Cybersecurity strategy mistakes and how to avoid them

When you write a research paper, you usually create an outline first to make sure you know what you are going to cover, what you’ll need to research, and ensure you have a compelling point of view.

Implementing an effective cybersecurity strategy is no different. You must be aware of your client’s business priorities, their network infrastructure, and the largest perceived security threats to identify which software and solutions will be critical for cybersecurity protection.

Lacking a coherent strategy from the start can lead to serious cybersecurity mistakes, including gaps in your clients’ defenses. The result: lost, corrupted, or stolen data, which leads to lost customers and revenue. MSPs must also safeguard their own data, as the rapid growth of the global managed IT services market makes this sector an increasingly attractive target.

What is a cybersecurity strategy and how does it work?

A cybersecurity strategy is a high-level, comprehensive plan to protect an organization’s IT infrastructure—including data, applications, networks, and other assets—from cyberthreats. It is a detailed framework that breaks down your approach to building up defenses, proactively managing risks, and ensuring the integrity and security of IT resources.  Key components include:

  • Goals and objectives to guide overall efforts, such as aligning with compliance regulations and minimizing the chances of a breach.
  • Security policies and processes over areas such as access authorization, data storage and usage, and backups.
  • Security technologies and tools, such as encryption, platforms for monitoring and detection, and antivirus software.
  • Risk assessment to identify and evaluate potential vulnerabilities and threats the organization may face.
  • Specialized cybersecurity training to help employees develop a security mindset and recognize potential threats.
  • Budget and resource requirements and allocation based on the overall strategy.
  • Communication and reporting processes to provide insights on activities and findings as well as to function effectively during a security incident.
  • An incident response plan to guide team members in quickly addressing, recovering from, and remediating attacks and breaches.

Designing and implementing a cybersecurity strategy requires close attention to the specific security needs of an organization and its infrastructure. It typically begins with a risk assessment to evaluate the current state of organizational security, then evolves into goal setting, policy development, technology selection, and solution implementation. Once the strategy has been executed, your client’s employees will need training on the security requirements and processes.

This process can be time-intensive, but cybersecurity planning should not be rushed. A flawed or incomplete strategy can lead to cybersecurity mistakes which can have disastrous consequences for your clients as well as your business. These include:

  • Preventable data breaches.
  • Vulnerability to new and emerging threats.
  • Operational disruptions or outages.
  • Regulatory scrutiny or fines.
  • Business downtime and lost revenue.
  • Damage to professional reputation and customer trust.

Mistakes that hurt a cybersecurity strategy

Even with comprehensive planning, it can be all too easy to fall victim to common cybersecurity mistakes. These are some issues to be aware of as you work with clients to develop and implement their plans.

Lacking a cybersecurity policy

While a cybersecurity strategy is a high-level plan that outlines an organization’s approach to security, a cybersecurity policy provides specific rules and guidelines to ensure all employees comply with best practices and established processes for daily operations. Yet, half of small to medium-sized businesses still do not have a policy in place.

MSPs can help clients protect their assets and operations by guiding them in the development of a security policy. In fact, there are endpoint policy management solutions that can help guide you in expertly developing an end-to-end protection policy for customer networks, users, apps, and data.

A strong cybersecurity policy should cover:

  • Access and user authorization procedures and standards.
  • Processes for reporting an incident.
  • Data encryption and proper storage.
  • Password requirements.
  • Any specific regulatory requirements, such as those related to GDPR or HIPAA.

Failing to do comprehensive risk assessments

Risk assessments can proactively identify potential risks and vulnerabilities in your clients’ network infrastructure, applications, and data security. Knowing those risks is essential to building a cybersecurity strategy that provides the most effective protection possible.

Without guidance from an MSP, it may be tempting for organizations to skip this step. They may feel their business is not a target, that their current practices already provide sufficient protection, or that they already understand the risks at hand. SMBs or mid-size organizations may also be overwhelmed by the scope and complexity involved in conducting a risk assessment. But avoiding this proactive step can lead to much larger costs should a data breach or system failure occur.

Let’s say an online retailer hasn’t done a risk assessment in several years, during which time cyberattacks have become much more sophisticated. A hacker could identify a vulnerability in the retailer’s website and use it to gain access to the customer database, exposing addresses, credit card details, and more.

Risk assessments should be conducted regularly to identify and prioritize vulnerabilities that could be exploited by attackers. Risk assessment tools like threat intelligence can help monitor and assess current and emerging threats and the chances of them being used against your clients.

