Managing the Moving Target: Cybersecurity for the SMB

You may not want to admit that your clients don’t understand the dangers of working through the world wide web, but that won’t make the problem go away. No matter how much your team tries to educate business leaders and employees on all the various security risks, from phishing schemes and poor password management to social engineering, few will ever fully grasp the complexity of the issue. Few will ever feel completely comfortable without a 100% protection guarantee.

As every MSP knows, you can’t give anyone those types of assurances. Cybercriminals target everyone and won’t stop until they get what they want, nor will they allow even the most formidable defenses to get in their way. As long as these activities remain highly profitable, the quantity and severity of these activities, along with the number of people who fall into their traps, can be expected to continue rising.

After all, cybersecurity has become more of a human interaction problem than a deep-rooted technological challenge. Just one mistake, such as visiting a virus-infested website or clicking a link in a phishing email, is all it takes to lock down an entire network. Those in the tech industry understand those risks.

Unfortunately, your clients and prospects may not fully appreciate the danger or share the same level of concern that you and your team members have. At least not enough to take their security responsibilities seriously.

Spell It Out

It’s human nature to take shortcuts. Some tend to confuse those actions with efficiency, but when email recipients skip a basic security best practice and click on an infected link in a message, they will likely end up costing their employers a lot more time and money.

That’s why everyone who touches a computer should abide by corporate network and data protection standards. Whether your clients include those rules in their electronic policy or develop a separate document with cybersecurity guidelines, every company should have a list of employee expectations.

It may seem like a formality, but every company must require everyone with network access to sign that document and register for a user awareness training program, with zero exceptions! From the receptionist and college intern to the top member of the management team (including the owner or CEO), every employee must be held accountable for maintaining a strong cybersecurity posture.

Company standards are essential. Without rules in place, no one can be held accountable for following security best practices or reporting suspicious behaviors. As “chief cyber officers,” MSPs have a responsibility for ensuring that their clients have practical rules in place and that everyone is closely following those guidelines. Punishment for non-compliance typically falls to the customer, though there are certain situations where providers may need to lock down network access for those violating the protocols. Those corrective actions should be spelled out in the client’s security policy (whenever possible).

Shake and Stir

Repetition is key. Without an ongoing end-user training program, it’s far too easy for people to lapse into bad habits or not be aware of the latest schemes that cybercriminals have unleashed on what they hope will be an unsuspecting public. No MSP wants their clients to fall into that trap.

The key to good cyber health is keeping end users on their toes. Maintaining an effective cybersecurity posture requires organizations to mix up the activities from time to time. In addition to the regular training and testing regimen, which typically includes a variety of activities, MSPs should schedule penetration tests and other impromptu drills.

While you may not be able to thoroughly assess your clients’ real-world readiness without significantly disrupting their operations, security checks help providers identify issues and tighten their controls. Without that insight, it’s harder to manage the risks and set the proper expectations.