12 Difficult Questions MSPs Must Answer

Customers ask questions, and that’s a good thing. It’s even better when you have the answer they need at the ready.

As an MSP, there are many challenging questions that customers and prospects will present to you. Today’s customers are more concerned about cybersecurity than ever.

A startling 70% of consumers will stop doing business with a company after a cyberattack, which means it’s a safe bet that some of those questions will be related to security. MSPs need to provide answers that boost consumer confidence, particularly in this area.

Let’s look at a dozen tough questions that dig deep at the underlying cybersecurity skillset of your organization.

Being prepared with answers to these questions directly impacts how your organization presents itself and might make the difference in closing the deal.

Spoiler: Number 10 is ESSENTIAL. Not having an answer to this question may put you out of business.

Question 1: Do you have trained, certified subject matter experts in cybersecurity?

This question speaks to the core competency of your MSP organization concerning cybersecurity.

Many MSPs have expertise in areas of technical support and administration but are woefully unskilled in cybersecurity. With how critical cybersecurity is in general IT operations, this is a dangerous oversight.

This also plays a role in whether your business can achieve security accreditation from an organization like CompTIA, such as its Security Trustmark+ rating.

Question 2: Are you using best-of-breed tools to monitor their systems and yours?

The quality of your toolset speaks loudly about the quality of your service.

To a customer, if you are using substandard or low-quality tools for monitoring, you are likely not observing everything. This can lead to outages and downtime that you could have avoided. 

Question 3: Do you reasonably limit access of their personnel to only those tasks you are required to complete?

This question directly targets whether your organization understands and implements the principle of least privilege. This is highly important for any organization that deals with sensitive data.

With the advent of the General Data Protection Regulation (GDPR), sensitive data is no longer limited to healthcare or financial data but includes personal information.

Question 4: Do you continuously monitor and patch their tools to the latest versions so hackers cannot exploit security holes?

Automated patch management processes are part of “Systems Administration 101,” and whether you have formalized processes or automation in place tells a customer about your MSP’s maturity level.

Question 5: Do you implement Multi-Factor Authentication across their entire network?

The utilization of MFA is no longer just a recommendation. According to Microsoft, it is a critical piece of security infrastructure as it can prevent 99.9% of account attacks.

Customers interested in protecting their data understand this and know that you will provide this for them. 

Question 6: Does their internal security provide multiple layers to thwart hackers who may have made it through one layer?

The layered approach to security is considered a foundational piece of cybersecurity. It is assumed that attackers will break a control at some point, so having multiple layers is crucial.

Whether your company understands this and delivers on it conveys a strong message to customers about your ability to secure their data. 

Question 7: Do you create enough isolation of their systems so a compromised system cannot affect others?

Much like the previous questions, answering this requires showing that you understand it and have delivered on it in the past for other customers. It is also intended to gauge your security maturity as an MSP. 

Question 8: Do you have a formal process in place should an incident occur?

It is straightforward as an MSP to simply answer yes and move forward, but this is an opportunity to show your capabilities.

Have a prepared explanation of what steps are in your process, what types of incidents you address, and which data or systems are included. This can help customers feel confident that their data will be protected and recoverable.

Question 9: Do you have a security training program for your personnel?

Much like the certification question above, this question is meant to determine how ingrained security is in your MSP culture.

It can convey that you take the time to improve the security skills of your technicians so that their skillset is current.

Question 10: Do you work for clients that require compliance under HIPAA, NIST/CMMC, SOX, GDPR, and PCI?

This is a question that is not to be answered without thoroughly examining your MSP capabilities. Even basic customer endpoints are likely to contain sensitive data and have to adhere to compliance mandates.

Saying yes to this means that your MSP has technicians with security skills and, as an organization, can deliver on data security measures for the customer.  

Question 11: Do you have an accredited third party test their security from outside and inside attacks?

Even though many customers will not require this, having an established relationship with a third-party tester that you have worked with before is essential, especially for showing Payment Card Industry Data Security Standard (PCI DSS) compliance.

It shows the customer that you have the experience to liaise with a penetration testing team throughout the engagement if needed.

Question 12: Do you have a complete set of security policies that your organization follows consistently?

This question again looks at the maturity of your organization and its ability to deliver on the customer’s day-to-day security needs.

Answering yes to this can assure the customer that your company has taken the time to consider the security implementation related to your business practices and delivers in a repeatable manner rather than one-offs.

Being Prepared

By thinking about these questions in advance, you may have discovered some details about your service that you had not considered before.

Taking the time to consider whether your MSP can deliver on these questions allows you to make improvements before a customer asks you a difficult question.

