The sophistication of both ransomware attacks and techniques for compromising passwords continues to increase. As such, it is more critical than ever for organizations to have a strong security strategy. Oftentimes, companies turn to their managed service provider (MSP) partner as the expert on implementing or updating their security platforms—and that requires understanding the specific needs of each business you serve.
Building a security platform is much like building a house—you develop it from the ground up. Built poorly, you risk cracks and fractures. Similarly, an incomplete security strategy could leave holes that allow vulnerabilities to leak through. As the architect of your SMB customer’s security platform, your job is to ensure that does not happen.
Before beginning a house, architects must be certain they are properly prepared. The same is true for MSPs. You can’t take on the role of managing an organization’s security—no matter the customer size—if your own environment is not secure, so start by ensuring your own infrastructure is properly protected and monitored.
Next, gather a complete understanding of the customer, their risk profile, and what they are looking to implement. What “holes in the foundation” are they most worried about—data loss, data corruption, service outage, etc.? This will influence how you approach their security needs.
Similarly, the size of the company will affect how complex the technology strategy needs to be in order to be truly effective, so keep in mind the unique considerations for SMB customers. It can be easy to get caught up in multileveled, flashy solutions that could be too complex for what a smaller business needs.
One way to avoid this is by focusing, first and foremost, on the fundamentals:
Designate Roles
As you would with any project—be it building a technology strategy or a house—it’s important to establish clear lines of responsibility from the beginning. Ensure there is no confusion between you and your customer when it comes to roles and responsibilities.
Larger enterprises often have a dedicated security team, but that may not be the case for SMB customers. Therefore, communication between you and the customer is even more important to align on those responsibilities.
Of course, no matter the solution at hand, clearly designated roles help with processes and efficiency. But for security strategies in particular, this also provides an added level of protection by eliminating the risk of overlap or gaps.
Draw a Clear Picture
Just like with architectural sketches, you should first get a thorough understanding of the environment you are working to secure. Without question, you’ll need to understand the customer’s devices, applications, and services, but it goes beyond that.
You must have a clear understanding of your own infrastructure as well. There is an old adage that you can’t secure what you can’t see, and, unfortunately, it is accurate. Most organizations would be shocked to discover how many touchpoints there actually are to secure. So, as you go through identifying everything in the customer’s network that needs securing, it’s also critical to identify all your own entry points.
Think of it this way: The more people with keys to the house, the more risk there is. SMBs turn to MSPs because they trust them with those keys, so it’s your responsibility to make sure you are keeping them safe, no matter what. That includes in the keyholder’s own home … or in this case, on your own network.
Lay the Right Foundation
Again, understanding the unique needs of an SMB customer is critical for identifying and implementing the right security framework. There are unique budget, time, and bandwidth considerations that will impact which framework fits best.
For SMBs, the best place to start is the CIS (Center for Internet Security) Controls. While customers may be more familiar with the National Institute of Standards and Technology Cybersecurity Framework (NIST), it could be a bit much for what SMBs need at first—much like putting up walls before the foundation has set.
Remind them that the CIS Controls can serve as a starting point. CIS maps to NIST, International Organization for Standardization (ISO), and other frameworks, which positions the SMB well for continued growth. These options also provide a strong foundation should you need to add to the security strategy.
Find the Key
Once the foundation is laid and the walls are built, it’s time to consider how users will access this new secure house you have architected. A simple password and login are hardly enough these days. Fortunately, there is a wide variety of multifactor authentication (MFA) tools now readily available and within various budget ranges to protect valuable assets within the network.
There are multiple ways to approach MFA, so work closely with the organization to determine a strategy that makes the most sense for their business. For example, combine a traditional password with a code sent to the user’s smartphone to authenticate their identity. Or a more advanced approach could implement biometrics such as fingerprints to identify the user.
And although a truly passwordless world may be in our future, the security strategies being built today often still rely on passwords. Therefore, a password manager combined with MFA can create a very strong authentication strategy. With a good password manager, there is a limited risk of password reuse, and it encourages users to leverage more randomized logins, without hindering the overall user experience.
These guidelines can help lay the critical groundwork for a strong security foundation. And as with any good development, a true architect will build the strategy with room to grow, so that as the business grows, so does its security network.
In the end, your role is to be a true partner. This begins with a thorough understanding of each customer’s needs. From there, a focus on fundamentals will ensure a solid—and secure—future.
RON TEMSKE is vice president of cybersecurity, network, and workplace solutions at LogicalisUS.