Threat mitigation is to managed service providers (MSPs) what preventative medicine is to doctors. In other words, threat mitigation is the first, and often the least expensive, line of defense against cybercriminals. Of course, some of the basic steps include firewalls and patches. For instance, 60 percent of data breaches involve vulnerabilities for which a patch was available but not applied. So, applying patches and installing firewalls are key steps, but MSPs need to go beyond that.

NSA and IBM offer guidance

The National Security Agency (NSA) has published a guide with many actionable steps including:

  • Enforce signed software execution policies. Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware.
  • Actively manage systems and configurations. Take inventory of network devices and software. Remove unwanted, unneeded, or unexpected hardware and software from the network.
  • Segregate networks using application-aware defenses. Segregate critical networks and services. Deploy application-aware network defenses to block improperly formed traffic and restrict content, according to policy and legal authorizations.

The entire list of NSA recommendations can be read here.

Sometimes, the challenge can be to identify what kind of risk you are trying to mitigate. IBM breaks it down into three common risk pools:

  • Compliance risk: When an organization violates rules both internal and external, putting its reputation or finances at risk.
  • Legal risk: This is a compliance risk that involves the organization breaking government rules, resulting in a risk of financial and reputational loss.
  • Operational risk: This is when there is a risk of loss from the organization’s regular daily business due to failed or flawed processes.

Often, however, threat mitigation goes beyond simply a list of boxes to check and is instead more individualized.

One size does not fit all

Experts say the right threat mitigation approach depends on various factors and should not rely on one-size-fits-all solutions; it needs to be tailored to the client.

Paul DeMott, Chief Technology Officer at Helium SEO, tells SmarterMSP.com that a comprehensive, layered approach to staying ahead of constantly evolving cyber threats is needed. And understanding the unique risks to an organization is critical. He advises that MSPs should, “Start by conducting a risk assessment that identifies critical assets, vulnerabilities, and potential impact areas. This way, the plan you’re putting together is tailored to the specific landscape you’re working in.”

After you’ve customized your plan, go from there.

“Prioritize threat intelligence and continuous monitoring. Knowing what’s happening in real-time allows for faster response, especially if automated detection systems are in place,” DeMott explains. He goes on to emphasize that incident response readiness, meaning not just having a documented plan but actually testing it with regular drills, is crucial. “Practicing ensures the response process isn’t just theoretical and that key stakeholders know their roles.”

DeMott shares that another major component is ongoing employee education. “This can’t be a one-off,” he says. “Threats are constantly evolving, and so should your training efforts to ensure that everyone, from frontline staff to leadership, knows the latest phishing tactics, social engineering schemes, and ransomware developments. We have seen that keeping security culture top-of-mind not only strengthens defenses but also builds a proactive team approach to risk mitigation.”

He adds that a robust threat mitigation plan combines tailored risk assessment, proactive monitoring, practiced response, and continuous training to stay resilient in an unpredictable landscape.

From risk mitigation to impact mitigation

Alistair Hinchliffe, a cybersecurity and SEO expert, says that “impact mitigation” is equally important. “Having an action plan in place that outlines the process to follow if your company is the victim of a data breach is something not a lot of businesses do,” he says. “Also, compiling a list of the types of personal data your company collects on hand before a breach is going to dramatically reduce the stress of dealing with a breach.”

Hinchliffe adds that this is true regardless of the size of the business. If the MSP’s client stores susceptible personal data, the calculation also changes. “All businesses that store susceptible personal data on their website should have a scheduled backup process for their contact form inbox where they migrate the information to a more secure archive away from their website. They should then clear this information from their website,” he says.

Furthermore, Hinchliffe notes that even smaller companies have valuable personal information. “Think about the types of information a law firm might have stored in their contact form inbox within their website backend,” he says.
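
The scheduled contact-form migration described above, sketched as an added example that is not from the article or from anyone quoted in it. It assumes a hypothetical SQLite table `submissions` holding the website's contact form inbox and an archive directory outside the web root; encryption and off-host storage of the archive are left to that location. Rows are purged only after the archive copy has been re-read and its hash verified.

```python
import hashlib, json, os, sqlite3, tempfile

def archive_and_purge(db_path, archive_dir, cutoff):
    """Archive submissions received before `cutoff`, verify, then purge them."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT id, received, name, email, message FROM submissions "
            "WHERE received < ? ORDER BY id", (cutoff,)).fetchall()
        if not rows:
            return 0, None
        payload = "".join(json.dumps(r) + "\n" for r in rows).encode()
        digest = hashlib.sha256(payload).hexdigest()
        os.makedirs(archive_dir, mode=0o700, exist_ok=True)
        path = os.path.join(archive_dir, f"contact-{cutoff}-{digest[:12]}.jsonl")
        # O_EXCL refuses to overwrite an earlier archive; 0o600 is owner-only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
        # Re-read the archive and compare hashes before purging anything.
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != digest:
                raise RuntimeError("archive verification failed; nothing purged")
        with con:  # one transaction: every archived row is deleted, or none
            con.executemany("DELETE FROM submissions WHERE id = ?",
                            [(r[0],) for r in rows])
        return len(rows), path
    finally:
        con.close()

def demo():
    # Constructed sample data: two old submissions and one recent one.
    work = tempfile.mkdtemp()
    db = os.path.join(work, "site.db")
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE submissions (id INTEGER PRIMARY KEY, "
                "received TEXT, name TEXT, email TEXT, message TEXT)")
    con.executemany(
        "INSERT INTO submissions (received, name, email, message) VALUES (?,?,?,?)",
        [("2024-04-02T09:15:00", "A. Example", "a@example.test", "Custody question"),
         ("2024-05-20T14:03:00", "B. Example", "b@example.test", "Contract review"),
         ("2024-06-11T08:40:00", "C. Example", "c@example.test", "New enquiry")])
    con.commit()
    moved, path = archive_and_purge(db, os.path.join(work, "archive"), "2024-06-01")
    left = con.execute("SELECT COUNT(*) FROM submissions").fetchone()[0]
    con.close()
    with open(path) as f:
        archived_ids = [json.loads(line)[0] for line in f]
    return moved, left, archived_ids, os.stat(path).st_mode & 0o777
```

Run it from a scheduler such as cron with a rolling cutoff; if verification or the archive write fails, the function raises and the website database is left untouched.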

By prioritizing basic defenses like firewalls and patches and advancing to more comprehensive measures such as tailored risk assessments, continuous monitoring, and employee education, MSPs can significantly enhance their cybersecurity posture.


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