Even if the answer is that you cannot provide what is asked, being prepared for it will enable you to shine rather than stumble in your response.

Why a Cybersecurity Policy is a Must-Have for your MSP in 2022

Does your MSP have a consistent way in which it implements and manages cybersecurity? If not, you are opening yourself and your customers up to a lot more liability than you realize.

Failing to have good practices in place opens your business to risk and liability that can directly affect your bottom line. Security breaches cost an average of $3.83 million to resolve.

Any breach involving your customers that they can link to your security practices spells out major liability concerns for your MSP.  

In this article, we explore why an MSP cybersecurity policy is a must-have in 2022 and how it reduces risk and improves operations.  

Why Cybersecurity Policy Matters to MSPs

Policies are simply a set of rules that outline how an organization manages its operations. These rules are important as they create a baseline for the overall operation.

This is even more important for MSPs, as the security policies they create apply to the security of both the MSP’s data and the customer’s data.

Having these policies in place expresses that your MSP is doing due diligence in protecting customers’ information, which is essential for reducing potential liability. 

Risk of Lax Policy

Failure to implement strong security policies can cost MSPs. In a recent lawsuit, an MSP was sued by a customer that had fallen prey to a phishing scam.

The attack cost the customer $1.7 million in damages, and the business sued the MSP because the MSP’s security policies were too relaxed, which led to the breach.

By creating and following strong security policies, MSPs do not leave any room for customers to place the blame on them for security failures.

This is important for MSPs to consider, as any customer data they fail to protect might be covered under compliance regulations such as Sarbanes-Oxley (SOX), the General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA).

These regulations all have strong penalties for failure to comply. Recent studies have shown that the cost of non-compliance can run over $14 million, which is a significant liability that MSPs will want to avoid. 

Benefits of Cybersecurity Policy

Cybersecurity policies prevent one-off solutions for organizational security. Rather than reinventing the wheel every time your organization must address a security need, security policies outline the baseline rules that you must follow to meet it.

It creates an overriding vision of security that drives consistency and improves security across your MSP and customer base.  

A good cybersecurity policy that is strictly adhered to can also reduce potential liability for your organization. It is not enough to have a good security policy in place; it also needs to be adhered to consistently.

This makes it harder for customers to argue that any security failures are the fault of your MSP rather than failings on their part. 

Developing Good Policies

Developing good policies is a combination of art and science. Some prescriptive items should be in all policies, and other factors about how things are stated require a bit of thought for their development.

An example of this is that policies should be developed with high-level guidance about controls and processes so that they are evergreen.

Rather than listing specific technologies to manage a control, such as “Actifile for encryption,” they should instead state that all sensitive data is to be encrypted to FIPS 140-2 standards.

This way, the baseline of what needs to be done is understood, yet if the technology changes, it does not force a rushed update of policies.

What Should be Included?

Fortunately, the prescriptive items are more of a check box for policy development. For example, all policies need an objective statement and a listing of strategies to meet the objective.

When developing new policies, it’s easy to include sections for this information before defining the steps, so it is never missed.

Other template details are that policies need to be formally accepted by business leadership. This is usually done by including a signature portion at the bottom for key stakeholders such as the COO or Director of Information Security.

This signature is to denote that they had a say in the development of the policy. 

Templates For Rapid Implementation

Regarding templates, even MSPs that have never developed security policies have resources to get them started.

There are several existing security templates available online that are sufficient to get you started. SANS offers examples of these standardized cybersecurity policy templates.

Templates are divided up by security domain, and they range from generic acceptable use policies to more targeted removable media policies.

These templates have been used widely throughout the industry and will form a solid baseline for your MSP business and its customers. 

A Partner Who Can Help

We-Bridge has the experience to help your organization with solutions that can help grow your organization and secure your clients. Schedule a demo today to learn how We-Bridge can help your organization evolve its security posture.

Top 5 Revenue Streams for MSPs to Explore in 2022

With ransomware on the rise and cyber attacks happening every 39 seconds, Managed Service Providers (MSPs) face a golden opportunity. With the addition of a few key services, MSPs can increase their revenue and improve their clients’ security – it’s a win/win.

Existing MSP customers are woefully under-equipped to handle a full-scale cyber attack. With bad actors installing malware, stealing data, and leaving environments crippled in their wake, customers need protection capabilities that only MSPs can provide. 

Kaseya has found that 90% of high-growth MSPs have added four to five new service offerings to their catalog in the last two years. These services directly target customers’ security gaps – providing anti-virus (AV), patch management, disaster recovery, and data protection.

