For most of us, when we think of Cyber Security our thoughts typically turn to high profile cases such as the Sony Pictures Entertainment hack and the Edward Snowden NSA leaks. Highly visible instances of valuable data being leaked.
But what does Cyber Security mean to the average small business? Judging by my conversations with many small business owners, there is a prevailing attitude that Cyber Security is a concern for governments, large corporations and banks — not small businesses. After all, don’t those committing cyber security crimes want to go after the big fish rather than the minnows?
Cyber Security for Small Businesses
Unfortunately for small businesses, that definitely isn’t the case. Rarely a week goes by recently without me speaking to an IT Solution Provider or Managed Service Provider (MSP) who shares with me that one of their clients who they provide outsourced IT for — typically a small business with less than 25 employees — has suffered a serious cyber security breach.
And I do mean serious.
We’re not talking an small interruption to business. The cases I’m hearing about typically involve the entire businesses IT infrastructure being taken off-line as both the business owner and their IT provider scramble to stem the damage and restore order — not to mention the post-breach audit to ascertain the scope of the data protection breaches that have potentially occurred.
According to PwC, the average cost of a small businesses worst breaches costs between £65,000 and £115,000 on average. For the average MSP, how many of your clients could afford that type of impact? Not many, I suspect.
The impact on MSP’s
The impact of poor Cyber Security for Small Businesses is high for the small business client themselves, but it’s worth being aware of the impact on the MSP who is serving them too. At best it is highly stressful for those involved, but at worst I’ve seen it impact an MSP’s ability to deliver projects to other clients and have a knock on effect that lasts for weeks and sometimes month as they throw all available resources at the Cyber Security breach.
So what can MSP’s do to mitigate the risk to their clients businesses and in turn, their own business?
There are three broad areas in which MSP’s can help their small business clients become more savvy with Cyber-Security — tools, policies and above all, education for their clients.
In the UK, Cyber Essentials is a new Government-backed and industry supported scheme to educate on Cyber Security for Small Businesses and guide small businesses in protecting themselves against cyber threats. If you’re a UK IT businesses and haven’t got involved — then you should.
But educating clients to the threat of Cyber Security for Small Businesses is an MSP’s role too. Share information with your clients through Direct Mail (a letter is often more effective than an email), newsletters, social media and importantly, in person.
Throw lunch’n’learns to demonstrate how to stay safe on-line. Nothing motivates people to give up their time and listen more than free Pizza during a lunch hour! Experience shows me that this is time well spent. As well as showing the client you care about their business wellbeing, these sessions actively reduce your own cost of support — the ROI on a Pizza, if you will.
Above that, reach out to your local Police force and offer your help as an IT Professional. I can tell you that Cyber Security is an issue that is landing on many a Chief Superintendent’s desk — and it’s an issue they want help from local businesses in tackling.
Viruses are not the only threat any more — think viruses, rootkits, malware, phishing, web threats and much more.
Many MSP’s inherit all manner of AntiVirus software from clients. As IT provider, find a product that takes care of PCs and Macs, Servers and Workstations under one license structure, and which can be managed from a single web-based management console.
I’d also recommend a product that can automatically discover and deploy to new network computers as they are found, as well as be deployed remotely to machines that aren’t permanently within the office.
A quick look at the AVTest – the Independent IT-Security Institute – shows Bitdefender Small Office Security, created by Bitdefender Antivirus, is the best performing corporate product. It’s a very competitive market.
Whichever AntiVirus product you choose, make sure to choose a product and stick with it across your clients, rather than leaving your clients to choose their own product.
Any MSP worth it’s salt should implement a Remote Monitoring and Management product. Remote visibility of all of your clients infrastructure is an investment, not a cost and is an essential Cyber Security for Small Businesses tool.
The current leader in the UK is MAXfocus and whichever RMM you choose you should invest time in configuring the vulnerability scanning and alerting, and understanding how to effectively deploy patches.
