How to offer a cybersecurity risk assessment to clients

| By:
Jay Ryerse

Cybersecurity threats come in all shapes and sizes. An innocent-looking email from a trusted colleague can introduce harmful viruses and other malware — such as ransomware — or lead to a phishing attempt that compromises an organization’s information. Clicking a bad link can do the same. 

And it’s not just big brand names at risk; small to mid-sized businesses (SMBs) are the target of cyber attacks, too. So it’s no surprise that many SMBs have cybersecurity on their minds. In fact, our 2021 ConnectWise State of SMB Cybersecurity study found that 79% of respondents were concerned about experiencing a cyberattack within the next 6 months.

While SMBs may want to protect themselves, they all too often face challenges in resourcing a strong cybersecurity program, such as:

  • Lack of internal cybersecurity experience
  • Not having enough (or any) IT professionals in-house
  • Budget constraints around purchasing enterprise-grade cybersecurity solutions

This is where managed service providers (MSPs) can be a huge help. MSPs have the IT infrastructure, staff, access to expertise, and industry knowledge to help SMBs with their IT and cybersecurity needs. By bringing on an MSP to assist with IT and cybersecurity, SMBs can affordably take steps to protect themselves against threats.

One of the best ways for an MSP to engage with an existing or new SMB client on this topic is with a cybersecurity risk assessment. In fact, understanding risk is the basis of any good cybersecurity program. A risk assessment can reveal vulnerabilities and uncover opportunities for your MSP business to provide new services and support.

However, there’s an art to creating a cybersecurity assessment, with a right and wrong way to position risks and next steps. Let’s dig into some of the core characteristics of a good assessment.

First, know your own risk 

Before we dive into how MSPs can help clients, let’s ask ourselves: is your own house protected? 

Before any MSP can talk up cybersecurity support to their clients, they should ensure their own business is walking the walk. Like any other business, MSPs can be the target of cybersecurity threats. Make sure your own business has all the right tools and processes in place to protect your data and IT systems. 

A helpful place to start is our SMB Cybersecurity Checklist. With 30+ key areas for cybersecurity, this checklist can help your MSP get oriented. To take things one step further, consider using risk assessment tools like ConnectWise Identify to assess your MSP business against the National Institute of Standards and Technology (NIST)’s framework. (You can see a sample assessment here.)

With a firm understanding of your own business’ risks, you will be better prepared to secure your MSP business, provide service to clients, and help clients tackle their own cybersecurity risk assessments. You can also use our cybersecurity journey self assessment to understand how ready you are to offer cybersecurity services and assessments.

Skip the fear tactics 

When you conduct a cybersecurity risk assessment for customers, you should base the report in fact. Use clear, direct language. And whatever you do, don’t use fear, uncertainty, and doubt (FUD). 

Cybersecurity threats are a reality of doing business today. It’s scary enough to think of a cybersecurity incident impacting your business. By spinning up a scary story for clients, the report becomes less believable and, ultimately, the partnership is based on fear rather than strategic, level-headed collaboration. 

Instead, focus your report on helping clients know their risk—and what to do about it. Include proactive steps that clients don’t have to decode to improve their security. 

Determine priority protections

To be clear with your client, you must understand their unique risks, risk tolerance, and which protections to prioritize. Different industries face different challenges.

For example, U.S. clients in the healthcare industry may be subject to the Healthcare Insurance Portability and Accountability Act (HIPAA), which introduces certain compliance needs and risks. Healthcare organizations are frequent targets of cyberattacks, and so they may have a very specific risk profile as opposed to other clients, such as a chain of local bakeries or a small law office.

When creating a risk assessment, be sure to examine the most urgent areas needed to secure the client. Offer your clients thoughts on:

  • Protections needed immediately
  • Technology purchases for the future

By prioritizing the most important protections first, you can help your clients plug the biggest gaps in their defenses in the near term and strategically plan for the long term.

Offer a clear action plan

A good way to avoid FUD is to include very clear next steps. This can include a phased approach—such as phase 1, phase 2, phase 3—with advice on what to tackle first. 

A plan of action could include recommendations around:

  • Internal policies around privacy and data
  • Awareness training for employees
  • Technology investments such as a virtual private network (VPN), secure email gateway (SEG), and other tools (prioritized, of course, as noted above)
  • Steps to harden systems
  • And more

Your recommendations will likely vary depending on your client’s relative maturity, risk profile, and knowledge. No matter the case, offer them clear next steps on how they can improve and how your MSP business can help.

Starting strong with a cybersecurity risk assessment 

A cybersecurity risk assessment is a good way to begin engaging with clients around security. While, as noted, many SMBs are concerned about cybersecurity risks, many of your clients may not be fully aware of the dangers to their business. A risk assessment tool like ConnectWise Identify can conduct the assessment for you, offer plain-English results, and share recommendations to fix any gaps.

By engaging in a risk assessment and educating clients, your MSP has the opportunity to provide more services, such as:

  • Threat detection and response
  • Automated patch management
  • Network monitoring
  • Backup and disaster recovery
  • And more

To tackle cybersecurity in a strategic way, organizations need to first understand their risks. With a risk assessment, MSPs and their clients can get on the same page, make a plan, and start strengthening security.