Do you know your security risk?

| By:
John Ford

The hard truth is your customers think you’re already protecting them from all security related disasters, but you’re likely not providing the necessary services to prevent a breach, and you’re probably not being compensated to provide them either. So, it should be understood that based on your current agreement/contract, you’re not to blame in the event they get breached, right? Wrong.

Yes, you’re providing what they’re paying for, but your customers don’t really understand their risk exposure, and you can’t just leave them to fend for themselves—when disaster strikes, you’ll be on the hook. Nearly 70% of SMBs have already experienced a cyberattack. You need to step up to the plate and take control of the security conversation.

Recalibrating the security discussion

Your customers don’t know what they don’t know about their security. They look to you to be their security expert. We’re here to help you get there. Based on over 20 years of global information security experience, here are the requirements to have a successful conversation about security:

    • Must have a shared understanding of risk

Your customers won’t understand the need to pay for more security services if they don’t know what’s at stake. They think they’re already paying you to keep them secure. You need to show them what the risks are, how to prevent and remediate them as they arise, and what the cost of doing so will be.

    • Need a common understanding of the ownership of the risk

If you don’t have a conversation about who owns the risk with your customers, then the risk will ultimately fall on you, which could be a huge liability. Ultimately, you’ll need a plan to mitigate their risks or transfer the risk to your customer.

    • Must have a common language to talk about security

The NIST Cybersecurity Framework, created by the National Institute of Standards and Technology (NIST), provides a common language which is being adopted globally. It provides a framework to keep everyone on the same page regarding what it takes to be secure. Today, antivirus and anti-malware aren’t enough.

The foundation: risk assessment

The use of a risk assessment is a foundational element of security which will cover creating a common understanding of risk severity and ownership.

Your customers don’t truly know their risk exposure; a risk assessment bridges the gap by revealing the risks as a measurable component. This knowledge makes it easy for them to understand where they’re vulnerable and make appropriate remediation decisions around those vulnerabilities.

Imagine driving your car, and you notice your check engine light is on. This is a signal for you to get someone to look at your car to assess what work needs to be done. In this scenario, your car is at risk of not being functional. The check engine light is like a red flag. In the same way, the risk assessment will identify some red flags or areas that need attention.

We highly recommend using a risk assessment to gain the following benefits:

  • Determine risk baseline
  • Establish ownership of the risk
  • Limit your liability as the MSP
  • Create a plan of action for the customer (upsell opportunity for you)
Can I monetize this?

You can directly turn the results from the risk assessment into a statement of work. Mechanics do a great job at this. They assess your car, find all the things that need to be fixed, tell you the level of importance for each change, and you can decide which things you’d like to pay for. The same process applies here for your risk assessment; a unique and fully justified upsell opportunity while at the same time transferring risk.

There’s money to be made in providing security services. IDC estimates that total security spend by 2021 will be in excess of $120B. An on-site risk assessment for an Enterprise company typically costs between $50,000 - $70,000 and take weeks of consultation on-site and hours of employee time. The risk assessment we’ve brought to market for MSPs allows you to perform risk assessments for your customers in a fraction of the cost and time. Many MSPs are already monetizing this assessment and charging their customers between $500 and $2800. The assessment report provides remediation activities which can result in great revenue opportunities.

Don’t be late to the risk assessment train

The importance and value of a risk assessment will grow in the future with the expectation that the insurance industry will use risk assessment data.

Without a risk assessment, insurance companies don’t know the amount of risk they are taking on by covering Company A vs. Company B. The knowledge of known or perceived risks at a company can affect insurance premiums for better or worse.

Let’s look at car insurance, for example. Teenage boys pay more for auto insurance because insurance companies have the data to support there is more risk involved to insure this group of drivers.

Protect your house

Your customers are exposed to security risks first by not being secure themselves, but they’re also exposed if you, as their MSP, aren’t secure as well. MSPs are an ideal target for hackers because they get access to an entire database of customers if they hit one MSP.

“Place the Oxygen Mask on Yourself First Before Helping Others”

Before you start educating and offering security services to your customers, you need to ensure that you practice what you preach. With a free trial of ConnectWise Identify®, you get two free risk assessments; we recommend doing one for yourself first and then one for a customer.