Risk assessments provide customers with a good understanding of their cybersecurity gaps and what they need to do – and provide MSPs with a great business opportunity.

Assessing your customers’ cybersecurity risks can help uncover gaps in their networks, opening the door to bigger conversations and further engagement. Risk assessments can be critical tools for identifying problems, planning remedial strategies, and increasing sales.

“The bottom line is that if you reduce risk, it reduces the potential for lost revenue, and we’re all in business to make money, not lose it,” said Natalie Suarez, Director, Cybersecurity Task Force at ConnectWise and member of the CompTIA ISAO Executive Steering Committee, during a panel at the CompTIA ChannelCon 2022 conference called “Selling cybersecurity from a risk perspective.”

Risk assessments should include the three pillars of cybersecurity – people, process, technology – and provide customers with a good understanding of what they have and what they don’t have to determine next steps.

“If your security posture doesn’t address all three pillars, then you’re not going to properly implement any control,” Suarez said. “The problem is that people only seem to think about technology, and if technology was the answer to all our problems, then we would have solved this problem by now. You have to consider policies and people, both internally and externally. It’s important to have EDR, SIEM, antivirus, firewall, network access, gateway, but it’s not all about security.”

Suarez outlined three methods to help customers assess their cyber posture: risk assessments, third-party vendor risk assessments, and live security awareness training. Here’s a closer look at each:

Risk assessments provide clarity and direction

Risk assessments show you’re an industry leader, know what you’re doing and help build trust with customers, all of which can ultimately improve profit margins, Suarez said.

“There are different types of security assessments, all of which provide a holistic view of an organization’s security tools and their effectiveness, including compliance audits, security assessments, vulnerability testing and penetration testing,” Suarez said.

Chris Lauer, executive vice president and CTO of Solis Security and a member of the CompTIA ISAO Executive Steering Committee, added that MSPs should be familiar with different types of assessments because each customer’s needs can be different.

“It’s good to know these terms, especially pen testing, because that term is used so loosely. Educate yourself on what they mean. There are different degrees of penetration testing, so you need to know what you’re talking about and to what extent your client needs to be tested. The number 1 issue when it comes to this is communication, in terms of what the requirements are and what you’re going to do. Are they trying to check a box or are they trying to do something that provides value?

In fact, many people want a pen test when all they really want is a vulnerability test, which is a very different thing, Suarez said. “The penetration is not necessarily purely technical. You can throw a little social engineering in there – get someone to try to be the cable company that will patch some modem firmware.

Testing by third-party vendors minimizes risks

Third-party vendor risk assessments minimize risk, and MSPs should charge for them because of the value they provide to customers, Suarez said.

“You as an MSP carry risk for customers. You have to demonstrate that you are ready for business, that you take risk seriously,” Suarez said. “Show that you are following certain standards, show examples of your policies. Ask what their other suppliers are doing to ensure their products/services are secure. You have to be aware of their other suppliers.”

Launching a third-party vendor risk assessment program does not need to be done all at once. There are a number of small steps that MSPs can use with customers to demonstrate value and ensure that the assessment is fully met. They include:

  • Create a list of third-party vendors
  • Determine how data is stored, processed and transmitted
  • Prioritize a list of vendors based on critical business needs
  • Request SOC2 or similar report
  • Assess risk and create mitigation for identified conditions
  • Reevaluate annually—add new providers as they come on board
  • Gradually expand to include all third parties

“Remember, it’s not your job to say yes or no to the salesperson. You have to present the information and help them identify the biggest risks and prioritize their remediation,” Suarez said. “This is not a one-time deal either. None of these ratings are. You should reevaluate at least once a year. It’s step by step, one small piece at a time, so it’s not overwhelming for you or your staff.”

More education means less threat

Providing security training for your customers can be a fun (and educational) way to get to know them—and let them get to know you. The training should provide a comprehensive view of the cyber landscape and also be customized to review their policy. Consider offering free training and more in-depth paid training, Suarez said.

“Expose them to the risk inherent in their companies. I recently held a training where I shared the results of our MSP Threat Report and our Cyber ​​Investigations Unit mapped these high-level threats to MITER ATT&CK framework with mitigation steps, Suarez said. “So you can teach people how to mitigate threats. You can talk about the latest common types of violations. According to the FBI’s Internet Crime Report, compromising business email is still high on the list, but theft of your crypto wallet has increased sevenfold since last year.”

Other strategies include teaching customers why they are a target, how the bad guys get in, and what their role is in protecting the company. Also important: make sure you have business owners, leaders and decision makers in the room. “If the owners and the leaders are there, it shows everybody else that this is very important, very serious, we mean it,” Suarez said.