In this article, we explore how MSPs can increase their revenue by selling software solutions to meet their customers’ unmet needs and installing and running these solutions for them.

Top 5 Revenue Streams for MSPs

Endpoint Management

Endpoint management expands the core services of many MSPs by adding a layer of service for the customer. Endpoint management is a value-added service that brings together anti-virus, patch management, and configuration management.

Often, MSP customers either do not have endpoint management solutions or the ones they do have require additional setup and configuration beyond the customers’ capabilities.

MSPs get an additional revenue stream by selling, installing, and managing these software solutions. At the same time, they are helping to make the customer environment more secure, which decreases support needs.

Many of these solutions come with a convenient dashboard that lets MSPs sell to multiple customers and monitor them all through one cohesive view. This allows tracking of patch status and inventory, as well as delivering remote support.

Example products include:

  • Exosphere is a unified threat management solution for small businesses to protect themselves against viruses and malware. Unlike legacy anti-virus systems, this modern software uses multiple techniques to defend against advanced forms of malware. 
  • ManageEngine is a comprehensive endpoint management solution for MSPs to help efficiently manage customer endpoints from a centralized location. It incorporates patch management, asset management, and remote control into one easy-to-use interface. Leverage predefined configurations and scripts to better baseline and manage all varieties of customer environments.

Backup and Disaster Recovery Services 

When disaster or ransomware strikes, customers need to get back their data quickly and efficiently. But without solid infrastructure, they could be left high and dry.

Many customers either have no disaster recovery (DR) in place or have legacy DR that is insufficient to meet the needs of backing up and recovering all of their essential data quickly and efficiently.

MSPs can offer disaster recovery as a service (DRaaS) to their clients to help them bridge this gap. As a DRaaS provider, MSPs deliver their process and implementation expertise along with a software solution to the customer.

This added service helps elevate an MSP from simply a service provider to a trusted advisor, opening the door for customers requesting future services.

Example products include: 

  • Exosphere is a multi-purpose solution for your customers. It goes beyond AV by offering the ability to back up and restore customer endpoint files, enabling rapid and efficient recovery as a last line of defense against corruption by malware or ransomware.

User Access Review Solutions

Protecting customer data requires taking a data-centric approach to security. To do this, a customer has to ensure that the right people have the proper access.

This includes making sure that they adhere to the principle of least privilege and only have access to the data they need to complete their jobs.

Doing this requires conducting organized access reviews, identifying existing users’ access, and validating whether that is still necessary through the data owner. 

There are multiple solutions that MSPs can provide to help customers assess their user access and meet their compliance needs. Products such as Saviynt, SailPoint, SecurEnds, and Clear Skye offer in-depth identity governance and administration capabilities that extend from on-premises to the cloud.

Data Protection

Not to be confused with backup and DR (though there is some overlap), data protection ensures that organizations know where their data is being used. Part of this is covered by data loss prevention and part by data leak prevention.

One helps in cases of ransomware and accidental (or malicious) deletion, and the other ensures that sensitive data does not leave the organization. 

Example products include:

  • Actifile helps organizations find and protect their most sensitive data. It automates data risk assessments, monitors sensitive data, and applies direct protection and encryption against internal and external threats.
  • Stealthbits protects not only an organization’s sensitive data but also the credentials that supply access to it. Stealthbits discovers where data lives and then classifies, monitors, and secures it. It integrates governance into the process, so security, compliance, and operations work as one.

Compliance & Assessment Services

MSPs can help their clients achieve and maintain regulatory compliance. Many clients cannot attain this independently, and MSPs can provide solutions that help them meet these goals.

Each solution listed brings capabilities required for different compliance frameworks such as vulnerability assessment, Zero Trust, and AV/DR functionality. 

Some products to help achieve compliance:

  • beSECURE is a vulnerability assessment and management tool for networks, hosts, and web apps. It helps organizations cover major compliance mandates such as PCI-DSS, HIPAA, ISO-2700x, and more.
  • Ananda connects users, devices, and cloud services using a secure Zero-Trust model. Zero Trust offers in-depth monitoring, access control, and implementation of true least privilege. Each of these can help meet compliance mandates such as HIPAA, SoX, and PCI.

One-Stop Shop for MSP Software

Increasing revenue as an MSP requires going beyond your existing services and providing additional solutions to meet your customer’s needs.

By selling and implementing software solutions that cover customer gaps, you increase revenue and improve the customer experience. 

We-Bridge partners with only the best companies to serve you a complete and curated platform of cyber security solutions. Our offerings are trusted solutions with scalable resale models to help meet your customer’s needs no matter their size. Contact us today for a short demo.