Ignoring the human factor

We noted in the last chapter that human error is involved in the majority of cybersecurity issues, but effective training and internal processes can help mitigate this risk. Here are a few ways to help prevent cybersecurity mistakes:

  • Train clients to recognize potential phishing scams and other attempts at hacking into a system or using social engineering to gain access. Phishing alone accounts for 90% of data breaches.
  • Implement security features like privileged access management and multi-factor authentication as added protections for password management. Remote desktop support software can be leveraged to help end users configure device security settings, as well as to detect and flag suspicious emails.
  • Ensure employees at client organizations know how to quickly report suspected incidents and create a safe environment for them to do so.
  • Outline clear policies that spell out requirements for handling sensitive data.

Finally, outsourcing cybersecurity strategy to an MSP is another way organizations can identify and address potential blind spots to ensure their security program delivers the protection necessary.

Failure to build a comprehensive incident response plan

An incident response plan (IRP) ensures you have an organized and structured approach to addressing and mitigating security events. Clearly defining roles, responsibilities, and processes can help you and your clients respond quickly to contain a breach or defend systems from an attack.

Business leaders may table an IRP in favor of other initiatives deemed higher priority, or they may not believe their organization is large enough to merit one. However, without a comprehensive, documented plan in place, organizations may take too long to act when a cyberattack or breach does occur. Lack of preparedness can result in lost or leaked data, system corruption, business downtime, and lost revenue.

For example, let’s take a community financial institution that offers investment services to customers. They failed to prepare a thorough incident response plan, assuming their IT team would know what to do should a security threat arise. One day, threat actors used a known vulnerability in outdated software to gain access to customers’ account information and Social Security numbers.

What’s wrong with this situation? First, they lack any guidance about communicating with internal and external stakeholders. Once the organization confirms the scale of the breach and the types of data that were compromised, customers must be informed of the incident. The worst-case scenario is having your cybersecurity incident exposed via the media before customers are notified, which will harm your revenue and your reputation.

You can avoid such mistakes by working with clients to:

  • Categorize and prioritize steps in responding to incidents.
  • Assign roles and responsibilities to teams or individual employees.
  • Develop a plan to communicate with internal and external stakeholders and the public.
  • Conduct simulations and drills to ensure familiarity with the plan ahead of time.
  • Determine what you will do if you need to perform business continuity services from a remote location.

As an additional layer of protection and 24/7 triage, some MSPs choose to partner with a third-party incident response service. Outsourcing incident response support can provide real-time incident management, guidance, and analysis to help MSPs quickly investigate and respond to critical security incidents. Quicker incident remediation results in less client downtime and better security outcomes.

Not building compliance into your strategy

Compliance requirements are integral to an overall cybersecurity strategy, especially for organizations in highly regulated industries such as finance or healthcare. In these cases, proactively integrating compliance into your cybersecurity strategy is essential to ensuring business continuity.

You can stay ahead of changes in cybersecurity laws and legislation by keeping up with regulating bodies and monitoring any changes or updates to compliance requirements. Failing to comply with industry compliance requirements can make organizations more vulnerable to attacks and more susceptible to legal action, financial penalties, and public scrutiny. For example, in 2022, Ireland's Data Protection Commissioner (DPC) fined Instagram $403 million for violating GDPR requirements related to children’s privacy.

Integrating compliance standards at the industry and regional level will help safeguard your cybersecurity strategy and allow you to cater to more specialized industries, where compliance know-how can give you a leg up on the competition.

Pricing and packaging flaws

Ineffective pricing and packaging of security services can prevent you from providing the level of support or value your clients demand. For example:

  • Keeping it simple helps the client understand, shortens your sales cycle, and makes it easier to pitch.
  • A one-size-fits-all pricing model may not reflect the advanced needs of a client with specialized requirements, leading to insufficient measures in critical areas.
  • Underestimating the value of your cybersecurity services could lead you to spend too many hours or resources on clients, limiting your ability to provide them with the appropriate level of protection.
  • Inflexible pricing structures or hidden costs can strain a company's budget, leading clients to reduce essential services or neglect critical upgrades.

