October 22, 2020
MSPs Share Cautionary Cybersecurity Tales
If you're a managed service provider (MSP), it’s likely you realize security should be a constant focus for businesses. But do your clients feel the same way? If not, you might want to use National Cybersecurity Awareness Month as an opportunity to connect with the businesses you serve and reinforce the need for a cybersecurity strategy.
Some business owners might look at cyberattacks and think, "Well, this will never happen to me." But MSPs know there is a real risk. Two of your peers were generous enough to share their cybersecurity stories first-hand. Use these examples and the lessons learned to educate your clients and better your business practices around cybersecurity.
Our first story comes from Samantha Keller, the Director of Marketing and P.R. at EnhancedTECH.
“We always educate clients on the dangers of ransomware, but we had a customer who didn't heed our guidance when it came to security. As a result, they were a victim of a ransomware attack. Because they didn't have a proper backup and business continuity solution, they were at a total loss, and all of their data was gone. Paying the ransom was their only option. Fortunately, they had cybersecurity insurance at the time, but we had to work with a broker and pay the ransom in bitcoin to retrieve the encrypted data. It was a stressful and eye-opening experience for the client.
Fortunately, we had saved our email train with the client documenting our security recommendations and the ramifications of potential threats. Legally, this was an important asset that helped reduce our liability. I would recommend that every MSP keep an archive of your security recommendations to your clients to prepare for situations when clients refuse security solutions.”
We have partners who require their clients to sign a waiver when they refuse security solutions. That way, the MSP is not held responsible should a cyberattack occur.
Our second story comes from Mike Bloomfield, President Geek at Tekie Geek.
“Have you ever had to work through a problematic cybersecurity event? If you are an MSP in 2020, I highly doubt you’ve been able to avoid them.
We had a client where rather than providing a comprehensive strategy for them, we were only given the opportunity to provide a Datto SIRIS appliance and manage backups. Their IT provider at the time was not protecting the client adequately. As a result, they were a victim of a ransomware attack. With Datto's solution, we got them up and running within a few minutes and worked with their IT provider to schedule the data restore. We restored their data and the very next day, received a call that ransomware had hit yet again. After this second attack, the client asked us to perform a security assessment. We discovered that all 40 employees had Domain Admin access and were able to find the employee who was continuously running a compromised Word document. The two attacks and our assessment findings resulted in the client firing their IT provider and hiring us to handle everything, including full managed services, including business continuity.
Throughout this process, I learned that even if the client thinks they are adequately protected, it's always necessary to perform an assessment. Not only is an assessment a huge sales opportunity, but it is also a significant step toward properly protecting your client. We proved the previous IT provider was not properly protecting them, and sold our value through our security assessment.
Another item to consider is your technology stack. It's best if you have a multi-faceted stack; endpoint protection is not enough. Your stack has to protect every employee, every time. This goes for email, network, endpoint, access control, privilege control, and on and on. If you're an MSP, make sure you offer a complete security stack and protect all of your clients. Security shouldn’t be optional!”
Looking for better ways to educate your clients on cybersecurity? Take a look at our one-pager for nine tips MSPs can share with clients to help them up their cybersecurity game.