The National Cyber Security Alliance and the U.S. Department of Homeland Security have declared every October National Cybersecurity Awareness Month (NCSAM). But here’s the thing: When you’re in the cybersecurity space, isn’t every month “cybersecurity awareness” month?
Look, we now know the following: Hackers — especially those associated with foreign governments — are targeting MSPs and their customers.
For example, CISA has informed us on several occasions about the tactics, techniques and procedures Chinese government cyber threat actors are using to exploit MSPs and their customers.
What these cyber threat actors have learned is that MSPs are much easier to hack than Fortune 500 companies, so instead of going after large companies, which are of course limited in number, they are targeting the larger market: MSPs and their customers.
This is why securing your MSP and your customers should be your top priority. To secure networks and systems properly, you as an MSP must not only invest in the right security tools, but also ensure you’re applying the latest security standards to every customer environment under your supervision.
When it comes to industry standards, myITprocess, an all-in-one tool we designed to help with creating and managing your vCIO process, comes preloaded with many of them, some of which are derived from the National Institute of Standards and Technology (NIST), a non-regulatory federal agency focused on enhancing economic security in the country by advancing measurement science, standards and technology.
We apply three sets of standards from NIST:
- SP 800-53 — defines security and privacy controls for federal agencies.
- SP 800-171 — outlines how to protect information in nonfederal systems.
- Cybersecurity Framework — assists with improving cybersecurity risk management.
Now, many of these texts are subjective, but they were written that way for a reason.
The level of security and risk management depends on the organization, so even with NIST’s standards, there’s no one-size-fits-all approach to properly securing organizations from threats.
NIST’s standards enable you to perform a baseline evaluation of an organization's security risks and help you reduce those risks using "reasonable and appropriate mitigation techniques."
Your goal should be to implement what's necessary based on a customer’s industry and amount of risk. These standards enable MSPs to mitigate risk. However, standards alone aren’t enough.
It’s your job as an MSP to bring your customers into alignment with these standards if they’re out of alignment. If you can’t, you’re going to run into many issues, and as a result, your clients are going to suffer.
For example, misalignment of a customer’s environment can lead to severe downtime, increased chances of data breaches and loss of revenue.
Performing alignment reviews and showing customers the business impact of areas where they are out of compliance take time and discipline. However, myITprocess streamlines this process.
We're working with NIST and other industry experts on developing an MSP security self-assessment in myITprocess, which will allow MSPs to gauge their preparedness. (Expect this at some point in Q4.)
While it’s a good thing there's an entire month dedicated to cybersecurity awareness, we can do better, especially when cybersecurity is a top concern for businesses of all sizes.
It’s our job as IT professionals to educate customers on why every month is cybersecurity awareness month. If we can do this, everybody will be a lot safer and our businesses will prosper.