Handling Risk Conversations with MSP Customers

N-able
05/12/2026

Transcript


I think, a good enough job at properly protecting their customers from all the different cyber attacks that we're seeing. And that is in turn unwillingly causing exponential risk for the MSP, because weak customer security leads to weak MSP security. And so from a program design standpoint, another question that I get asked quite regularly is, how many programs should I have? How many tiers? How many levels should I have? Does that bronze, silver, gold tier structure still work? And my answer has always been, you don't want to create different levels of programs for the sake of creating different levels of programs. You really do want to think about, what's the philosophy around the program offering? And what are you looking to achieve with each distinct level? If you are thinking you need to offer multiple programs or multiple tiers. And with our new program design structure that I'm going to be going through, we want our priority to be focused on mitigating that insider risk, mitigating the risk that the human element inherently brings to an organization when it comes to managing cyber threats. And I know a lot of the times, you know, and what I've said a lot so far, you know, security, I've been talking about security, cybersecurity, but the conversation that MSPs really need to be having with their customers really shouldn't be so much on security, but more about risk. Risk identification, risk tolerance, risk mitigation, and then who's ultimately going to own that risk. Because security does tend to be binary, you know, are you secure or are you not secure? And that's not really the conversation that we want to be having, because it really isn't so much around whether a business is secure or not. It's really about how much risk are they exposed to, and how much ownership of that risk do they want to manage themselves versus how much of the risk do they want to offload and transfer over to you as their MSP? 
And then you as their MSP, are you willing to take on and accept that risk on behalf of your customers? And if you are, at what price? And so much of that business risk does come down to the end user, because we know that, you know, at least in one stat, 82% of the time, employees tend to be the cause, a lot of the reported breaches, because there is a lot of potential risk that happens between, you know, kind of this chair and that keyboard. And so we really want to design our programs so that you're doing as much as you can to kind of bubble wrap end users to avoid a breach from occurring. But besides the insider risk, there's other risks that we need to factor in as well, when we are trying to determine a company's overall risk rating. So we want to also look at the industry that they're in, whether that industry is regulated or not. We want to look at the annual revenues, their employee size, the amount and type of data that they're going to be collecting. We're also interested in what types of vendor partnerships they may have. And then we use all of this information that we have to then determine, you know, what would be the best programs that we have to put in place to help mitigate this risk. So we look at risk as being on a scale, you know, we have low risk businesses, medium risk businesses and high risk businesses, and an organization's risk rating is really going to depend on their industry, their compliance requirements, their size, the revenues and the type of data that they're collecting, the partnerships that they have. And so some businesses, because of the vertical that they're in, the size of their annual revenues, they are going to be exposed to higher levels of risk and therefore they're going to need a much more advanced or comprehensive type of security package, while you may have other businesses that you're coming across or that you may serve today that have lower levels of risk and they may not require such an extensive package. 
And so the key to program design really comes down to understanding your customers. Or maybe you're looking at changing markets, so having a good understanding of the new markets that you want to target so that you can understand their business, their industry, their compliance requirements, their business risk exposure, and then use all that knowledge to figure out, you know, what programs do I need to build that are going to help mitigate and lower that risk and that breach impact accordingly. But again, a lot of MSPs, they're kind of shying away from having these security and risk conversations because they're just afraid of the pushback and the objections that they're going to get from their customers and having their recommendations rejected. And that's why I'm going to have a bootcamp coming up on how to address that, because this is part of your job as their MSP. You have a role to play in all of this. Given the environment today, it is important that we are having these difficult conversations with our customers and we don't want to avoid them. So I want to, you know, have a whole bootcamp dedicated to how do you deal with the pushback in as confident a manner as possible, because it is part of your due diligence. It is part of your role to educate your customers on how they can avoid becoming a potential target for attack, especially if you know that there's gaps or there's deficiencies or holes in their coverage. And that is, you know, changes are going to be needed and how to better protect them. And I think the big message that I like to give is that we can no longer absolve clients of their bad decisions, you know, if they don't want to listen and implement your new security recommendations. 
So part of the program design process, kind of the first step, if you're looking at starting all of this, is to conduct a review of your customer base first, so that you can assess each client's overall risk rating and their risk tolerance, because this exercise is then going to help you determine how many program levels you may need to build and go to market with. And so it doesn't have to be anything extensive, it's just basically, you know, pulling up a blank spreadsheet, listing out all of your customers along the side, and then just putting a simple risk rating along the top of high, medium and low with respect to their risk level. And so just to kind of help with that categorization, how do you determine who's low risk, who's medium risk, who's high risk, I define a high risk business. And therefore, any high risk business would require a more comprehensive, advanced, higher end security package. It would be any business that has to adhere to any type of regulatory compliance standard. So any business that resides in the banking, financial, healthcare, educational sector, I would consider a high risk business. Or any business that is large in size, and therefore they've accumulated vast amounts of data that would be attractive to adversaries. And if they have a large base of employees that would have access to this highly sensitive system and have access to this vast amount of customer data, I would consider those high risk businesses. A high risk business would be considered if they have extensive partnerships or relationships with other key businesses or organizations. So by extension, you could think that their employees would also have access to this information as well. And a high risk business would be a business that should they get breached, or should they experience some sort of ransomware attack that was successful in stealing their data, it would be detrimental to that business. 
And it could possibly result in irreparable harm, or even put them out of business. So it could be an extinction event for them. A medium risk business, and I still think a medium risk business would probably tend towards more of an advanced or a higher end program, but a medium risk business, they do have attractive data, they do have attractive relationships, partnerships, but they just kind of have a smaller footprint in terms of their data volume, their company size and overall revenues. But I think they would still be considered a target just because of the type of data or the access to data that the employees would have. And then I would classify a lower risk business, and therefore they would probably just need kind of an essentials security package. These would be, you know, kind of smaller firms in terms of their size, they typically have a smaller number of employees, they may have limited partnerships, they're collecting, storing limited amounts of data, likely because a lot of their processing, especially financial processing, is likely outsourced to a third party company, so it's not completed in house. It's also a company that doesn't find itself falling under any sort of regulatory compliance standard, and if they were breached, likely won't be detrimental to their business. Their business would likely survive, so the breach impact would be low. But in saying all of that, CISA's finding that small businesses are actually three times more likely to be targeted by threat actors than larger organizations. So just because, you know, we might be thinking that they're low risk, they're still very much on the radar of the bad guys, and they remain on the radar of the bad guys, because attackers know that these types of companies are not making the proper investment in their cybersecurity protection coverage like they should. 
And they are the ones that MSPs are still accommodating, and MSPs are still allowing them to kind of keep with the status quo, because they fear losing the money. They fear losing that revenue that they're earning from them. And so these smaller companies, they're actually seen as being very easy targets for the bad guys to go after, and they're having really good success, because these are the organizations that are pretty lax in terms of their security, and unfortunately their MSPs are allowing them and accommodating this. And so although, again, we may have low risk type of customers in our segmentation process, there is still a minimum level of security that has to be implemented and enforced by you.

TL;DR

  • MSPs must shift from binary security conversations to risk-focused discussions covering risk identification, tolerance, mitigation, and ownership transfer, as weak customer security creates exponential risk for the MSP itself.
  • Customer segmentation should be based on industry, compliance requirements, company size, data type/volume, and partnerships to determine appropriate security program tiers — not arbitrary bronze/silver/gold structures.
  • Insider risk drives 82% of breaches, making end-user protection the primary design priority for MSP security programs through comprehensive coverage that addresses the human element.
  • Small businesses are three times more likely to be targeted by threat actors than larger organizations because they underinvest in security and MSPs accommodate inadequate protection to avoid losing revenue.

Shifting from Security to Risk-Based Conversations

This presentation reframes how MSPs should approach customer security discussions by focusing on risk rather than binary security status. The speaker emphasizes that weak customer security creates exponential risk for MSPs themselves, making proper program design critical. Rather than asking whether a customer is secure or not, MSPs should focus on risk identification, risk tolerance, risk mitigation, and risk ownership. The conversation centers on how much risk customers are exposed to and how much they want to manage themselves versus transferring to their MSP. This approach acknowledges that 82% of reported breaches involve employee-related causes, making insider risk mitigation a primary design priority for security programs.

Risk-Based Customer Segmentation Framework

The presentation introduces a three-tier risk classification system for MSP customers: high, medium, and low risk. High-risk businesses include those with regulatory compliance requirements (banking, financial, healthcare, education), large organizations with vast data stores, companies with extensive partnerships, or those where a breach could be an extinction event. Medium-risk businesses have attractive data and partnerships but smaller footprints in terms of data volume and company size. Low-risk businesses are typically smaller firms with limited employees, outsourced financial processing, no regulatory requirements, and lower breach impact. However, the speaker notes that CISA findings show small businesses are three times more likely to be targeted than larger organizations, as attackers know these companies underinvest in cybersecurity and MSPs often accommodate inadequate security to retain revenue.
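The customer-base review described in the talk (a spreadsheet with customers down the side and a high/medium/low rating across the top, then a package per rating) can be written down as a small scoring rule. The block below is an added example, not code from the talk, N-able or Truth in IT. It applies the talk's criteria in order of severity: a regulated sector, a large organization with vast data, extensive key partnerships, or a breach that would be an extinction event all rate high; attractive data or partnerships with a smaller footprint rate medium; everything else rates low. The numeric thresholds, the package names ("comprehensive", "advanced", "essentials") and the sample customers are assumptions constructed for illustration; the talk gives none of them. The distinct ratings that actually occur in the base are what tell you how many program levels to build.

```python
from dataclasses import dataclass
import csv
import io

# Sectors the talk names as regulated and therefore high risk.
REGULATED_SECTORS = {"banking", "financial", "healthcare", "education"}

# Numeric thresholds are assumptions for illustration; the talk gives no numbers.
LARGE_EMPLOYEE_COUNT = 250
LARGE_RECORD_COUNT = 100_000
EXTENSIVE_PARTNERSHIPS = 5
ATTRACTIVE_RECORD_COUNT = 10_000

# Package label per rating (assumed names; the talk speaks of an "essentials"
# package for low risk and an "advanced or comprehensive" one for the rest).
PROGRAM_FOR_RATING = {"high": "comprehensive", "medium": "advanced", "low": "essentials"}


@dataclass
class Customer:
    name: str
    industry: str
    employees: int
    sensitive_records: int          # volume of customer/sensitive data held
    key_partnerships: int           # relationships with other key organizations
    breach_is_extinction_event: bool  # would a successful breach end the business?


def risk_rating(c: Customer) -> str:
    """Apply the talk's high/medium/low criteria, most severe first."""
    regulated = c.industry.lower() in REGULATED_SECTORS
    large = (c.employees >= LARGE_EMPLOYEE_COUNT
             or c.sensitive_records >= LARGE_RECORD_COUNT)
    extensive = c.key_partnerships >= EXTENSIVE_PARTNERSHIPS
    if regulated or large or extensive or c.breach_is_extinction_event:
        return "high"
    # Medium: attractive data or partnerships, but a smaller footprint.
    if c.sensitive_records >= ATTRACTIVE_RECORD_COUNT or c.key_partnerships > 0:
        return "medium"
    # Low: small, limited data, limited partnerships, low breach impact.
    # The talk still requires a minimum baseline for this tier.
    return "low"


def tiers_needed(customers) -> list:
    """Ratings actually present in the base, i.e. the program levels to build."""
    present = {risk_rating(c) for c in customers}
    return [r for r in ("high", "medium", "low") if r in present]


def worksheet(customers) -> str:
    """The 'blank spreadsheet' from the talk as CSV: one row per customer."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["customer", "industry", "risk_rating", "program"])
    for c in customers:
        rating = risk_rating(c)
        writer.writerow([c.name, c.industry, rating, PROGRAM_FOR_RATING[rating]])
    return out.getvalue()


# Constructed sample customer base; none of these are real companies.
SAMPLE_CUSTOMERS = [
    Customer("Harbor Credit Union", "banking", 40, 5_000, 1, False),
    Customer("Northgate Logistics", "transport", 120, 20_000, 2, False),
    Customer("Pine Street Bakery", "retail", 8, 300, 0, False),
    Customer("Summit Dental Group", "healthcare", 15, 8_000, 0, False),
    Customer("Cedar Print Shop", "printing", 12, 2_000, 0, True),
]

if __name__ == "__main__":
    print(worksheet(SAMPLE_CUSTOMERS), end="")
    print("program levels needed:", tiers_needed(SAMPLE_CUSTOMERS))
```

Running it rates the credit union and the dental group high on sector alone, the print shop high because a breach would be an extinction event regardless of its size, the logistics firm medium on data volume, and the bakery low. With all three ratings present, the base calls for three program levels; a base with no medium-risk customers would need only two, which is the talk's point about not building tiers for their own sake.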

Chapters

0:00 - Program Design Challenges
1:33 - Security vs Risk Conversations
3:05 - Risk Rating Factors
4:56 - Overcoming Customer Pushback
6:20 - Customer Risk Assessment Process
6:58 - High-Risk Business Criteria
8:27 - Medium and Low-Risk Segmentation
9:48 - Small Business Targeting Reality

Key Quotes

0:21 "... weak customer security leads to weak MSP security ..."
1:38 "... the conversation that MSPs really need to be having with their customers really shouldn't be so much on security, but more about risk ..."
2:41 "... 82% of the time, employees tend to be the cause, a lot of the reported breaches ..."
6:06 "... we can no longer absolve clients of their bad decisions ..."
9:48 "CISA's finding that small businesses are actually three times more likely to be targeted by threat actors than larger organizations ..."

Categories:
  • Data Protection
Tags:
  • Security Operations
  • Best Practices
  • Getting Started
  • Compliance & Governance
  • Technical Deep Dive
  • MSP Security Program Design
  • Risk-Based Customer Conversations
  • Customer Risk Segmentation
  • Insider Threat Mitigation
  • Security Program Tiering