With recent big-name breaches from Yahoo, ADP, and the IRS in the news, security is a top concern for many business owners.
And with the advent of the cloud and evolution of the Internet of Things (IoT), hackers have evolved too. They’re finding increasingly clever ways to exploit technology designed to make doing business easier.
Yet most businesses are using outdated security software and practices, and failing to refresh their cybersecurity solutions/practices to meet the increased risk.
MSPs should take advantage of this trend to safeguard their clients’ networks against potential data breaches while at the same time creating new sources of project and/or recurring revenue, and ensuring retention.
3 Common SMB Security Threats
Most small- and medium-sized business (SMB) owners are very cost-conscious, and won’t spend money on beefing up their IT security unless they understand that they risk more by doing nothing. It’s up to you to educate your clients (and prospects) that ignoring security vulnerabilities won’t make them disappear. Here are a few overlooked vulnerabilities you can address when having the security conversation with SMBs.
1. Outdated security software
This is more common than you might think. Some businesses feel comfortable using a boxed product purchased years ago, others forget to renew expiring licenses, and still others find themselves in the unfortunate position of finding out their own network is blocking routine security updates.
2. Haphazard access control
Making everyone an admin can prove to be just as detrimental as failing to turn off an employee’s access when (s)he leaves your company. Many SMBs need to find a better way to manage access to and control over their systems, network, and data.
3. Leaving passwords out for prying eyes
Yes, even in 2016, people still leave their passwords out for anyone to see. All the IT security technology in the world can’t protect your client against a little slip-up like this. Helping your new clients build—and hold accountability to—stronger security practices can assist in preventing messy data breaches.
A quick, non-invasive IT assessment will flag these obvious vulnerabilities and more. Then, when pitching your security offering to a new client, consider discussing the cost of a breach. Factor in downtime, lost opportunities, clean-up costs, reputation damage, and of course, the big fines. In most cases, the cost of a single breach will be considerably higher than that of a comprehensive security solution.
What Steps to Take as Part of Your Security Risk Assessment
As you prepare to deliver your 360-degree security assessment to win new clients, here are 12 essential tasks we recommend you include:
1. Evaluate inbound firewall configuration and search for known external vulnerabilities
If a managed firewall service is not in place, this report will help you justify the need to implement one. It can also help ensure that the impact of changes made to the external firewall—or exposure of outward-facing applications—is minimized.
2. Review outbound firewall configuration
The SANS Institute best practices for egress filtering point to the vital role that blocking unnecessary outbound traffic plays in eliminating the spread of viruses, worms and Trojans in the environment.
3. Inspect the effectiveness of the current patch management tool
The purpose of this task is to identify systems in which security patches have not been applied in a timely manner.
4. Examine antivirus and anti-spyware deployment
This activity determines where antivirus and anti-spyware is not deployed or is out of date.
5. Conduct administrator review
This review validates, through interview(s) with the business owner(s), the list of users with administrative privileges.
6. Share permission review
This action validates which users have access to critical business data through interview(s) with the business owner(s).
7. Perform physical security walk-through
This in-person walk-through of the office helps you identify issues a network assessment tool can’t—like employees leaving their passwords in plain sight.
8. Run an internal vulnerability scan
By scanning the client's network for internal security vulnerabilities that could be exploited once an attacker gains access, you’ll have a better understanding of what you’re up against.
9. Look for anomalous logins
This task reviews security audit logs for suspicious logins or login attempts.
10. Perform a security policy review
Review default Group Policy and applicable Local Security Policies for consistency and alignment with best practices.
11. Do an IT administrator review
Review users, computers, and Layer 2/3 detail with the in-house administrator to identify possible defunct or rogue users and systems.
12. Check compliance with basic standards
For all companies, even those not required to comply with a standard such as HIPAA or PCI, a compliance-level audit is useful for finding violations of security best practices.
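Task 9 above says what to look for in the audit logs but not how to review them at scale. As an added example (not from this article or its white paper), the Python script below parses constructed Windows-style logon events (IDs 4624 and 4625) and flags repeated failures from one source, a success that follows such a burst, and successful logons outside business hours. The line format, the failure threshold and the business-hours window are assumptions.

```python
# Added example (not from the article): flag anomalous logins in constructed
# Windows-style audit events, one per line: "<ISO time> <4624|4625> user=X src=IP"
# (4624 = successful logon, 4625 = failed logon, as in Windows Security logs).
from collections import defaultdict
from datetime import datetime

# Constructed sample: a brute-force burst that finally succeeds, one off-hours
# logon, and a routine daytime logon that must not be flagged.
SAMPLE_LOG = """\
2016-06-06T09:02:11 4624 user=alice src=10.0.0.12
2016-06-06T22:41:03 4625 user=administrator src=203.0.113.7
2016-06-06T22:41:05 4625 user=administrator src=203.0.113.7
2016-06-06T22:41:08 4625 user=administrator src=203.0.113.7
2016-06-06T22:41:10 4625 user=administrator src=203.0.113.7
2016-06-06T22:41:12 4625 user=administrator src=203.0.113.7
2016-06-06T22:41:15 4624 user=administrator src=203.0.113.7
2016-06-07T03:12:30 4624 user=carol src=10.0.0.30
"""
FAIL_THRESHOLD = 5              # failed logons per (user, source) before flagging
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time; anything else is off-hours

def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, event_id, user, src = parts
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]})
    return events

def find_anomalies(events):
    """Return sorted (kind, user, src) findings a reviewer should look at."""
    findings = set()
    failures = defaultdict(int)          # running failed-logon count per (user, src)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            if failures[key] == FAIL_THRESHOLD:
                findings.add(("repeated_failures",) + key)
        elif ev["event_id"] == 4624:
            if failures[key] >= FAIL_THRESHOLD:   # success right after a burst
                findings.add(("success_after_failures",) + key)
            if ev["time"].hour not in BUSINESS_HOURS:
                findings.add(("off_hours_success",) + key)
    return sorted(findings)
```

Calling `find_anomalies(parse_events(SAMPLE_LOG))` on the constructed sample returns four findings, all of which are leads for the interview with the business owner, not verdicts on their own.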
For more information and specific details on how to perform these tasks, send an email to firstname.lastname@example.org, and put the words “White Paper” in the subject line. We’ll send you a detailed blueprint of how to build and price security offerings.