Understanding security risk management and security risk assessments
For managed service providers (MSPs), cybersecurity presents both a formidable challenge and an intriguing opportunity for the foreseeable future. Threat actors are becoming increasingly interested in targeting MSPs due to their collective value and the fact that they have special access to dozens, sometimes hundreds, of organizations. According to the 2021 MSP Threat Report from Perch Security, 73% of MSPs said that at least one of their clients had experienced a security incident in the past year.
MSPs who place a strong emphasis on security and strive for continuous improvement not only reduce risk for themselves — they often see increased revenue opportunities by extending their cybersecurity expertise and services to clients. The State of SMB Cybersecurity in 2021 survey conducted by Vanson Bourne and commissioned by ConnectWise found that 92% of organizations would consider moving to a new IT service provider if they offered a cybersecurity solution that fits their needs. What’s more interesting, these organizations are willing to pay an average of 34% more for this enhanced security and peace of mind.
So, how can MSPs reduce the likelihood of a serious security incident for both themselves and their clients? Much of it comes down to effective security risk management. Read on to learn more about the role that security risk management and security risk assessments play in improving overall cybersecurity posture.
What is cybersecurity risk?
Before we can talk about risk management, it’s important to be clear about what we mean by risk. In the context of cybersecurity, risk is the likelihood of a potential security event occurring and the impact that event would have on the organization. We cannot always reduce the likelihood to meet an acceptable level of risk, however organizations can almost always reduce the impact that event might have on the organization. As a rule of thumb, there are three acceptable ways to handle risk:
- Accept – Acknowledge the risk and choose not to transfer or remediate
- Transfer – Assign or move the risk to another party
- Remediate – Take steps to reduce the likelihood of risk impact
It’s also crucial to note that risk ownership should never be shared or ambiguous. If one party doesn’t own certain risk, it can lead to playing the “blame game” if a security incident were to happen. For MSPs, this means having explicit conversations with your customers about what you do and do not cover — and what risk you are willing to take on as part of an expanded contract. This is the discussion where the customer oftentimes discovers as the data owner, they are responsible for the liability and the budget for the security controls the MSP puts in place.
Organizations must manage and reduce risk according to their unique circumstances, IT maturity, and priority. Every organization, including yours, has a different degree of appetite for risk — certain industries are often more risk averse or have greater regulations to reduce risk, such as the healthcare industry or businesses who process credit card transactions (PCI-DSS).
Security risk management and risk management programs
Simply put, security risk management refers to the process of assessing, analyzing, prioritizing, and developing a strategy to mitigate the effects of risk to an acceptable level. By establishing risk objectives and defining a strategy, you will lay the foundation for your risk management program. You must also ensure there is proper context to all risk-based decisions so everyone in your organization is on the same page. That means discussing the following items on a leadership level:
- Risk assumptions about the threats, vulnerabilities, consequences, and likelihood of occurrence that affect how risk is handled over time
- Risk constraints surrounding personnel, technology, processes, and systems
- Risk uncertainty about risk factors you do not know about but may be important
- Risk tolerance, or the levels of risk, types of risk, and degree of risk uncertainty that are acceptable for your organization
- Risk priorities and tradeoffs regarding the relative importance of your business functions, striking a balance among different types of risk that you face, and time frames for addressing risk
Once you have established a foundation for your security risk management program and determined the boundaries for all risk-based decisions, you can focus more closely on three core components of every strong program: assessing, responding, and monitoring.
This component of your risk management program is about identifying the threats to your organization and its clients, pinpointing vulnerabilities, and considering the negative impact that could arise from these threats and vulnerabilities. The end result will be your determination of risk. We’ll discuss security risk assessments more below, but here are a few key points to incorporate:
- Recognize the tools, techniques, and methodologies your business will use to assess risk
- Define clear roles and responsibilities for every risk assessment
- Consider how the assessment information will be collected, processed, and communicated throughout your business
- Talk about how the risk assessment will be conducted within your business and with your clients
- Determine how frequently risk assessments will be conducted (we recommend a quarterly cadence at a minimum)
Responding to risk
Following an internal security risk assessment, your MSP business can move on to addressing how you will act on your findings. This should involve developing plans of action for responding to risk, evaluating alternative courses, delineating response steps based on your risk tolerance, and implementing risk response upon your selected course of action. As mentioned previously, risk response can include a combination of accepting, transferring, and mitigating risk. You must also have a plan for how risk responses are communicated across your organization, your clients, and any external entities such as your supply chain partners.
The third essential component of security risk management, monitoring, addresses how your business monitors risk over time. The purpose of monitoring is to ensure that your planned response measures are implemented successfully and that all information security requirements are satisfied. Your risk management plan should describe how effective cybersecurity defense and compliance is verified and how the ongoing effectiveness of your risk response is determined. If you notice that certain measures are ineffective or difficult to evaluate, circle back to the response phase to find ways to optimize processes and fix what isn’t working.
The value of regular security risk assessments
While all three risk management elements outlined above are critical, productive response and monitoring are not possible without accurate, thorough security risk assessment. Furthermore, risk assessments should be carried out on a regular basis throughout the system development life cycle and across all tiers of the security risk management hierarchy.
When it comes to risk assessments in 2021, there is good news and bad news: The “bad” news is that your MSP’s risk will never be 100% eliminated — assessment, response, and monitoring are an ongoing cycle that you will learn to improve over time. The good news is, while security risk assessments used to be time and resource intensive projects that came with a hefty price tag, today cutting-edge risk assessment software such as ConnectWise Identify can help you conduct quick, comprehensive assessments at a much lower cost.
First, your MSP should conduct a self-assessment to gain a deeper understanding of where your own risks exist — this will help you prepare to secure your business, offer cybersecurity services to clients, and provide clients with risk assessments of their own. Our Identify tool has a free trial featuring two free risk assessments so you can perform one on your business and then assess a customer.
When it comes to having this part of the cybersecurity conversation with your clients, start by asking about their current security posture and how protected they feel in today’s cyber threat landscape (odds are they will have at least some fears and insecurities). From there you can ask when their last risk assessment was performed and what the results were, giving you an opportunity to aid your client in their next assessment process.
Keep in mind that the output of a security risk assessment is meant to be consultative, informative, and educational. A client’s first risk assessment may have a mix of free and fee-based remediation steps to improve their risk posture. For example, helping them draft a security policy may be done free of charge; providing high-level security awareness training could be a one-off charge; and recommendations for ongoing services such as threat detection and network monitoring could be rolled into your managed service agreement for an adjusted fee.
Risk analysis, a vital component of the risk assessment process, determines the importance of the identified risk factors based on the business impact they could have and the likelihood they might occur. At the end of the day, SMB decision makers want to talk about outcomes. Risk assessments put security and analysis findings in a language they understand: the financial impact of security risks. This gives management the information they need to make educated decisions concerning their company’s cybersecurity program.
Keeping your MSP business and its clients protected
Now that you understand the role that security risk management and risk assessments play in becoming a security-first MSP, you can begin to strengthen your own defenses as well as find ways to provide additional value for your clients. We even have a SMB Cybersecurity Checklist featuring 30 essential items to discuss with clients as you help them devise a plan for more robust security. To become a cybersecurity front runner, your MSP business should continue a cycle of assessing, responding to, and monitoring risk, as well as continually looking for ways to keep your clients as protected as possible.