With the introduction of cloud and mobile systems, AI and other technologies, the management of cybersecurity has developed many facets as companies deal with the expansion of the threat landscape.
And in many ways, the field of cybersecurity is a reaction to the ways enterprise IT evolves. However, as businesses continue to go through digital transformations and aggressively pursue technological advancements, many continue to put the need to address cybersecurity concerns on the back burner.
During a panel at CompTIA ChannelCon 2023 a group of leading cyber experts detailed the critical role managed services providers (MSPs) play in ensuring that their clients know the importance of cybersecurity and the detrimental repercussions of not protecting themselves against threat actors. Here’s what they had to say.
Encouraging An Organizational Culture Shift
A major problem many MSPs face is being able to get their clients to understand the risk involved when they don’t implement cybersecurity at their company. No one expects to be the next victim of a cybercrime, and all too often business leaders operate under the mindset that they are just a small business with nothing worthwhile to steal, suggested Scott Augenbaum, former FBI agent, cybercrime prevention trainer, author and keynote speaker at CyberSecure Mindset.
But in reality, a cyberattack can happen to a business of any size at any time.
“As someone who serves many 15- to 150-employee companies, many [business owners] say things like, “we’re not going to do anything because what we’ve been doing has worked for years and years, so why should I do anything differently now.” It is a fight every day to convince them that the threat actors are moving down market just like many companies are,” said Jason Slagle, president, CNWR. “We need to stop treating technology like it’s a toaster, where if it breaks you just go buy a new toaster. We need to start treating it like a car that you take for oil changes, that you service and keep it up to date, it’s a mindset shift.”
This mindset shift isn’t just something that needs to happen on an individual level. For change to occur, there must be a shift in organizational culture, where everyone within a company understands the risks, where they’re coming from and does what they can to protect against cyber threats.
“It is an organizational culture issue that is systemic across America. In the same way that in the 50’s people scoffed at having to wear a seatbelt because they had been driving that way with the kids in the back for so long,” said Joy Beland, vice president, partner strategy and cybersecurity education, Summit7. “We have to address this at a human level with people and processes.”
Educating clients in a way that resonates with them is incredibly important, urged Nett Lynch, virtual chief information security officer, VC3. “Part of the conversation about risk is talking to them on a level they’ll understand that means something to them, so if you’re talking with a client and they’re not understanding risk, and they’re looking at it as an expense, talk to them on their level,” Lynch said. “If they want to talk about numbers then quantify every bit of risk they have in the organization.”
By breaking down cybersecurity attacks in ways that make sense to your clients you can help them realize that cybersecurity is no longer a nice-to-have benefit, but a necessity for all business looking to stay secure.
Don’t Get Discouraged—Cybersecurity Is a Journey
It’s no secret that cybercrime is increasing every day, threats are changing monthly, weekly and even daily. And while there are strategies and tactics that MSPs can deploy to mitigate risk and keep themselves and their clients secure, being prepared to protect against threats doesn’t happen overnight.
“There are pathways to success when it comes to cybersecurity, and it comes by iteration, hard work, and blood, sweat and tears. You’ve got to put the hard work in,” said Wes Spencer, vice president of cybersecurity strategy at CyberFox.
And while ensuring the safety and security of data and personal information is no small task, Spencer’s advice to MSPs is not to get discouraged and to understand that cybersecurity is a journey.
A part of this journey explained Slagle is distilling the mentality that many small- medium sized business have where they get frozen in thinking, “I’m just a small business, nothing is going to happen to me.”
“What I’ve found is that clients will buy into what they understand. And a lot of times we don’t do a good enough job getting them to that level of understanding,” Slagle explained.
But how do you do this? Slagle suggested asking your clients questions such as, “Where do you want to go as a business? What do you want to grow into? As well as explaining to them how far a cyber-attack may set them back in their growth plans. This can help put the importance of cybersecurity into perspective for a business of any size.
“One of the things that I discovered that drives me to do what I do is that almost 90% of what I dealt with throughout my career [in the FBI cybercrime unit] could have easily been prevented if my end users were holding onto recovery information,” Augenbaum said.