The greatest risks to information security are your end users. Most security incidents happen because someone clicked on something.
If people learn to spot a threat and avoid it, you reduce your organization's risk.
Anyone and everyone in your organization is a potential source of the problem. That includes new employees, tenured employees and even the C-Suite: your COO, CFO or Chief Risk Officer. We can’t emphasize enough: everyone needs to be educated.
Training your end users to uphold your security strategy needs to be part of your security strategy. You can build end-user training and education for your employees yourself, or you can subscribe to services that manage the training for you. These services will put employees to the test with tools that send mock phishing emails and monitor responses, so you’ll know who clicks, who reports and who ignores potential threats. Based on their responses, employees needing more cybersecurity training will be sent educational resources on identifying threats and proper responses.
If your information is at risk, it’s better to know your risk and what you can do to secure your information than to go on pretending everything is OK.
A cybersecurity assessment will give you a score to help you understand your risk. A cybersecurity assessment looks at administrative, technical and physical security controls currently in place at your organization. These controls range from whether you have good lighting in the parking lot, to your clean-desk policy, to asset control.
Cybersecurity advice today is much different than it was 10 years ago. Industries have evolved, as have products. While we have all learned to evolve cybersecurity strategies over time, the bad guys have learned, too. This constantly changing cybersecurity environment underscores the need for cybersecurity scoring. What you did five to 10 years ago to keep your organization secure is probably not adequate today. Cybersecurity scores help you understand gaps right now.
If you have a cybersecurity professional on staff, they can complete a cybersecurity assessment for you. If you don’t have that expertise available to you, an MSP can help facilitate a cybersecurity assessment for you.
Organizations with a Chief Information Security Officer (CISO) on staff have the benefit of in-house expertise to guide their cybersecurity strategy. If you do not have a CISO in your workplace, a virtual Chief Information Security Officer (vCISO) can consult with your organization to help improve your cybersecurity strategy.
vCISO consulting is designed for companies that either want to build a cybersecurity program from scratch or enhance the one they already have. Often, after an organization completes a cybersecurity assessment, they need help staying on track to address vulnerabilities that were found. The goal of a vCISO is to keep the organization focused on building and improving that security strategy.
As an example of how this works, the basic vCISO program at Loffler includes a consultation with a client for a half day every month. Consulting includes project management to provide guidance for building and/or improving a cybersecurity program. Sometimes this requires more work than half a day can provide, so projects can be planned outside of that engagement. Depending on the IT expertise available within your organization, you may be able to handle some projects on your own, or more time can be added to vCISO engagement where needed. The important thing to remember is the service is customizable to fit your organization's needs.
Even if your organization does everything it can internally to be secure, infiltrations can still be caused by your vendors. Malicious actors target vendors to gain access to other companies, because vendors can be smaller and more vulnerable to attacks. One example of this exposure is a data breach experienced by a major retailer, which occurred after an attack on an HVAC vendor who had access to their systems.
Vendor risk management is about understanding and documenting the security of your vendors. Often, this means sending vendors a spreadsheet with many questions that aren’t easily identified or open to interpretation, leaving recipients unsure how to respond.
While you can do Vendor Risk Management yourself, you can also have it managed for you. When vendor risk management is handled for you, an assessment is sent out to vendor contacts that requests cybersecurity details from vendors, makes sure they’re responding, and then follows up and works to fix communication issues. Managed vendor risk management also monitors incoming responses, provides monthly reporting and conducts new assessments on an annual basis. Click to watch a recorded webinar showing Managed Vendor Risk Management in action.
All of this is taken care of for you, so no one within your organization needs to maintain your vendor risk management list. When a new partner relationship comes online, you simply enter the vendor contact information into the vendor risk management tool and an automated assessment is sent to them.
Managed Vendor Risk Management keeps vendors honest, and keeps your organization on top of any potential cybersecurity threats from your vendors.
The greatest IT security challenge is knowing, in real time, whether you're secure. With Managed Detection and Response (MDR), you have software watching for anomalies in your system that will alert you to potential cyber incidents.
One well-known approach to MDR is to build a Security Operations Center (SOC) to watch for these anomalies. Enterprise organizations for many years have been able to build and staff SOCs of their own, but smaller organizations often lack the budget to do so. Fortunately, SMBs can now hire a SOC as a service to monitor their systems for them.
The value in MDR is in the knowledge that a team of cybersecurity experts are always watching your systems. Intruders that enter your network will not go unnoticed.
With MDR, you can expect analytics, fine tuning to the monitoring of your systems and researching any events that could prove to be harmful.
When a notable cybersecurity event occurs, the MDR notifies your organization of it immediately, so action can be taken to protect your systems.
Having an incident response plan means you can answer the “What happens when...” questions with concrete responses. Can you answer those questions? Do you have an incident response plan?
Many organizations do not have a formal incident response plan, because having one requires an organization to admit they're at risk. This is a hard thing to do. But admitting risk exists is crucial to knowing what to do if something happens.
