Technical controls only take you so far. You need to pay attention to the human element as well. This means setting sound security policies and training both your team and customers on the essentials, like creating strong passwords, recognizing phishing, and exercising caution around transferring data. However, training can’t stop with one or two sessions; people learn and change behavior based on repetition. This requires constant practice. Remember, you want to build a strong security culture both for your customers and for your own team.
For your customers, consider sending periodic email reminders of security best practices to their user base. For example, one month you could remind them of the importance of password security, then the following month you could point out the signs of potential phishing scams. This helps to keep your customers safe while also reinforcing your MSP’s value to customers. You could even look for a phishing simulation solution to help send convincing, fake phishing emails to test people’s readiness and offer additional training to those who mistakenly click on them. However, if you do any testing or simulations, consult with legal counsel to make sure you have the appropriate forms and permissions from the customers.
It’s also important to make sure your own technicians prepare for security incidents. You should start out by setting a strong incident response (IR) plan for your MSP. Train your team so they know what they’ll do during a security crisis, what roles they’ll play, and how they’ll communicate with customers.
Don’t stop there. You also want to practice and drill for these scenarios. In my experience, when people first face a new security challenge (or even their first security incident), they tend to freak out. Even if the incident is minor, new technicians can panic, slowing down response times and increasing the chances of making mistakes. If you want your team calm and clear-headed, run through incident response drills by simulating cyberattacks. Not only will this help your team during an actual crisis, but you may also spot holes in your current IR process. For example, you may find some team members need additional training or they may need additional technology to push out patches more quickly.
Are you forgetting something?
Running an MSP takes a lot of time and energy. Sometimes, you can get so wrapped up in the day-to-day that it’s easy to lose sight of some elements of security. So don’t forget to focus on risk to help strike a balance between security and convenience. Additionally, make sure to periodically remind customers of security best practices, and drill your team on potential incidents before a crisis hits. These tips can help you keep your customers safe, productive, and, hopefully, happy for the long term.
Note: This is part four of our National Cybersecurity Awareness Month series. You can read all the posts so far here.
As mentioned earlier, you need to make sure to protect your riskiest assets and accounts. SolarWinds® Passportal + Documentation Manager is designed to help you prevent unauthorized access to systems by helping enforce password best practices across your team. It lets you automatically generate strong passwords, set password policies such as expirations and password refresh requirements, and quickly grant or revoke access as needed to give your team access on a “need-to-use” basis. Learn more by visiting passportalmsp.com today.
Rani Johnson is chief information officer for SolarWinds.