Atera’s latest MSP Minds was definitely the most fun you can have while talking about cybersecurity! If you missed the live event, read on for the highlights of “A cybersecurity deep-dive for you and your IT customers,” hosted by our 4 awesome and experienced cybersecurity experts.
We were joined by Lital Badash, Senior Cloud Solution Architect for Cybersecurity at Microsoft, Yolanda Santana, IT Consultant at All Bits Tech, Kim Bassett, the CTO and co-founder of Jetty IT Solutions, and our very own Technical CSM, Yasmin Simmons, who has 4 years of military security experience in the Israel Defence Force, and was also a Security Engineer at eToro before coming to join the Atera family.
The Impact of COVID-19 on Cybersecurity
Lital spoke to us about how the cybersecurity threat as a result of COVID-19 was triggered by the remote working shift. Companies needed to keep their productivity levels high, and so steps were missed in securing work from home environments. “We saw zero-day exploits rise, more spear-phishing attacks, and how attacks have evolved with great variations over the last year, from URL payloads to brand-new delivery mechanisms.”
For MSPs, this was extremely tough. A lot of our customers and colleagues are now part of this challenge, working from home on their own networks. They could be at home, at a café, or somewhere else entirely. Other people might be able to gain access to their network or systems, and this needed to be managed, with MSPs in the spotlight for getting it done, and helping customers to educate themselves.
Trends and Predictions for 2021 and Beyond
Even pre-COVID-19, the world was already suffering from a lack of security professionals, and 2020 definitely turned the pressure up. Lital’s advice was to look to third-party vendors who can do a lot of the hard work for you and take on the security risk on your behalf with their own best practices. Of course, security is a shared responsibility, but as the skills gap gets worse, SaaS applications and cloud partnerships are safer than on-premises, as we can hand over that responsibility to someone else.
“This is why Forrester says that the future of cybersecurity is in the cloud. The cloud can provide security benefits in and of itself when it is configured correctly. This can ease the load on companies who don’t have the resources they need in-house to investigate and protect and update continuously according to the latest research.”
Identifying the Threats that You and Your Customers Should be Aware of
Kim spoke to us about the importance of internal education. “Leverage social media communities, RSS feeds, popular cybersecurity websites, even the news and information from your own colleagues, whether that’s other MSPs or other people in the industry.
“This gives you a nice advantage, to get equipped and strategize as early as possible, both for how you can protect yourselves and educate your own employees, and then, through that education you can implement a tactical plan that assists your clients to make sure their company is safe, their software, their own customers. The process is very far-reaching, and it starts by being proactive, not reactive.”
Yolanda agreed that education is key and that at All Bits Tech, she also hosts weekly meetings with her staff to discuss the top threats or things they’ve seen being shared, and then review how their own security might be vulnerable to those issues. They also implement audits on a regular basis to make sure that nothing falls through the cracks. Yolanda also recommended using Microsoft Exchange reports, to make sure that malware and phishing attacks are not coming through, and tightening up anything that needs attention.
Yasmin gave us a great idea that is really actionable as an MSP, to have your employees or clients sign a do’s and don’ts form! This could include anything from “don’t plug in foreign USBs” to “don’t write your passwords down on a post-it and leave it on your desk!” Kim jumped in to say that the worst one is when clients have all their passwords saved in a file called… passwords! In all seriousness, Lital reiterated that users are still the weakest link in cybersecurity, so awareness and education are so important. Our panel suggested some great ideas for awareness training, such as phishing simulation tools that can show customers exactly where the high-risk users are inside their four walls.
Cybersecurity and Your Customers
Kim spoke to us about how she always tries to have a relational rather than informational conversation with her customers, showing them the context of the security issues in their company, and starting with an audit of everything that they currently do. She asks: How old are your servers? Do you have a firewall? What antivirus do you use? She then explains where the gaps are, and what the impact could be, before putting together a strategic plan. She may even get their agreement to use an ethical hacker who can physically show them how easy it is to break into their network, and the data that could be exposed if an attacker did the same. “By getting permission first, you establish trust, and then you show them the risks they’re open to.”
We asked our panel, what can you do to get customers on your side about cybersecurity? Kim continued that if your clients are told what they need to do, and they’re still resistant to making small changes that are going to secure their network, you need to be very clear. Tell your customer, if you don’t make these changes, you’re going to be putting us at risk, and our other clients, too. When they realize that this could have a wide-reaching impact, and affect their revenue, their reputation, it opens the door again for that conversation.
We love Yolanda’s advice about talking to every customer on their own level, and in their own language! “We’re so used to being around our peers that we find ourselves talking in acronyms and the customers don’t always get it. Think about how to describe things in their own language, from using a metaphor like how to fix a car, to medical language, or something familiar. This can help to communicate to clients the severity of not following through with cybersecurity protocols.” Yolanda also reminded us that at the end of the day, while our clients might give pushback, if something goes wrong, they will come back to us and blame their MSP for not protecting them better. If the customer doesn’t want to get in line with best practices, you may need to ask whether you want that client at all.
Lital had her own awesome idea about the onboarding assessment process. She recommends using a number that can identify the security posture of the customer. It doesn’t matter too much what that number is, but it’s a good starting point to be able to say, “This is your starting number, and it’s above average or below average, and here is the number we’re going to try to get you to, and here’s how.” Then you can recommend incident response or protections that will improve that number and give the client something to work towards.
Practical Steps for Supporting Customers with Cybersecurity
Our panel had so many incredible recommendations, we can’t fit them all in! But here are some of the top pieces of advice that came out of our conversation.
Start with a Password Manager: Kim sees this one as an easy starting point for cybersecurity, a gateway to good cybersecurity practices. She encouraged us to tell our customers to start using this for personal passwords as well as business, getting into good habits to make the learning curve easier.
Use Tiers: Both Kim and Yolanda spoke about the importance of using a tiered approach so that clients have control over what services and support they need. Use QBRs or annual reviews to give the customers a chance to revisit and evaluate their tier choices, and expand services as necessary.
Make Security a Priority: We love what Yolanda told us about how she offers her customers extra security tools, whether that’s back-ups, ransomware protection, antivirus, and more, but even if they choose an external vendor, the MSP manages that too. The most important thing is that the client is secure, wherever they get their tools from.
Documentation: This one was shouted loudly by all our panelists! Knowing that you have a plan in place, written down, with no single point of knowledge or failure is KEY. Whether it’s a full-service offering or a few hours here and there, write everything down. Lital reminded us that you can even download policy documentation as a starting point from Microsoft and other vendors, with all the hard work done for you!
Want to hear more insights from our expert group? The full webinar was a home run, and you can find it right here.