Guest Column | September 13, 2019

Going From Cyber Fraud To Cyber Success

By Angel R. Rojas, Jr., DataCorps Technology Solutions, Inc.

In my previous article, Is Your MSP A Fraud?, I covered three deadly sins many MSPs are committing on a regular basis regarding cybersecurity. Sins so deadly, they run the risk of branding the MSP as a fraud.

Are you committing any of those sins? Have you repented, and are you now ready to turn things around? Good! Let’s get started!

The first sin was failing to perform a Risk Assessment. This essentially becomes the foundation of our protections and security strategy because it will reveal precisely what’s at risk, what we need to protect, our weak spots, and the impact it could have on our businesses among other things.

Let’s take a look at three key areas that will help us ensure we get the most out of our Risk Assessment:

  1. Let the bad stuff flow … even if it’s excruciatingly painful. A Risk Assessment should make us feel vulnerable; after all, it will reveal our weakest points and deepest fears concerning the business. My suggestion is that whatever comes to mind as we look at risk should be put on the table. It doesn’t have to be discussed at that very moment, but it should be there. One of my worst nightmares is that our RMM software is somehow compromised. Since we do not write the software and are not responsible for its code, it makes me feel extremely vulnerable. We place that on our list, then later brainstorm ways to mitigate that risk. What keeps you up at night? What’s your worst-case scenario?
  2. Do not go it alone. It is best to go through this exercise with others as they may see things you might not. This rings doubly true if this is your first one as it can be a daunting and involved process, especially if you decided to read the NIST Guidelines on performing one. The great news is there are vendors in our industry that will walk you through the process for a very reasonable fee. Additionally, this can be a great way to develop a relationship with a local cybersecurity consultant or privacy attorney and conduct a joint risk assessment for each other’s firms. The key here is to have trusted eyes on the information and realize that not everyone sees things the same — this leads to a diverse view from multiple points, each looking for different nuances.
  3. Pencil in next year’s Risk Assessment now! Remember this isn’t a one-and-done type of activity. Risk Assessments should be conducted annually, at minimum, and when changes are made that exceed a certain threshold (you get to set that threshold based on your Risk Assessment). By pre-scheduling your next Risk Assessment, you have confidence knowing that the time is already blocked off and all parties involved know about it.

This is by no means a comprehensive list of areas to look at. The truth is it’s a big job and there is no way around it; you just have to get it done. Let me say that again, you just have to get it done. There are also additional considerations such as working with legal counsel to get advice on legal protections such as non-disclosure agreements for all parties involved in the process.

Let’s get those Risk Assessments done so we can move on to the other two sins: not having a security plan and having a focus on tools and services. Until next time, stay safe out there!

About The Author

Angel R. Rojas, Jr. is president & CEO of DataCorps Technology Solutions, Inc.