By Austin Justice, Vice President, Justice IT Consulting and ASCII Group Member Since 2015
The cyber security threat to small and medium businesses is growing at an alarming pace. It’s imperative that, as an IT Solutions Provider or Managed IT Service Provider, you integrate security into your offering as businesses will increase their dependence on your company to protect their data and ability to operate through these treacherous times as a result.
Adding security to your offering does not require large capital investments, a series of security certifications, new specialized staff or a team of white hat hackers. Security can be added to your offering with a few simple changes and product additions.
- Double Down On Your Existing Security Offerings
Managed anti-virus, spam filtering, patch management, and web filtering are all most likely integrated into even your basic service offering. These are the baseline security measures that must be in place to start protecting your clients. While any IT person knows these security measures can be circumvented, no network is protected without them. Once these are in place, optimize the performance and security of each security service. For example, in most anti-virus software, adware and potentially unwanted programs (PUPs) are ignored by default. Make sure these settings are configured to quarantine those threats. Strictly configure the settings on these Keystone Security Offerings, but not so strict you get a call from your client’s CEO.
- Standardize Configurations And Train Your Staff
When taking over networks, we usually find one to two large security gaffes. Most common are keeping the RDP port 3389 on most of the internal network open to the entire WAN rather than limiting the port to one or a two external or internal IP addresses and not having password policies. Training staff with a security mindset and implementing standardized configurations is an excellent way to increase security of client networks. Having security standards and training in place is a very marketable characteristic of an IT service provider.
- Introduce Unified Threat Management Devices Into Your Offering
Every business needs a Unified Threat Management (UTM) Device on the edge of its network. Every business has sensitive data and a risk profile. UTM devices allow for every piece of traffic crossing to and from the network to be cross checked against thousands of preexisting malicious signatures. GEO IP blocking, Intrusion Prevention, Web Filtering, and the cost to risk ratio generally makes this an easy sell for businesses. We find the most success providing these devices and the management and monitoring of it as a monthly service to take the sting of the initial appliance cost out of the equation.
- Train Your End Users
Regular lunch and learns or occasionally attending your client’s companywide meeting is a good way to do this. Implementing the strictest security measures known to man can ultimately be foiled by an employee who has not been trained on the latest phishing or social engineering techniques used by cyber criminals. These are often the most painful attacks on the company’s sense of moral, security, and cash.0
- Consider Backup And Disaster Recovery as a Security Offering
Tornadoes and floods are not the enemy here — organized cyber-crime is. Ransomware and malware variants are a significant threat to any organization. The infection rates of this type of malware are increasing at an exponential rate. A business is significantly more likely to be affected by data loss from a malicious source than it is a natural disaster. It is important to have offsite copies of backups and the ability to restore the data quickly in case of a ransom or similar attack. System uptime and ability to recover data are the most important aspects of Backup and Disaster Recovery.
- Create A Minimum Acceptable Standard For Your Clients
This is often a hot button topic for clients and providers alike. I firmly believe slowly introducing a minimal acceptable standard for your clients is important in protecting them, protecting yourself, and limiting relationship strains in the event of a security breach. This can also serve as a good qualifier and marketing tool if approached correctly. When I am working with vendors, industry partners, and clients, I like to hear them say, “We don’t work with everyone.” It tells me they believe in what they’re offering and their company has a fully matured value system.
Whether it is an automated quarterly software scan, an exhaustive manual review or third party penetration testing, conducting regular security reviews are also important. There is no one-size-fits-all solution for this. Carefully review your client base and determine their security needs. A series of insurance offices have different needs than a base of multi-location banks, but they both handle sensitive personal information.