3 ways MSPs can reduce their security risk and increase revenue
While technology improves our lives in many ways, it certainly isn’t free from drawbacks. And one of the biggest drawbacks is the escalating risk of cyberattacks.
To reduce the risk of cyberattacks for your customers and your MSP business, it’s essential to put protocols in place to strengthen your internal security (we often refer to this as ‘getting your house in order’) and protect your clients.
The truth is, your customers automatically assume that security is integrated into the price of their contract. This means you need to educate them, or risk falling short of their expectations.
Even better, this is a prime opportunity to offer additional services—and increase revenue.
“You don’t want to deliver security services and not have the client invest in those services,” explains George Mach, Founder and CEO of Apex IT Group. “It would impact your MSP in a negative way.”
In our Path to Success Security Spotlight, I sat down with George Mach to discuss how you can define, identify, and reduce the level of risk, and, as a result, boost revenue.
Here are just a few of our tips.
Understand your risk
The first step to reducing risk and providing Security-as-a-Service is understanding the current state of your MSP’s security.
“If you don’t know your own gaps or have good security hygiene in your own MSP, it’s really hard to deliver world-class security services to your client,” Mach says.
As an MSP, you have access to a wealth of sensitive information about your clients, including their passwords, addresses, and names. As such, it’s crucial that your MSP is fully protected. Even the smallest data breach could cause your clients to lose trust in you—damaging your reputation and costing you their business.
Trust, train, and protect your house
To protect your MSP (and by extension, your clients), Mach recommends following three simple steps.
1. Only hire trustworthy people
Of course, it isn’t always easy to spot a wolf in sheep’s clothing, but there are a few measures you can take to safeguard your organization against harmful presences. During the hiring process, this could include conducting a background check and verifying a candidate’s education and employment history. Consider creating an onboarding process and asking employees to sign agreements that go on file, holding them accountable to specific standards.
2. Train everyone at your organization about how to detect potential scammers
This includes staff in non-technical positions. As part of this training, you may also want to conduct a security skills assessment and record that it has taken place. That way, should the worst happen and a client decides to sue following a security breach, you can prove the measures your company took to try and prevent it—thereby protecting your reputation.
“The goal," March says, "is to be in a defensible position if something were to happen."
3. Enforce technical, physical, and administrative controls
Firewalls and endpoint protection are a must. Investing in swipe cards or biometric scanners can also help you strengthen your protection by helping you identify every person who enters and exits your building. And to reduce your legal risk, don’t overlook the importance of nondisclosure agreements (NDAs) and business associate agreements (BAAs).
Follow the NIST Cybersecurity Framework
Once you’ve increased security at your MSP, you can start thinking about how to offer Security-as-a-Service. Following the protocols outlined in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework is a good place to start. These protocols are: identify, protect, detect, respond, and recover.
By following these protocols, your company can turn secure protection into a competitive advantage. But that’s only possible if you communicate it properly to your clients.
Throughout conversations with your clients, it’s crucial to gain an understanding of their security priorities and the metrics they use to determine their success. Once you’ve identified these factors, you can establish risk thresholds that are closely aligned with your client’s risk tolerance.
Benchmarking your clients’ level of risk against industry standards and using a weighted scoring system to rank it from high to low can make it easier to communicate the value of your services to them—and the impact you’ll have on their business.
Measure risk reduction—then market it
You can use two approaches to measure risk reduction: quantitative and qualitative.
The quantitative approach is more technical and considers a server’s asset value, its exposure factor (which takes into account how often the server is left unattended and whether that server is in a protected environment), and the loss expectancy, which is related to the rate of occurrence of various risks. Taking all these factors into account, you can more accurately price your services—and your clients can make a more informed decision about whether to live with the risk or do something to mitigate it.
The qualitative approach is less complex. It uses available data to calculate the likelihood of a risk. You can then suggest countermeasures to ensure protection.
Whichever approach you choose, explaining your findings and suggested solutions in layman’s terms as well as backing up your claims with evidence helps to build trust with your clients.
It’s this trust that will persuade clients to invest in your security service—and remain satisfied customers for years to come.