By Jason Rorie, CySA+, PenTest+, MCSE, C|EH, CISM, CCSP, CISSP, Elevated Technologies
First, you have to start with a conversation to understand how the client needs to be protected. The saying is, “How much security is enough?” The answer is: just enough. You don’t want them to have vulnerabilities, but you don’t want them so secure that users circumvent the security measures to get their work done. You have to find the balance.
From that conversation, the information security policy and procedures are born. This is buy-in from the client on how much security they need and how it will be implemented. Again, some clients will need more than others. For example, not every client will need a SIEM/SOC solution, but those who have compliance regulations might require that type of solution. Make sure you are layering on the technology to the appropriate level.
This is step one in risk mitigation. The goal is to get to a place where the client accepts the residual risk after the security program is fully implemented. Never promise to eliminate risk, because that is impossible. You might find yourself liable if you make these types of claims.
Step two is to put in a trackable, reportable awareness training solution. You want to be able to report the results of the training or testing back to your client, giving them a means of accountability over their staff. For example, if Joe isn’t participating in the training, you can report that, and your client can take up the accountability measures with Joe. With the right technology and training in place, you have taken the necessary steps to mitigate risk as much as you can. Please remember there are other facets of security that are most of the time outside the MSP’s scope, such as physical security measures. Try to at least consult on best practices.
Now, employees are trained on what not to do and what to look and listen for. You have the technology in place that will hopefully stop an incident from happening, or from spreading if someone does slip up. As we said, you cannot eliminate risk. If an event materializes into a breach, and the client finds themselves facing financial loss due to ransomware, downtime, legal fees, or compliance fines (HIPAA, GLBA, PCI, etc.), they need cyber insurance.
With insurance, you as the MSP need to educate your client on how a policy can protect them and how they can potentially recover money in the event of financial loss. Please check your state laws before getting too detailed when talking about insurance coverage. Again, you could be found liable.
Insurance is a way to perform what is called risk transfer. Your client would be transferring the risk of financial loss onto the insurance carrier of their choice. Find an agent you trust! Interview them to ensure they can answer technical questions when it comes to cybersecurity and compliance. Make sure they know the difference between encryption at rest and a disaster recovery plan! You laugh, but most do not! It is essential for you to be involved in the cyber insurance process because, at the end of the day, you are the one they are going to call when it hits the fan!
At this point, if you have implemented the big three (technology, training, insurance), your client should be at an acceptable risk level. After that, you have the responsibility for the upkeep of the cybersecurity posture of your client's network. You have to keep the network compliant with the requirements of the information security policy, the insurance policy, and any other compliance regulations that need to be met.
Cyber Security Program Must Do’s
- Keep up-to-date policies and procedures.
- Ensure the technology, training, and insurance are implemented per the policy requirements.
- As the network changes, review the policies and procedures.
- As the insurance policy renews, ensure any significant changes to the network are reflected on the renewal paperwork.
- Test your controls. Show proof of security control testing via vulnerability scans, pen testing, social engineering simulations, etc. Engage a third party if needed: the same party both managing the network and auditing its security is a conflict of interest.
I hope you found this information valuable and that it will help you form a robust and comprehensive security program for your client.
About The Author
Jason Rorie, CySA+, PenTest+, MCSE, C|EH, CISM, CCSP, CISSP, is founder and CSO of Elevated Technologies, Triad Cyber Security, and Cyber Security Insurance Group.