6 best practices for informing MSP clients about cyber risks
With the cybersecurity threat landscape in a constant state of change, MSPs must help clients understand how to protect themselves. Here are six best practices.
As cybersecurity constantly changes, MSPs need to ensure their clients adapt along with emerging threats.
Because clients are busy running their businesses, it's important that MSPs provide the resources clients need to protect themselves. There are many different strategies for doing this, from supplying educational content to performing in-person training. The best approach is to combine some or all of these tactics.
With that said, here are six best practices for keeping clients informed about evolving cybersecurity risks.
Perform regular security audits
It's well known that most businesses think they're far more protected against cyberthreats than they actually are. In reality, only 5% of companies' folders are protected on average, according to a study by security firm Varonis.
The best way to make clients aware of their vulnerabilities is to show them through regular security audits. Not only do audits drive home the importance of cybersecurity, they also bring to light new risks that have emerged since the client's last audit.
Any thorough audit should check for the following:
- insecure passwords;
- overly permissive access control lists (ACLs) on folders;
- inconsistent ACLs on folders;
- a lack of file activity auditing;
- outdated security software; and
- noncompliant software installed on systems.
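As an added example (not from the article or its author), the two ACL items on the checklist can be turned into a repeatable check. The script below works on POSIX mode bits rather than Windows ACLs; it flags folders that are writable by everyone and folders whose "others" permissions are wider than their parent's, and the folder names and modes in SAMPLE_FOLDERS are constructed sample data.

```python
import os
import stat

# Constructed sample inventory (path -> POSIX mode bits), standing in for the
# result of walking a client's shared folders. Not real client data.
SAMPLE_FOLDERS = {
    "/srv/share": 0o755,
    "/srv/share/finance": 0o770,
    "/srv/share/finance/payroll": 0o777,  # world-writable AND wider than parent
    "/srv/share/hr": 0o750,
    "/srv/share/hr/offers": 0o755,        # 'others' wider than parent (0o750)
    "/srv/share/public": 0o755,           # same as parent: consistent
}

WORLD_WRITE = stat.S_IWOTH   # write bit for 'others'
OTHERS_MASK = stat.S_IRWXO   # rwx bits for 'others'


def find_overly_permissive(folders):
    """Folders that grant write access to 'others' (anyone on the host)."""
    return sorted(p for p, mode in folders.items() if mode & WORLD_WRITE)


def find_inconsistent(folders):
    """Folders whose 'others' bits exceed those of their parent folder.

    A child that is more open than the directory above it is the usual
    trace of a one-off chmod that was never reviewed.
    """
    findings = []
    for path, mode in folders.items():
        parent = os.path.dirname(path)
        if parent not in folders:
            continue  # top of the inventory; nothing to compare against
        extra = (mode & OTHERS_MASK) & ~(folders[parent] & OTHERS_MASK)
        if extra:
            findings.append((path, oct(folders[parent]), oct(mode)))
    return sorted(findings)


def inventory(root):
    """Walk a real directory tree into the same path -> mode shape."""
    return {d: stat.S_IMODE(os.lstat(d).st_mode) for d, _dirs, _ in os.walk(root)}


def audit_report(folders):
    """Findings keyed by the two checklist items they correspond to."""
    return {
        "overly_permissive": find_overly_permissive(folders),
        "inconsistent": find_inconsistent(folders),
    }


if __name__ == "__main__":
    for item, hits in audit_report(SAMPLE_FOLDERS).items():
        print(item, hits)
```

Run it against a live tree with `audit_report(inventory("/path/to/share"))`; on Windows shares the same two checks would be applied to DACL entries instead of mode bits.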
At the very least, MSPs should perform a cybersecurity audit for their clients once every two years. Additional audits may be needed as new threats emerge. Companies that store sensitive customer data require more frequent audits. Depending on the data, monthly or even weekly audits are recommended.
Update clients through newsletters and social media
Emailed newsletters provide an easy way to inform clients about new threats. MSPs can use newsletters to talk about cybersecurity news, their companies and the industry as a whole. By regularly sending newsletters, MSPs can also keep cybersecurity top of mind for clients.
When using newsletters, the key is to provide value. If MSPs send out newsletters too often -- or simply use newsletters to promote their services -- people will unsubscribe fast. However, if newsletters contain important information that's useful for clients' businesses, they'll likely get read.
There are a lot of opinions around how often newsletters should be sent, but once a month is a good cadence.
Another option for communicating security updates is to use social media. Regular posts that offer useful information will keep clients coming back. Additionally, they'll help MSPs grow their social media following.
Here are some potential topics MSPs can cover in their newsletters and social media posts:
- reminders about cybersecurity best practices;
- updates around new phishing scams and malware;
- announcements about cybersecurity training and seminars;
- links to useful articles and resources; and
- overviews of what the MSP is doing to protect clients.
Publish blog posts
Emailed newsletters are a useful tool, but they don't lend themselves to long-form content. Some topics require a more detailed explanation, and this is where blogs come in.
Like newsletters, blogs are a way to update clients on industry news, potential risks and cybersecurity strategies. However, blogs can go far more in-depth, creating a great resource for clients to bookmark and refer to on a regular basis.
Blogs also allow MSPs to establish themselves as cybersecurity authorities and build trust with clients. By demonstrating expertise, MSPs can attract new clients -- and influence existing clients to heed advice.
Blog posts are extremely effective when used in tandem with emailed newsletters. MSPs can preview their blog posts in newsletters and link to the full post so clients can click through for more information.
Hold seminars, events and webinars
As cybersecurity leaders in their communities, MSPs should give back. One way to do this is to hold local seminars and events.
Seminars and events give clients a chance to learn what's happening in the cybersecurity industry, receive the most up-to-date information and ask time-sensitive questions. Events don't have to be large or expensive. By simply renting a room and inviting clients and businesses to an informative presentation, MSPs can provide immense value.
In fact, events don't even need to be in person. MSPs can hold webinars that clients can join from any location, potentially reaching a greater number of people.
The great thing about events is that businesses won't just learn from MSPs. They'll also learn from their peers. By networking with other professionals, clients can discover what similar businesses do to protect themselves.
Cybersecurity awareness training and phishing simulations
Seminars and events are a good introduction to the subject matter, but they can't replace one-on-one training. As with security audits, MSPs should regularly conduct security awareness training with clients to ensure they're properly protected and aware of potential threats.
According to a Canadian Internet Registration Authority cybersecurity survey, a mere 22% of businesses conduct regular cybersecurity awareness training. Only 41% of businesses have mandatory cybersecurity training for new employees. So, this is likely an area many clients can improve on.
Training should include information on the following:
- compliance and operational security;
- potential threats and vulnerabilities;
- application security;
- data security;
- host security;
- access control;
- identity management; and
- cryptography.
In addition to training, MSPs should perform phishing simulations. Phishing simulations allow organizations to identify their vulnerabilities and reinforce the training provided to their team.
Review clients' policies and security procedures
As clients' cybersecurity advisors, MSPs will likely be involved in developing policies and procedures. Once clients have policies and procedures in place, it's important for MSPs to review them with clients and their teams at least annually.
These reviews serve as a refresher for clients' existing employees and an introduction for new staff members. Reviews also give MSPs a chance to update and add procedures that address emerging threats.
Additional reviews may be required if a client does any of the following:
- opens a new office;
- allows employees to work from home;
- allows employees to use their own devices;
- hires remote workers; and
- experiences a security breach.
Cybersecurity isn't always the first thing on clients' minds, so it's up to MSPs to ensure they stay well informed on the latest developments. By using the strategies above, MSPs can become confident that their clients have all the information necessary to keep their businesses safe.
About the author
Stanley Kaytovich is director of operations at Qwerty Concepts, a managed service provider based in Piscataway, N.J. Kaytovich is also a member of The ASCII Group, a North American IT community of MSPs, solution providers and systems integrators.