Think about an incident response plan like homeowner’s insurance. You don’t buy insurance hoping your home will burn down; you buy it to cover yourself if there’s a fire. The same logic can be applied to an incident response plan: You need an incident response plan, so that if something happens, you know what to do.
Your incident response plan needs to be documented. You need to know who to mobilize and which tools to deploy in the aftermath of a security incident. MSPs offer incident response planning as a service to clients which includes everything from writing the plan, to providing people who will act for you when an incident arises.
Physical security might not be the first cybersecurity solution on your mind, but it’s an important component of your cybersecurity strategy.
Physical security includes card access systems, video surveillance systems, alarm systems and more. All the things you’re using to keep your building monitored and secure. Physical security is used in office buildings, warehouses and remote offices. These business-grade physical security systems are hard-wired and more robust than what you’d see with consumer-grade security equipment.
Building access control is a great example of physical security playing a part in a cybersecurity solution. It makes employees’ lives more convenient, because they don’t need keys to buildings. People have access to areas they need. Building access control also helps lock areas down at specific times for certain people and allows you to grant access only when necessary. As it relates to cybersecurity, it controls access to and logs entrances into computer data centers and wiring closets. In addition, camera systems allow you to see who is going in and who is coming out of data-sensitive areas.
Outside of equipment and hardware, physical security also concerns having clean desk policies and good lighting in the parking lot. Security risks don’t always involve stealing intellectual property, but can often look like stealing access, a fundamental security concern.
What does your organization need to ensure the physical security of your organization? Which physical security best practices should be applied to your workplace? An MSP focused on cybersecurity can help you design a physical security plan with both employee safety and data security as top priorities.
Speaking of policies that help keep our people and our information safe, do you have formal policies surrounding your cybersecurity practices and procedures?
It's not a matter of if you experience a cybersecurity incident; it's a matter of when. Policy creation is an act of preventing poor security practices. At a minimum, you need a password policy, an incident response policy and an acceptable use policy.
The act of creating the policies is something many organizations can do on their own, but it’s a daunting and drawn-out task. Many don't know where to start. MSPs can provide policy templates to help clients get started, with expertise in policy creation that will help you get strong policies in place.
Let’s talk about an often-overlooked endpoint on your network: printers and copiers. This gets into endpoint security, the Internet of Things (IoT) and utility computing devices that are often forgotten in a business network environment. You need to be able to identify and secure those devices to keep your systems safe.
When printers, copiers and other endpoint devices on your network are left forgotten and unprotected, they can be subject to a cyber-attack.
Cybersecurity solutions can assess and protect your printers and copiers, to take the burden of securing printers away from your IT team; they don’t need to worry about them.
In addition, Follow-Me-Printing offer tools to manage printing to help you reducing waste and control costs, in addition to securing the documents you print by keeping them from unauthorized eyes. Follow-Me-Printing does this by requiring you to check in – either with a badge or a pin number – at the printer before you print. This prevents “hot” data like pay stubs from being left on a printer to be picked up by anyone.
Without proper planning, poor data storage solutions can lead to major headaches for your organization, ranging from the inability to access data, to security incidents that can lose the trust of customers, vendors and the general public.
The security of information — especially private and/or valuable data you store within your organization — is one of the most important cybersecurity considerations. Decisions you make regarding the storage of data will determine how secure it is.
You have many options when determining which data storage solution is right for you, including on-premise, Hyperconverged and cloud storage.
To decide what data storage solution fits your organization best, you need to consider your capacity needs, performance requirements, backup strategy and current infrastructure.
Do you have the expertise within your organization to make these decisions, or do you need to turn to an expert to guide you to the right choice to fit within your IT budget? This is where an MSP can help you choose, configure and maintain the right data storage solution to keep your data secure.
Many of the examples above look at cybersecurity in terms of protecting your systems from malicious actors outside your organization. Also important is not to forget another threat to your data: an unexpected disaster. A roof collapse, flood, fire or tornado can ruin a business that is not prepared with disaster recovery and business continuity. Does your organization have a way to keep your business running in the event of the unexpected?
Disaster recovery means being able to pick up the pieces and move forward following a disaster (roof collapse, flood, fire, tornado), and speaks specifically to making your systems work again, making your data available to you, should something go wrong.
Business continuity refers to being able to continue doing business in the event of a disaster. It means you have a plan in place to keep people working and clients attended to even if the worst happens.
Disaster recovery and data storage go hand-in-hand and are part of the same conversation, but for different reasons. The former means having a plan, the latter is the plan itself. The two share the same considerations regarding capacity needs, performance requirements and backup strategy. Like with data storage expertise, an MSP can help you determine disaster recovery and business continuity plans to keep your organization secure no matter what.
Latest News
Managed IT Services Pricing (Cost Guide + Examples)
Originally Published October 2022 Updated February 2024
Navigating the Shift to a New Managed IT Services Provider
As technology continues to evolve at an unprecedented pace, businesses face the imperative to adapt, scale and optimize ...