Guest Column | September 13, 2021

Conquering Cyber Risk Assessments

By Drew Sanford, ConnectWise

Cyber Risk Assessment

Having worked with hundreds of MSPs and TSPs in my career, I’ve realized that the best-performing partners are those that have mastered the skill of risk assessments. We’ve seen it over and over: these partners attract the highest paying clients, have the highest customer success rate, and deliver better customer support overall. How’s that for motivation? Let’s dig into why assessments are beneficial to client relationships, how partners can conduct them and what to focus on first.

Risks Vs. Vulnerabilities Vs. Threats

Before we dig into best practices, let’s begin by defining a few key terms, because vulnerabilities, threats, and risks are often used interchangeably when they shouldn’t be. A vulnerability is a weakness or gap in an organization’s systems or protection efforts. A threat is what the organization is trying to protect against. Risk is the intersection of assets, threats, and vulnerabilities: it exists where an asset the organization cares about has a weakness that a threat could exploit.

Risk assessments, then, require partners to carefully collect and analyze threat and vulnerability information to determine which events would adversely impact an organization and how likely each of those events is to occur. Organizations conduct these assessments to determine how risks affect their ability to carry out core missions and business functions, whether at the level of processes, segments, common infrastructure and support services, or individual information systems.
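To make the “intersection” definition concrete, here is a small added example (not from the column or from ConnectWise) that models the three terms separately and only produces a risk where an asset carries a weakness that some threat actually exploits. The asset, vulnerability, and threat records, the 1–5 scales, and the score formula (criticality × ease of exploitation × likelihood) are assumptions made for illustration; the sample inventory is constructed and does not describe any real client.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # 1 (minor) .. 5 (business-critical) impact if compromised
    tags: FrozenSet[str]   # properties a vulnerability can apply to (assumed model)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    affects: str           # the asset tag this weakness applies to
    ease: int              # 1 (hard) .. 5 (trivial) to exploit


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str          # name of the vulnerability it takes advantage of
    likelihood: int        # 1 (rare) .. 5 (routine) for this kind of client


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    score: int             # criticality * ease * likelihood, range 1..125


def enumerate_risks(assets: List[Asset], vulnerabilities: List[Vulnerability],
                    threats: List[Threat]) -> List[Risk]:
    """A risk exists only at the intersection of all three: the weakness must apply
    to the asset, and some threat must be able to exploit that weakness.
    Returns the risks ordered from highest to lowest score."""
    risks: List[Risk] = []
    for asset in assets:
        for vuln in vulnerabilities:
            if vuln.affects not in asset.tags:
                continue               # weakness does not apply to this asset
            for threat in threats:
                if threat.exploits != vuln.name:
                    continue           # no threat exploits this weakness: no risk
                score = asset.criticality * vuln.ease * threat.likelihood
                risks.append(Risk(asset.name, threat.name, vuln.name, score))
    return sorted(risks, key=lambda r: r.score, reverse=True)


def prioritize(risks: List[Risk], tolerance: int, top_n: int = 3) -> List[Risk]:
    """Drop risks at or below the level the client has said it can live with,
    then keep the top N as the items to build the remediation plan around."""
    return [r for r in risks if r.score > tolerance][:top_n]


def sample_inventory() -> Tuple[List[Asset], List[Vulnerability], List[Threat]]:
    """Constructed sample data for a hypothetical small-business client."""
    assets = [
        Asset("File server", 5, frozenset({"server", "windows", "smb"})),
        Asset("Reception PC", 2, frozenset({"workstation", "windows"})),
        Asset("VoIP phones", 3, frozenset({"phone"})),
    ]
    vulnerabilities = [
        Vulnerability("Unpatched OS", "windows", 4),
        Vulnerability("No MFA on remote access", "server", 5),
        Vulnerability("Default admin password", "phone", 3),
    ]
    threats = [
        Threat("Ransomware", "Unpatched OS", 4),
        Threat("Credential stuffing", "No MFA on remote access", 3),
        Threat("Toll fraud", "Default admin password", 2),
        # A threat with no matching weakness in this inventory yields no risk.
        Threat("Physical theft", "Unlocked server room", 2),
    ]
    return assets, vulnerabilities, threats


if __name__ == "__main__":
    assets, vulns, threats = sample_inventory()
    for r in prioritize(enumerate_risks(assets, vulns, threats), tolerance=20):
        print(f"{r.score:3d}  {r.asset:14s} {r.vulnerability:26s} {r.threat}")
```

Run as a script, it lists the three highest-scoring intersections for the constructed client; the “Physical theft” threat never appears because nothing in the inventory has the weakness it needs, which is exactly the point of treating risk as an intersection rather than a list of threats.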

Addressing The “Why?”

By performing a regular and routine risk assessment, MSPs are better situated to identify new risks or gaps in their customers’ security coverage in a timely manner. They also can provide a roadmap to resolve these gaps before they become a serious problem. 

Consider that almost 90% of SMBs view cybersecurity as the top, or one of the top five, priorities in their organization—and 84% who don’t currently use an MSP would consider using one if they offered the “right” cybersecurity solution for their organization’s needs. For this reason, risk assessments can help meet customers' demand for ongoing security support.

Risk assessments help on the sales end too. Only 13% of MSPs have cybersecurity-specific conversations with their clients, so providers that do take a proactive approach tend to have a stronger competitive advantage. Upfront risk assessments also help to protect the liability and reputation of an MSP.

Starting Off On The Right Foot

So, what exactly is included in a risk assessment? When it comes to cybersecurity, the simpler the better. It’s not about reinventing the wheel as much as it is sticking to the basics. That simple approach will change the conversations with clients for good. In that regard, there are typically five things that need to be assessed for the TSP or MSP client: users with devices, servers, blinking lights, phones, and connectivity. Within those categories, MSPs must solidify three things: availability, security, and support. 

To get there, a risk assessment will typically focus on four main components: 

  1. Regulatory requirements: Are there factors like HIPAA, NIST, or CMMC that must be considered? 
  2. Network considerations: Are there parts of the network that should have limited access? Are there any “out-of-the-box” security protocols in use? Is the network accessible to individuals outside the company? 
  3. Human errors: Have they accounted for physical security, phishing vulnerabilities, misconfiguration, and other human errors that could leave the door open for attackers? 
  4. Software components: Are they using old software that’s no longer being serviced? 

Look Beyond Technology

Most MSPs are already great at assessing their clients’ technology—the tool stack, operating systems, and the overall environment—but they must move beyond tools to get to an organization’s root challenges. People and processes are often overlooked in an assessment, yet processes need to be standardized among technicians to ensure reliable, repeatable results.

A secure MSP will have documented roles and responsibilities for its security and compliance programs. It will have implemented the controls of a security program and the applicable compliance frameworks, will know what actions better protect organizational data and IT systems, and will have corrective action plans in place for when those controls fail. On the flip side, an MSP running ad hoc processes will have very few streamlined components, and its roles and responsibilities may be disorganized. It may understand the need for security and compliance programs but isn’t much interested in doing anything about them. Understanding where a partner falls on this spectrum will be key to conducting a proper risk assessment and talking through the results in a way that resonates.

Aligning With The Right Interests And Priorities

It’s also important to understand where a client is on their cybersecurity journey. Collaborative conversations about the level of risk they’re comfortable with, where their information is stored, who they’ve given access to, and who should or shouldn’t have access in the future are all important preliminary steps. Once that baseline is set, the MSP can determine which of these three categories the client fits into:

  1. Companies that have no choice but to upgrade their security due to some regulatory standard (HIPAA, NIST, CMMC, etc.) that is binding them to a certain standard of privacy or security.
  2. Companies that want to upgrade their security. Typically, these are businesses with high-risk profiles and low-risk tolerances like law firms, accounting firms, or payroll processors.
  3. Companies that have an urgent need to upgrade their security posture but might be a little less knowledgeable about what that process looks like.

Understanding where the client is coming from helps the MSP talk to the right person in the right way. They’ll be better able to align the conversation with the client’s interests and priorities.

Taking It Back To The Client

After the assessment has been done, the MSP will move on to presenting the outcomes and next steps for a client or potential sale. It’s wise to focus on three major things and then build out a plan for a year’s time that lays out the approach to solving those issues. When discussing cybersecurity with their clients, MSPs should stick to the facts, remain realistic and avoid sounding alarmist. If they can communicate their plan to their customer in a calm, clear, and informative manner, their clients will be left with a strong understanding of the issue and have confidence in the MSP from the start.

MSPs should make these assessments a normal part of their relationship with their customers—discussing them in monthly or quarterly business review meetings and continuously monitoring and managing risk to maintain an updated and effective defense strategy. These assessments will provide permanent and definitive information for decision makers to guide and inform responses to information security risks. They’re also a key component of building a cybersecurity-first culture within an organization.

About The Author

Drew Sanford is Senior Director, Global Security Operations at ConnectWise.