Stop using VPN! Why Zero Trust Is A Better Solution

Though Virtual Private Networking (VPN) has been used for many years by businesses to keep proprietary information and sensitive communications secure, it is used more in 2021 than ever before in the new age of remote work.

VPNs were once the de facto standard solution for allowing end-users to access internal network resources securely from remote locations, but they can no longer keep up with modern security needs. Gartner predicts that by 2023, 60% of enterprises will phase out VPNs in favor of Zero Trust Network Access. Driving this change is the rise of internal threats and the fact that 37% of all breaches are credential theft.

Organizations need to take control of what resources are accessible via remote access. An essential part of doing this is to narrow the scope of access to least privilege. Applying least privilege is a double win because it reduces the attack surface and meets compliance mandates like HIPAA, PCI, and SOX. Then even if attackers do happen to get in, the overall

In this article, we take a look at the weaknesses of a VPN and why companies should switch to a Zero Trust model of security.

The Problem With VPN

With an increasingly global market and widespread remote work still being the norm, more traffic than ever is going over VPN. This added traffic makes it harder to detect malicious actions of bad actors. Attackers use credential stuffing and stolen credentials to access internal networks because the controls are often weaker once they’ve gotten inside the secure perimeter. 

A VPN provides only basic protection for an organization. It allows access from a remote location while masking a user’s IP address by tunneling traffic through a third-party data center. This creates multiple points of failure:

Failure #1: VPN Data Center

When you connect to a VPN, all of your data goes through a third-party data center. VPN providers claim they do not keep user logs or data; however, there are few to no laws or regulations in place to protect your data.

Failure #2: One key to access everything

Once you log into a VPN, you can access everything. It assumes everything inside the network is secure and everyone accessing it should have the same level of access as if they were physically in an office building. If a hacker gains credentials to the network, there’s no additional protection for your data once they are inside the network. 

Failure #3: Assuming hackers aren’t inside your organization

We’d like to assume our employees aren’t out to harm us – but it’s not safe to assume. When using a VPN, there is no way to limit access. Your data may be at risk even inside your organization, and your network should be completely secure and monitored.

What is Zero Trust?

A Zero Trust Network does exactly what its name suggests – never trust. Instead of one authentication method to access everything, zero trust offers multiple authentication requirements for every operating system no matter where the request comes from. 

Let’s look at the problems with VPN listed above, and how a Zero Trust Network solves those problems. 

Failure #1: VPN Data Center – no data center used here. All data is authenticated, authorized and encrypted without the use of a third-party data center.

Failure #2: One key to access everything – even if a hacker gains access to a network they will not have access to other data without further authorization. Everything is also constantly monitored for potential breaches. 

Failure #3: Assuming hackers aren’t inside your organization – users can be assigned different levels of access. A CFO and an account executive don’t need the same level of access to your organization’s data. 

Ananda Networks – The Best Zero Trust Network 

There are many Zero Trust Network providers – the majority of which will come with additional hardware, hidden fees, no integration capabilities and complex deployment processes. That’s where Ananda Networks is different.

Unlike other solutions, Ananda is 100% software based. There’s no additional hardware you need to purchase, and no complicated setup. This keeps your overhead low and lets you transition from your VPN in just 15 minutes. 

Integration with your SaaS applications and identity provider is easier than ever using SAML and cloud connectors to set up a direct connection. This makes it even easier to deploy a zero trust network. 

Ananda also uses machine learning to bypass cloud protocols and offer bandwidth optimization by continuously searching for the fastest connection route. No bandwidth or protocol limitations means up to 25x faster than what you’re experiencing with a VPN.

Top 10 Cyber Security Software Solutions for MSPs in 2022

Managed services providers (MSPs) that deal with sensitive data on behalf of their customers face many challenges. To stay competitive, they must stay up to date with emerging technologies and offer only the best cybersecurity software for their clients. 

In 2022, MSPs need to offer solutions for a multitude of complex security problems – including risk assessment and management, network security, ticket and asset management, and more. 

We’ve created a list of the top 10 cybersecurity products that MSPs can offer their customers. To make the list, the software must meet the following strict criteria: 

  • Software only – When added hardware is involved it makes the solution complicated and expensive to set up. 
  • Extremely secure – The product must be the most secure offering compared to its competitors. 
  • Affordable – Products on this list must be low-cost compared to other solutions.
  • Reliable – Both the product and the company must be reliable so your customers can stick with it long term. 

