to these policies and programs, MSPs should look for foundational security measures, such as multi-factor authentication (MFA) and an inventory of digital assets.
Tools
Almost no business today operates without software and technology tools. While these tools simplify business operations, they can also be routes for bad actors to enter an organization’s network. As part of a cybersecurity analysis, MSPs should look at their customer’s full suite of technology, including:
- Virtual private network (VPN)
- Wi-Fi / wireless networking
- Secure email gateway (SEG)
- Firewall
- Backup solution
- Domain name system (DNS) security
- Endpoint detection and response (EDR)
- Security incident and event management (SIEM)
While the process will vary with each tool, the analysis should include auditing, testing, and/or properly configuring settings. These tools are the technological frontline against cyber attacks, so it’s vital MSPs ensure everything is set up correctly.
System Hardening
Once you have a sense of an SMB’s policies, programs, and tools, it’s time to focus on defense: System hardening fine-tunes settings and removes unnecessary vectors of attack.
For example, you might discover that a client’s employees have unused and outdated applications on their computers. These should be removed, as any leftover apps are targets for hackers.
System hardening also includes enforcing policies, securing endpoints, implementing perimeter security, and instituting a patch management plan. As MSPs know, patch management is critical for keeping clients’ systems up-to-date, eliminating gaps in security, and resolving known problems.
Vulnerability Management & Assessment
Now that you have a pretty good sense of the organization’s security posture, it’s time to focus on vulnerability assessment and management.
In order to protect themselves against potential threats, SMBs must first understand their weaknesses. As an MSP, you can educate clients on potential vulnerabilities by defining gaps in security and recommending the best way to resolve them. Oftentimes, these gaps are caused by software bugs or weaknesses, so a management plan that monitors software programs in use and remedies issues as they arise is also helpful.
Incident Response Plan
While we all hope to avoid a cyberattack, hackers are becoming more sophisticated every year. Many SMBs have no idea how to respond to a breach. That’s why a cybersecurity analysis is incomplete without an incident response plan, defining clear roles and responsibilities for when—not if—a cybersecurity event occurs.
Cybersecurity Analysis: An Opportunity for MSPs
Cybersecurity represents a significant opportunity for MSPs to scale their business, expand employees’ careers, and build customer confidence with more business- critical services.
A cybersecurity analysis is an excellent way to engage new, existing, and potential clients—making them aware of the strengths and weaknesses of their cybersecurity posture. For more details on how to conduct an analysis, take a look at our robust checklist of SMB Cybersecurity Essentials and for a more rigorous assessment, consider ConnectWise Identify, which is based on the NIST cybersecurity framework. Of course, it's important to note that while certain tools can help organizations comply with regulations and frameworks, the simple act of using any one of those tools does not make an organization compliant in and of itself.
Last but not least, practice what you preach: Take a deeper dive with our SMB Cybersecurity Checklist and our self-assessment for MSPs to gauge your own cybersecurity preparedness. MSPs often manage sensitive or valuable data, with access to client devices, networks, and more that’s attractive to bad actors—in fact, three MSPs are targeted with ransomware every week on average. That’s why we always recommend that MSPs protect their own house, in addition to offering cybersecurity services to clients. Check out our ConnectWise MSP+ Framework and Playbooks to get started.
As more business functions move online and into the cloud, SMBs will continue to face cybersecurity threats. MSPs have an opportunity to evolve their businesses and provide cybersecurity support—and a cybersecurity analysis is a great starting point.
Author Jay Ryerse is VP, cybersecurity initiatives at ConnectWise. Read more guest blogs from ConnectWise here.
