Greg Jones, Business Development Director, EMEA at Datto, explains how to build a robust cyber resilience strategy that extends beyond the cyber threat landscape
Small and medium-sized enterprises (SMEs) are turning to managed service providers (MSPs) at an accelerated pace to combat the growing risk of cybercrime, while increasing their investment in a broader range of services and support.
Growing customer numbers and additional responsibilities, plus the transition to the cloud being undertaken by most SMEs, are creating additional complexity and challenges for MSPs at a time when they are also under pressure to provide exceptional customer support. In a world where brownouts and cyberattacks are increasing in frequency and sophistication, are MSPs equipped to take on this additional load?
To address these increasingly complex issues, many MSPs are building cyber resiliency plans that extend beyond the cyber threat landscape and enable them to prepare for, respond to and recover from any technology outage or issue, including brownouts.
A robust strategy needs to combine the practices of cybersecurity, business continuity and incident response, with capabilities in five functional areas: identify, protect, detect, respond, and recover. MSPs cannot purchase these capabilities but need to build them by bringing together people, processes and technology.
Having the right cyber resilience capabilities in place will better enable MSPs to protect their customers from unknown threats, minimise the impact of an attack and reduce downtime.
Since disaster events, such as IT failure, natural disaster, terrorist attack or sophisticated hack, all differ in profile, area, duration and scope, MSPs need to have a multi-tier disaster recovery strategy in place.
Consider, for example, what is involved in recovery from a natural disaster versus recovery from a cyberattack. In the case of a natural disaster, such as an earthquake, an SME’s entire data centre, including local disaster recovery systems, may be completely wiped out. For a major disaster such as this, MSPs need to have a remote, cloud-based recovery solution located some distance from production systems.
Were an SME to fall prey to a malicious action, the recovery process would depend on having a remote, cloud-based recovery solution, plus security-related actions to eliminate potential sabotage of the backup and disaster recovery infrastructure. Regardless of the type of incident, MSPs should have at least three copies of a backup – two should be in different locations and one should be immutable.
To assist MSPs in building a robust cyber resilience strategy, there are many free, vendor-neutral frameworks. A good starting point is the National Institute of Standards and Technology (NIST), which provides information to help MSPs better understand, manage and reduce cybersecurity risks and determine which activities are most important to assure critical operations and service delivery.
In addition, MSPs should engage their vendors to provide support. Many backup, recovery and business continuity vendors provide free assistance and training to help MSP partners build out a cyber resiliency plan.
Know the health of your cyber resiliency plan
Recovery needs to start in advance of an attack, with MSPs working with their SME clients to evaluate their IT and security budgets to ensure they have the funds to implement advanced security and data management capabilities.
While having a business continuity and disaster recovery solution in place is effective in preventing loss of data following an event and in enabling rapid retrieval of data to avoid costly downtime, the people component of the strategy is critical.
The biggest risk to any SME is always people, and education plays a pivotal role in de-risking that vulnerability. As employees are on the frontline of defence, MSP best practice should include providing SME customers with frequent training and education. This will help to ensure employees have a better understanding of the company’s policies and processes for managing and handling data.
In addition, SMEs should consider implementing security awareness training; internal phishing campaigns to evaluate potentially risky employees; an endpoint detection and response solution; and proper network segmentation.
A true test of an SME’s cyber resiliency health is to test it before it is needed. To get a clear picture of whether the plan will be successful in the event of an incident, MSPs should perform an exercise similar to the following:
- Without advance warning, the MSP calls for an emergency meeting that will take place within the next 30 to 60 minutes;
- Attendees should have no advance knowledge of the reason for the meeting;
- At the start of the meeting, the MSP announces that the company has been hit by a significant cyberattack and that all systems are offline;
- This is followed by the question ‘What do we do next?’;
- For the next 30 to 60 minutes, the MSP discusses and documents suggested next steps.
The information provided by attendees will inform the MSP what areas need additional work and highlight any gaps in the cyber resilience plan. It’s important for MSPs and their clients to remember that while having a cyber resilience plan is essential, it will only be effective if everybody understands it.