Why MSPs Should Focus on Cyber Resilience, Not Just Security

In the language of protecting businesses against cyber threats, terms have evolved. While “cyber security” is still a critical core issue, it describes only the attempts to keep systems safe with no specific outcome. And while “cyber certainty” is currently an impossibility for a functional organization, there should be a significant effort to create “cyber resilience,” or a framework to allow a company to weather a threat, bending instead of breaking in the face of an attack.

What Is Cyber Resilience?

Cyber resilience describes an organization’s ability to carry on with critical core business functions and protect business continuity and data security even in the event of an attack, outage, user error, or another serious incident with the potential to interrupt operations. The goal of cyber resilience is achieved through cybersecurity and monitoring and represents an important element of business continuity and disaster recovery (BCDR) functionality. Many organizations that have achieved cyber resilience have done so using the National Institute of Standards and Technology (NIST) framework, which is based on five core functions: Identify, Protect, Detect, Respond, and Recover.

cyber 5 step assessment diagram from NISTSource: NIST

Businesses of all sizes need a robust cyber resilience framework to protect systems and data if they’re to weather twenty-first-century threats that may result in adverse events. It’s unrealistic to expect an organization will never face a threat, today or in the future. What’s important is to design a solution that’s fault-tolerant for when the inevitable happens.

A Continuous Improvement Process

For managed service providers, it’s essential to help clients understand that cyber resilience is a continuous improvement process rather than a product, or even a one-and-done service. Threats are continually changing, and any framework to combat them will, by definition, need to continually evolve in all three critical areas of cyber resilience: people, processes, and technology.

Security experts recommend that companies have a dedicated talent pool to maintain the cyber resilience process. While this is impractical for many small to medium-sized businesses (SMBs), this is where MSPs can gain a valuable foothold in selling the idea of an ongoing and dedicated cyber resilience initiative to clients. MSPs have an opportunity to craft continuous protection programs for cyber resilience that will empower their clients while at the same time generating highly profitable, recurring revenue.

The Competitive Advantage for MSPs

Today’s successful managed services providers often establish cyber resilience programs for their own organizations to prevent negative fallout from events like ransomware or data theft. It’s not simply about evangelizing a service they have the potential to sell to customers: the advantage is that MSPs are already experts based on their own in-house efforts. This expertise can go a long way toward persuading client companies that cyber resilience is best put into the hands of their MSP, which already has in-depth knowledge of the client company’s IT operations.

Small to medium-sized businesses that do not have dedicated cybersecurity personnel who keep a continual eye on adapting to threat potentials may not understand how pervasive the danger of an attack is. An important point to communicate to customers is that they may feel confident in their cyber resilience because they have a product in place, but there’s a reason that the word “technology” comes last in the phrase “people, processes, and technology.” Ultimately, cyber resilience is people-driven, and over-confidence in a solution and automation can be a grave error without human intelligence to adapt the technology and processes to evolving threats. The personnel involved in threat monitoring need to be experienced, threat-aware, and educated in best practices.

Raising Client Awareness of Cyber Resilience

One of the best ways to help clients understand why they need an ongoing cyber resilience program is to offer to carry out a threat analysis. This vulnerability review will involve auditing the client’s cybersecurity positions to identify potential gaps and a lack of failover capability. This audit could be performed by the MSP’s own employees or in conjunction with CISA, the Cybersecurity, and Infrastructure Security Agency.

CISA offers a voluntary, non-technical assessment at no cost to companies that seek it. The review – either a self-assessment or an onsite procedure conducted by DHS personnel — assesses an organization’s operational resilience and cybersecurity practices, including risk management, incident management, service continuity, and more, to measure existing organizational resilience and provide a gap analysis for improvement.

With an assessment complete, MSPs are well-positioned to help clients understand the need for additional people, processes, and technology to raise the company to the level of cyber resilience. This may include a revamp of technologies such as firewalls, VPNs, anti-malware solutions, patching and firmware, remote monitoring and management, and a dedicated team of personnel who can ensure technology and processes are as robust as possible.

Spending Money to Save Money

During an audit is the perfect time to help clients understand the benefits of migrating cyber resilience processes to the cloud to remain vigilant about ongoing threats and build a program of proactive defense that will protect them against the high costs of downtime in the future. Research conducted by Accenture has found that organizations identified as “cyber champions,” or companies with a high level of cyber resiliency, have reduced the cost of breaches by between 48 to 71 percent compared to a more vulnerable organization. This is evidence that elevating their cyber resilience performance, in the long run, is a smart financial move.

Clients should understand that a dual approach is necessary: a cyber security solution will help block many attacks, but when one inevitably slips through the net, a cyber resilience strategy will be in place to minimize the impact of that attack and forestall negative fallout on the business.

Utilize a Cybersecurity Playbook as Your Guide for Incident Response

A cybersecurity playbook is an all-encompassing, organization-wide manual that dictates precisely what actions to take when data loss occurs. It combines an incident response checklist and plan (IR plan) with a business continuity plan (BCP) to guide you through a cyber incident from initial discovery to preventing a reoccurrence. Sometimes these plans can be incorrectly referred to interchangeably, but the significance of differences is key to creating an ironclad cybersecurity playbook.

Many MSPs think incident response, or a disaster recovery plan, is good enough. In fact, a cybersecurity playbook is necessary to ensure true business continuity before, during, and after an event. Incident response defines the processes for identifying an issue, reporting on it, and how communicating. A cybersecurity playbook includes incident response and then goes above and beyond. Playbooks are comprehensive across an organization and are reviewed and practiced quarterly. Regular upkeep identifies new threats; ensures information accuracy; confirms the ability to adequately address current business needs; and serves as a complete manual and map for preventing, addressing, and recovering from incidents varying in criticality. There are five critical pieces addressed in a cybersecurity playbook:

  1. Protection
  2. Detection
  3. Communication
  4. Response
  5. Recovery

And don’t forget to test – your disaster recovery process should be as tight as possible.   Check out Axcient’s Disaster Recovery Planning and Testing Playbook for best practices and tips on building a structured planning and testing framework. This comprehensive guide includes a curated list of current security policies, frameworks, and standards, common pitfalls to avoid, guidance for supporting remote workforces, and MSP-centric DR Testing tips, including free tools.

Ready to Advance Beyond Backups?

The steady rise in sophisticated cyber threats means attacks are more frequent and recovery more complex, and state regulators and cyber insurance companies are pressuring MSPs to up their security game – or face significant consequences. Download our eBook, 10 Ways for MSPs to Level Up From Backup to Business Continuity, to explore how MSPs can improve the overall dependability and profitability of their backup and BDR offerings.

Get the eBook: Backup is Dead: Long Live Business Continuity

More Great Stuff From Our Blog:

Check out some other interesting pieces from our blog: Check out Part One of our Sales and Marketing Quick Guide for MSPs: Lunch and Learns,  Learn how DRaaS Opens New Opportunities for Managed Services Providers, and get the skinny on how Axcient supports partners with No-cost Onboarding and Ongoing Trainingwe dove into how chain-based backup works and why chain-free is the way to be, we talked with Jason Phelps from Huntress Labs about planning for the next ransomware attack, our CEO David Bennett explains why the current cybersecurity landscape means traditional backup is dead, or learn how you can ditch pricey on-site appliances with Local Cache for Direct-to-Cloud BCDR.