Many MSP’s I know shy away from these features taking a “If ain’t broke, don’t fix it” approach. Sadly, that approach is what leads to products not being patched in a timely fashion and vulnerabilities being exploited.
Spend the time now training up on how to use the patch management options in your preferred RMM tool. It is an investment in time that will reap rewards when you need to rapidly deploy a hotfix to a new vulnerability, or highlight a glaring vulnerability that your engineers may otherwise have missed.
I’d be shocked to find any small business not protected by a hardware firewall nowadays, yet many have firewalls that are badly configured either through neglect or through overly complex configurations.
As an MSP, make sure you regularly audit the IP ports that are open on a Firewall and the users that are allowed VPN access. It’s easy to open a port to get around a short-term problem but then forget to close that port off again, or grant an external contractor VPN access but then forget to deactivate that account when the contractor’s work is done.
Standardise on a Firewall product that your staff are trained on and familiar with.
Schedule regular audits of your clients Firewall. Backup router configurations regularly. Have certainty that the Firewall is protecting your client as it should.
Backup and Disaster Recovery
For UK Small Businesses, the common sentiment I hear is that a disaster is an earthquake, flood or other natural disaster that doesn’t affect the British Isle. In reality a disaster affecting a small business is more likely to be something like a Cryptolocker virus that wipes out an entire businesses data without the payment of a ransom to a shady cyber criminal, or a disgruntled exiting employee deleting critical client files. These are the more mundane, but very real disasters that affect small businesses worldwide on a daily basis.
As an MSP, don’t tolerate clients who penny pinch with antiquated tape or rotated USB drive backup routines. Any human element such as swapping tapes or drives inevitably leads to failed backups when you need them the most.
Help your clients invest in an automated offsite backup and disaster recovery solution which will help them get back online as a business quickly and effectively when they need it. Educate your clients that the most valuable element of their business is not hardware, but data — and it should be protected.
If you don’t have a mobile device policy in place, then implement one now. Lead by example, and then educate your clients as to why they need a mobile device policy in place too.
Mobile Device Management is a technical issue that strays dangerously close into HR territory for most small business. For instance, remote wipe a mobile device that not only contains business data but also a member of staff’s baby photos and guess how that move will be received by the member of staff affected?
While these issues might be difficult and not always about technology, they are an opportunity for MSP’s to step beyond being seen as just the “IT guy” and position themselves as being a real business advisor to their small business clients.
Do you help your clients limit authority to install software, or do you take short cuts when it’s quicker to elevate an end-user to administrator access to resolve some irritating 3rd party Line-of-Business App issue?
Limiting the administrative access your clients employees have access to is old fashioned, for sure, and it remains a solid way to mitigate risk of dodgy software being installed and causing untold grief.
Bonus points for not crumbling in the fact of your clients Managing Director who insists he needs Administrator access on his laptop, only to then complain that the Corporate network is mysteriously infected by a virus after his teenage son used his laptop to download the latest warez.
Some clients might complain, whinge, bitch and piss about the perceived irritation — but having a strong password policy, with complex strong passwords and password changes being regularly required — is important.
It’s not that difficult. Password managers such as LastPass should mean that your client never has to use the same password at multiple web sites or remember dozens of different complex passwords again.
Two-Factor Authentication is now the standard at cloud companies such as Google, Microsoft, Dropbox, Facebook, Evernote and others. If you and your clients have a Smartphone, they can use Two-Factor authentication easily.
Again, it’s all about educating the small business client. Demonstrate how easy it is to use strong passwords. Highlight the pitfalls to your small business clients in not doing so.
While most Small Businesses believe Cyber Security is a concern for governments, banks and large enterprises, the reality is that small businesses are being impacted every single day.
As an IT Solution Provider or Managed Service Provider (MSP), your job is to educate your clients about Cyber Security for Small Businesses and the risks of neglecting to protect themselves.
Because at the end of the day, when — not if — a cyber-security breach happens at your small business client, the impact will not only have a devastating effect on the small business, but your business too.