Cutting The Loss – What To Do When Clients Won't Address Cyber Risk
By Angel R. Rojas, Jr., DataCorps Technology Solutions, Inc.
We live in a brave new world where cyber risk is everywhere we look. Armed with breach prevention tools such as anti-phishing campaigns, weekly/monthly/annual training and quizzes, dark web searches, the most outstandingly marketed endpoint security solutions, and firewalls that are said to be “intelligent” about scanning network traffic, we now have an arsenal of tools, and we are ready and even eager to deploy them. Yet, as the owner of a Managed Service Provider (MSP), I know first-hand that there are problems.
Clients are not buying it.
Prospects are balking at it.
It seems that everyone wants to be protected but few businesses are willing to take matters seriously and do the work. I recently had the opportunity to discuss this with Dave Summitt, who was most recently the CISO of Moffitt Cancer Center and is now the owner of Alpha Omega Advisors, a cybersecurity risk assessment and advising company. We discussed the adoption of good cyber hygiene and how to approach a situation where clients just won’t address the issue.
Work? What Work?
“Meaningful, effective, and true cybersecurity is a team sport where all the stakeholders are at the table communicating with transparency and clarity. It is a continuous process that involves the entire organization and is only successful when it becomes a part of the culture,” Mr. Summitt shared.
Securing an organization is work, hard work, and it requires buy-in and a willingness to implement new skills - from everyone in the organization, beginning with its executives, who should be modeling best security practices as a matter of leadership. “In many ways, securing a large organization such as Moffitt can be similar to securing small businesses, because it begins with people and culture,” Summitt says. This means that leadership buy-in and involvement will set the tone of the entire effort. If it is lacking, then an even greater challenge exists.
When asked what happens when leadership throws their full support behind cybersecurity, Mr. Summitt enthusiastically responded, “everything just falls into place.”
So, What If There’s No Buy-In?
Coming from a small-business background, I regularly face resistance from business owners to implementing the necessary steps to protect their business. This led me to ask Mr. Summitt what MSPs should do when their clients refuse to address cyber risk.
“Sometimes you have to ‘cut the loss,’” was Summitt’s response. “The risk of a cyber incident crippling your client and, in turn, involving your MSP business in a lengthy process for which you may or may not be compensated is far too great. And if such an event were to occur, your reputation as an MSP will take a hit regardless of all the recommendations or risk area documentation you provided,” he continued.
The statistics are not in small businesses’ favor either. Consider that according to the 2021 Cyberthreat Defense Report by the CyberEdge Group, LLC, 50%-60% of cyberattacks target small businesses. So, taking an MSP’s recommendations and guidance should be a given. Those that are prepared struggle through the recovery process, and of those that are not prepared, few can survive the financial and reputational loss – especially if their own negligence contributed to the loss.
Turning The Tide
For far too long, cybersecurity has been a profit center for MSPs and many others within the tech industry. It has been seen as an upsell. Mr. Summitt feels that it should be standard. “Cars don’t come with safety features as optional, and neither should cybersecurity be optional with IT services,” he said.
The way forward for MSPs is to focus on those clients and prospects who are ready, willing, and able to do the work and to divest themselves of those that are satisfied with taking the risk on their own. With a geometrically proliferating threat environment, we have little choice but to shed risk and focus on protecting ourselves and our clients who consider security to be a core business activity.
About The Author
Angel R. Rojas, Jr. is President & CEO of DataCorps Technology Solutions, Inc.