Q: We recently signed a new small business customer that doesn’t have a security policy in place. We want to make sure the customer understands why a security policy is so crucial and how we can help keep their business protected. What are the best practices for developing a security policy for an SMB?
Security is a hot topic for managed service providers. Nearly all of our most successful partners have developed formal, documented IT security policies to govern operations both in their offices and in the field. Equally important, they conduct reviews of these policies every few years, and revise them as necessary to adjust to changes in their environments and business practices. Naturally, their customers appreciate their expertise and ability to devise security policies to meet these businesses’ own particular needs.
Security is top of mind for managed service providers like yourself, but it’s also a primary concern for small businesses. They’re reading the news, they’re hearing about the latest malware threats, and they want to protect their business. But some small businesses don’t realize their IT service provider can also be their security provider. So it’s good that you’re looking to leverage the value-add in offering these types of services to your customer.
Educate your customers
Start by talking to your customer about why implementing a security policy is business-critical. Educating your customers could protect their business from a cyber-attack. In fact, your small business customers can sometimes be their own worst enemies, since user error is often to blame for inviting cybercriminals into the system and causing a data breach.
So teach them how to avoid this situation and protect their systems. Andrew Bagrin, CEO of My Digital Shield, suggests that one way MSPs can do this is by sharing “did you know” facts with their customers. For example, did you know that 81 percent of all data breaches happen to SMBs?
Develop a security policy
After you’ve taken the time to educate your customers, you can start to assess current security risks and implement necessary security policies. When we got this question, we knew our VP of Product Management, Chris Crellin, would know the best practices for developing a security policy with your customer. Here’s his advice:
1. Identify roles and responsibilities
First and foremost, find out who currently has access to critical data, infrastructure, and applications. Note your findings and then assess whether or not each person needs the access they’ve been granted. To do this, you need to interview key stakeholders management to fully understand employee’s role relative to this data.
Once you have a better idea of individuals’ roles in the organization, you can begin to limit or reinstate permission to access sensitive information and assets. For example, system administrators should have access to things that contractors should not. Part of your mission is to ensure that there will be no uncertainty about who has access to what.
2. Define data retention parameters
You’ll also need to help the SMB implement a document retention policy. These types of policies are especially important in certain regulated industries that require specific retention parameters. Defining a data retention policy is business-critical because there’s an increased risk of data being stolen or compromised when it’s kept beyond those defined dates.
3. Verify robust encryption technology is being utilized
Setting standards for encoding your customer’s information is another important part of a security policy. You can implement encryption policies like military grade 256-AES (Advanced Encryption Standard) encryption technology to secure customers’ data stored in the cloud and use SSL (Secure Sockets Layer) encryption technology for their data in transit. To make your security policy even stronger, look for a data protection solution that uses private key encryption (PKE) technology.
4. Adhere to compliance regulations
When developing a security policy for your customer, be sure to adhere to their industry’s compliance regulations. Certain industries are more regulated than others, but you should always inform your customers of any pertinent regulations and make sure their security policies addresses all issues to help them stay compliant. HIPAA, for example, requires all covered entities to encrypt all their storage technologies for data at rest. As their IT service provider, you’ll need to determine what they’re liable for and make sure they comply with all requirements.
By applying these four security measures, you’ll contribute significantly to preventing attacks and protecting your customers’ businesses.
Remember: the most important part of developing a security policy is to openly communicate with your customers. According to a recent survey, 29 percent of MSPs only discuss cyber security with customers when a breach or failure occurs. Clearly, this is something that needs to change, and it starts with you. While it sounds like you’re on the right track with this customer, start talking about it with your other customers, too. In the end, it presents a great opportunity for you to reconnect with those customers and upsell your services.
Ask an MSP Expert is a weekly advice column answering common questions from MSPs and IT service providers. It covers topics ranging from pricing and selling to marketing and communications—and everything in between.