Most of us don’t think of cyber security in relation to small businesses. Our thoughts typically turn to high-profile cases such as the Sony Pictures Entertainment hack and the Edward Snowden NSA leaks: highly visible instances of valuable data being leaked.
But what does cyber security mean to the average small business?
Judging by my conversations, there’s a prevailing attitude that cyber security is a concern for large businesses only.
After all, don’t those committing cyber security crimes want to go after the big fish rather than the minnows?
Cyber Security for Small Businesses
Unfortunately for small businesses, that definitely isn’t the case. Almost weekly, I hear from a Managed Service Provider (MSP) that a Small and Medium (SMB) sized client has suffered a serious cyber security breach.
And I do mean serious.
We’re not talking a small interruption to business. The cases I’m hearing about typically involve the entire business’ IT infrastructure being taken off-line.
This means the owner and their IT provider scramble to stem the damage and restore order. And then there’s the post-breach audit of the data protection breaches.
For the average MSP, how many of your clients could afford that type of impact?
Not many, I suspect.
Cyber Security, Small Businesses and the Impact on MSPs
The impact of poor cyber security for small businesses is, of course, high for the client themselves. But it’s worth being aware of the impact on the MSP who is serving them too.
At best it’s highly stressful for those involved, and at worst it can have serious consequences. It can impact an MSP’s ability to deliver projects to other clients and have a knock-on effect that lasts for weeks.
So what can MSPs do to mitigate the risk to their clients’ businesses and, in turn, their own business?
There are three broad areas in which MSPs can help their clients become more savvy with cyber-security — tools, policies and education.
Train Small Business Employees on Cybersecurity
Cyber Essentials is a UK Government-backed, industry-supported scheme. It educates SMBs on cyber security and how to protect against threats. If you’re a UK IT business and haven’t got involved — then you should.
But educating clients about cyber security threats to small businesses is an MSP’s role too:
- Share information with your clients through your written, online and in-person communications
- Throw lunch’n’learns to demonstrate how to stay safe on-line
- Offer your help as an IT professional to the local police force
Anti-Virus as a Cyber Security Solution for Small Businesses
Anti-Virus software sits in the background and silently protects client workstations. It also proactively alerts the IT supplier to any emerging issues.
Viruses are not the only threat any more. Rootkits, malware, phishing and web threats are too.
Many MSPs inherit all manner of Anti-Virus software from clients. As the IT provider, find a single-licence product that:
- Takes care of PCs and Macs
- Protects servers and workstations
- Can be managed from a single web-based management console
- Automatically discovers and deploys to new network computers
- Deploys remotely to machines that aren’t permanently within the office
The Anti-Virus market is very competitive.
Whichever Anti-Virus product you choose, stick with it across your clients, rather than leaving your clients to choose their own product.
Any MSP worth its salt should implement a Remote Monitoring and Management (RMM) product.
Remote visibility of all of your clients’ infrastructure is an investment, not a cost. I can highly recommend Atera and SuperOps for great RMM solutions. Whichever RMM you choose, invest time in configuring the vulnerability scanning and alerting.
Make sure you understand how to effectively deploy patches.
Many MSPs I know shy away from these features, taking an “If it ain’t broke, don’t fix it” approach. That’s how products miss patch updates, which leads to vulnerabilities being exploited.
Learn how to use the patch management options in your preferred RMM tool. You will reap rewards when you need to rapidly deploy a hotfix or flag a new vulnerability.
Firewalls as Cyber Security for Small Businesses
Most SMBs have a hardware firewall, but many are badly configured through neglect or overly complex configurations.
As an MSP, make sure you:
- Regularly audit the IP ports open on a firewall
- Check which users are allowed VPN access
- Close any ports you open to make a quick fix
- Deactivate any VPN access given to an external contractor
- Standardise on a firewall product that your staff are trained on and familiar with
- Schedule regular audits of your clients’ firewalls
- Back up router configurations regularly
- Ensure the firewall is protecting your client appropriately
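One way to turn the port and VPN checks in the list above into a repeatable audit, as an added example that is not part of the original article. It assumes the firewall's inbound rules and VPN accounts have been exported and normalised into the dictionaries shown; the field names, ports, users and dates are constructed for illustration and do not come from any particular firewall product.

```python
from datetime import date

# Constructed baseline: inbound ports approved for this (hypothetical) client.
APPROVED_PORTS = {("tcp", 443), ("udp", 1194)}

# Constructed rule export. "expires" is set only on temporary quick-fix rules.
RULES = [
    {"proto": "tcp", "port": 443, "note": "client portal", "expires": None},
    {"proto": "tcp", "port": 3389, "note": "quick fix", "expires": date(2024, 3, 1)},
    {"proto": "tcp", "port": 8080, "note": "", "expires": None},
    {"proto": "udp", "port": 1194, "note": "VPN", "expires": None},
]

# Constructed VPN account export. "access_ends" is the agreed end of access.
VPN_USERS = [
    {"user": "j.smith", "access_ends": None, "enabled": True},
    {"user": "ext-contractor1", "access_ends": date(2024, 2, 15), "enabled": True},
    {"user": "ext-contractor2", "access_ends": date(2024, 1, 10), "enabled": False},
]


def audit_firewall(rules, vpn_users, approved, today):
    """Return (finding_type, subject) tuples for items that need action."""
    findings = []
    for rule in rules:
        label = f"{rule['proto']}/{rule['port']}"
        if rule["expires"] is not None:
            # Temporary rule: tolerated until its expiry date, then it must close.
            if rule["expires"] < today:
                findings.append(("expired-temporary-rule", label))
        elif (rule["proto"], rule["port"]) not in approved:
            # Permanent rule that nobody approved in the baseline.
            findings.append(("unapproved-open-port", label))
    for account in vpn_users:
        ended = account["access_ends"] is not None and account["access_ends"] < today
        if account["enabled"] and ended:
            # Access period is over but the account still works.
            findings.append(("stale-vpn-access", account["user"]))
    return findings


if __name__ == "__main__":
    for kind, subject in audit_firewall(RULES, VPN_USERS, APPROVED_PORTS, date(2024, 4, 1)):
        print(f"{kind}: {subject}")
```

Recording an expiry date whenever a port is opened as a quick fix is what makes the forgotten rule detectable at the next scheduled audit.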
Backup and Disaster Recovery
Most small businesses believe a disaster is something that happens to someone else. They think a ‘disaster’ is an earthquake or flood, not a system fault.
An SMB could suffer from a Cryptolocker virus that wipes out their data. And the only way to prevent it is to pay a criminal.
There’s also the possibility of a disgruntled employee deleting critical client files. These are the more mundane, but very real, disasters that affect small businesses worldwide and daily.
As an MSP, don’t tolerate clients who penny pinch with antiquated tape or rotated USB drive backup routines. Any human element such as swapping tapes or drives inevitably leads to failed backups when you need them the most.
Help your clients invest in an automated backup and disaster recovery solution. This will help them get back online quickly and effectively when they need it. Educate your clients that the most valuable element of their business is not hardware, but data.
And it should be protected.
As an MSP, does your business have a policy in place for mobile devices? The tablets, smartphones and laptops that your engineers access client data on?
If you don’t have a mobile device policy in place, then implement one now. Lead by example, and then educate your clients that they need a mobile device policy in place too.
Mobile Device Management is a technical issue that strays dangerously close to HR territory for most small businesses. For instance, what if you remote-wipe a mobile device holding business and personal data?
While these issues might be difficult and not always about technology, they are an opportunity for MSPs to step beyond being seen as just the “IT guy.”
Instead, they position themselves as being a real business advisor to their clients.
Do you help your clients limit authority to install software, or do you take short cuts?
Sometimes it’s quicker to elevate an end-user to administrator access to resolve an issue.
Limiting the administrative access your clients’ employees have is a solid way to mitigate the risk of dodgy software being installed and causing untold grief.
And don’t give way to the MD asking for admin access on his laptop. Because you may then have to deal with a virus that’s been installed by accident.
Make sure all of your clients have a password policy.
It should remind employees to use strong, complex passwords. And to change these regularly. It’s not that difficult. Password managers such as LastPass mean that your client stops using the same password on all sites. And they don’t need to remember lots of passwords, either.
Again, it’s all about educating the small business client. Demonstrate how easy it is to use strong passwords.
Highlight the pitfalls to your small business clients in not doing so.
While most small businesses believe cyber security doesn’t apply to them, the reality is that SMBs are being impacted every single day.
As an IT Solution Provider or Managed Service Provider (MSP), your job is to educate your clients about cyber security and the risks of neglecting to protect themselves.
Because at the end of the day, when — not if — a cyber-security breach happens, the impact will not only have a devastating effect on them, but your business too.