You can avoid these kinds of cybersecurity mistakes by:

  • Following the most popular packaging model today, per-user or per-device pricing; in practice, you may find yourself implementing a “good, better, best” scenario.
  • Offering tiered service levels based on security requirements, such as gold, silver, and bronze.
  • Customizing service packages for different industries, such as healthcare, businesses that work with the government, or retail.
  • Reviewing customer cybersecurity insurance forms and ensuring your packages align with “checking the important boxes.”
  • Incentivizing proactive planning as a more cost-effective solution.

Overall, it’s vital to be transparent about your pricing strategy and communicate clearly with clients about the services they will receive and the value of said services. Clients don’t want to be nickel-and-dimed for smaller services or things they don’t need. Providing detailed information about your pricing structure can make clients feel more confident about your services and their decision.

Watch our webinar, Cybersecurity Pricing and Packaging Techniques, for more tips on developing an effective pricing strategy.

Assuming clients are tech experts

When you’re immersed in a topic, it’s common to assume that others know what you’re talking about. But assuming clients are current with the latest threats, technologies, and even industry jargon can be a cybersecurity faux pas.

Communicating clearly with clients can help you understand what their needs are, while helping them understand exactly how your services will keep their digital assets safe. Focus on their pain points and protection needs, then make an informed recommendation. To make sure you are communicating effectively, consider these practices:

  • Aim to solve business problems with solutions.
  • Keep it simple.
  • Determine your clients’ level of technical knowledge and preferences for receiving information, such as visuals versus written content.
  • Focus on concrete steps and outcomes instead of technical processes.
  • Optimize talking points and materials for readability and comprehension by the average person, not the average IT tech.
  • Review plans and documents with clients in real time and encourage them to ask questions about anything they don’t understand.

Failing to hold yourself to the same standards you apply to clients

MSPs must lead by example. This means you should hold your cybersecurity strategy to the same standards you would for your clients. Aside from the hypocrisy of failing to practice what you preach, MSPs are susceptible to many of the same threats they are protecting clients from. It happened: in 2022, someone on a hacker forum bragged about gaining access to 50 US businesses through an MSP.

Investing in new or improved infrastructure or applications can be necessary as your business grows. As legacy software fails to keep up with the evolving threat landscape, your security stack may need to evolve as well. Partnering with a third-party MSP software and solution provider can help remove some of the complexities of building a cybersecurity stack internally while delivering improved security protection.

If it’s not a habit already, stay abreast of developments and updated best practices via industry resources and forums, specialized training, communities like The ITNation, and other educational resources. The ConnectWise Cyber Research Unit is another great resource to help keep you informed on the latest in threat intelligence.

Inability to adapt (or adapting for the wrong reasons)

In our last chapter, we covered how to adapt to the changing threat landscape in cybersecurity. However, changes should be founded on reliable information and carried out swiftly.

For example, threat intelligence is only useful if what is learned from it is acted on before an attack occurs. To encourage quick adoption and implementation, consider integrating adaptation into your service offerings. This service can be promoted as a method of continuous improvement that keeps your clients safer and prevents cybersecurity mistakes from happening.

Of course, staying on top of new technologies, including the role of automation and AI security, is key to future-proofing your cybersecurity practice. Ignoring AI makes your clients more vulnerable to attacks and puts your MSP at risk of falling behind client and market demands.

Cybersecurity solutions to help avoid strategy mistakes

A flawed strategy and its resulting mistakes are often the result of limited resources, cost limitations, or teams simply being stretched too thin. With the right mix of training, processes, and technologies in place, your MSP will be able to deliver superior security protection for your clients while supporting future scale.

A sound cybersecurity strategy requires software and solutions you can trust to protect your clients’ critical data, and your reputation. From automated threat detection and endpoint response to dark web monitoring, the ConnectWise Cybersecurity Management platform is equipped with the solutions to take your business to the next level. Learn more about the benefits of building your cybersecurity practice with ConnectWise by starting a free demo of our cybersecurity suite today.

FAQs

A cybersecurity strategy is a comprehensive framework designed to protect an organization’s entire digital infrastructure, including assets, information, and systems, from attacks and threats.

The U.S. national cybersecurity strategy helps protect our economy, infrastructure, democratic institutions, and national defense. It focuses on five pillars, as listed in the government’s report:

  • Defending critical infrastructure
  • Disrupting and dismantling threat actors
  • Shaping market forces to drive security and resilience
  • Investing in a resilient future
  • Forging international partnerships to pursue shared goals

Yes. A PDF of the entire plan by the Biden Administration, dated March 1, 2023, is available to read or download here.