2022 is sure to bring a number of challenges for your MSP—here are some of the best tools on the market today that will make your MSP business stand out from the competition.

beSECURE

beSECURE is a vulnerability assessment and management tool for networks, hosts, and web apps. It runs continuous or periodic scans, automated attacks, and compliance scans. 

This tool is safe to run in production environments. It helps organizations cover major compliance mandates such as PCI-DSS, HIPAA, ISO-2700x, and more. It’s fast to deploy and can be used on internal and external resources.

beSECURE is an excellent tool for helping take a proactive approach to secure your customer’s digital environment. Identifying and closing security gaps makes your client a more challenging target for attackers – decreasing the risk of an attack and minimizing the time your organization will need for remediation and clean-up after a cyber attack.

NinjaRMM

NinjaRMM is an IT Service Management (ITSM) tool that helps MSPs manage their customer infrastructure. Get up-to-the-minute statuses on customer endpoints to quickly see what needs attention. 

Growing your MSP requires efficiency, speed and automation wherever possible. Tools such as NinjaRMM enable your organization to streamline most tasks, freeing up time for your staff to handle more critical jobs.

Actifile

Actifile helps organizations find and protect their most sensitive data. It automates data risk assessments, monitors sensitive data, and applies direct protection against internal and external threats.

Actifile is about more than simply encrypting data to protect against threats. By identifying where sensitive data lies, you can take additional measures to protect it. Doing this also helps you help your customer meet compliance requirements such as HIPAA, SoX, and PCI.

ConnectWise Command

ConnectWise Command helps MSPs efficiently scale. It uses intelligent monitoring and alerting to consolidate events into single tickets. It also streamlines patch management and deployment with automation. 

Your staff has more important things to do than sit in front of a management console waiting for tickets to appear. ConnectWise Command’s automated alert system allows them to go about their day-to-day tasks while still being aware of problems as soon as they happen. 

Exosphere

Exosphere is a unified threat management solution for small businesses to protect themselves against viruses and malware. Unlike legacy anti-virus systems, this modern software uses multiple techniques to defend against advanced forms of malware. 

Ransomware is on the rise and getting more complex. MSPs today must be able to protect their clients beyond basic attacks. Exosphere can catch existing malware and new varieties as they are created. This gives you an edge on bad actors and helps protect against tomorrow’s attacks today. 

LogicMonitor

LogicMonitor monitors everything in your IT stack, in one platform, automatically correlating data to provide answers on how to model, avoid issues and optimize your IT environment.

More and more customers are leveraging the cloud every day. Not every solution can handle this dynamic environment where nodes are continually created and destroyed when scaling. LogicMonitor gives you the ability to watch the cloud without constantly reconfiguring to track changes. 

Ananda

VPNs are an outdated solution for allowing remote access to digital environments. Zero Trust Networks are the modern and most secure way to solve this problem. Ananda connects users, devices, and cloud services using a secure zero-trust model. 

Ananda enables businesses to create their own private, high-performance, low-latency network that allows them to connect their distributed workforce with unparalleled speed, security, and simplicity.

Ananda also uses machine learning to bypass cloud protocols and offer bandwidth optimization by continuously searching for the fastest connection route. No bandwidth or protocol limitations means up to 25x faster than what you’re experiencing with a VPN.

Confluence

Confluence helps your workforce connect and share information no matter where they may be located. Confluence is a centralized information repository to create a single source of truth for your organization. Document solutions and projects with easy templates and share securely with group-based permissions. 

With proper documentation, MSPs can avoid having to solve the same problems twice. Using groups and role-based permissions lets you provide customers with self-help documentation targeted toward their organization while keeping internal notes and data private.  

DeltaForce

DeltaForce provides deep insight into applications to solve a wide range of issues. Automatic code documentation, pinpointing changes in application or source code, mapping dependencies, and inspecting code quality all lead to a drastic improvement in productivity. 

DeltaForce has documented productivity improvements of as much as 75% with customers who have integrated it. 

ITGlue

ITGlue helps your organization control the information sprawl of documentation. It maps relationships in documentation to make it easier to find information related to what is being accessed. 

It also integrates an easy-to-use password management tool to simplify access for teams without having to store shared passwords in easy-to-steal documents. This increases security tenfold.

Choosing MSP-built solutions

When evaluating products to offer as an MSP, don’t discount the importance of choosing solutions designed with MSPs in mind. Unlike standard businesses, MSPs need to manage multiple customers simultaneously. Cyber security software must have this ability built in for it to be useful.

We-Bridge partners with only the best companies to serve you a complete and curated platform of cyber security solutions. Our offerings are crafted specifically for the needs of MSPs and their clients. Contact us today for a short demo.