Security Services: how educating customers develops trust
MSSPs should seek to educate rather than scare their customers about cyber attacks. Take your customers on a security journey by educating them on the threats facing their unique kind of business rather than presenting them with irrelevant facts and figures.
As a managed security services provider (MSSP), your operations centre is continually monitoring all sorts of threats and issues and building rules to detect thousands of attack patterns that could be targeting any your customers. It’s important, therefore, you don’t perpetuate the sensationalism that overwhelms them since this can be dangerous as it serves only to instil fear and nihilism.
Data breach media announcement
It’s a fact that in the next calendar year, a number of businesses will not be hacked. Your MSSP business could go the entire year without a single security incident, especially if you have a small number of clients. Of course, the media will be shouting about the biggest incidents, such as those large Anthem or Sony-sized breaches affecting millions of customers and costing millions of dollars. Whilst this coverage is helpful context for small businesses it is not always directly relevant.
Educating your customers on what the real threat environment is for them and showing them the value of a trusted security advisor will serve to build a strong working relationship.
The Real Cost of a Breach
Attention grabbing headlines and news reports, such as an article from Forbes in 2018, makes the mission of MSSPs much harder, since these headlines serve to sensationalise and exaggerate the true cost cyberattacks. One Forbes article says, “Globally, the impact of a data breach on an organization averages $3.86 million.” The issue for most MSSPs is that these figures are meaningless when calculating the potential cost of a data breach to their business. Yet businesses are scared when they see these headlines as even small companies feel their exposure is an existentially large amount of money.
Averages like these are always skewed towards the high end since mega-breaches cost so much to rectify. For most businesses, however, such as a medium sized manufacturing company or high-street travel agency, they may have an annual revenue $5 million and a small number of customers. They would likely store that customer data, such email addresses, invoices and contact details, as hardcopies in a cabinet, with electronic copies potential stored in a cloud service used for invoice and account management – something like SalesForce perhaps. A breach certainly wouldn’t cost them anywhere near $3.86 million in terms of notifying customers, providing compensation, as well as incident response and systems recovery.
In fact, if the company notified the privacy commissioner (where required) and already had some reasonable security controls installed on their systems, the cost of this breach might be in the lower thousands. This is the reality that you should be explaining to organisations, while pitching the value of your services as a trusted advisor.
Building Trust in the Security Industry
Rather than distracting your prospects with news of mega breaches they can’t relate to, show them exactly what security controls they should focus on and why. By detecting and responding to the threats in their environment, whether they are insider or external threats, will reduce risk.
Making the decision to reduce risk
If you are a service provider already offering managed ICT to organisations it is likely you already support Internet firewalls, antivirus software and computer operating systems. You may also offer additional security services such as taking regular backups (and ensuring they are recoverable), managing remote access systems and ensuring users can only get to the data they are supposed to.
Since most Managed ICT service providers include all of these security controls, it’s not too much of a step to take on the core security service that turns an MSP into an MSSP. In doing so, the customer can come to you with the confidence that you are providing sound, specific and relevant advice to them and they no longer need to worry about unquantified, erroneous and irrelevant threats.
Extending Managed Services with Security
The one security control that really defines a managed security services provider above all else is protective monitoring. Using a security technology, known as a SIEM (security information and event management), you can take all the logs provided by customers firewalls, servers, authentication systems, cloud services, network appliances and applications, and make sense of them.
The next step up to providing a joined up picture of security isn’t as hard as you may think, since the SIEM does most of the heavy lifting. You can model the basic threats, such as ransomware attacks, attacks on databases and applications, and even malicious insiders stealing data in a way that doesn’t scare the customer, rather the customer begins to understand these safeguards and gets into the mindset of helping model the threats in context of their own business.
Over time, you can introduce more rigour and detailed threat modelling into the SIEM so that more complex and esoteric threats can be detected. Your customers will develop an understanding of security in a more structured way and won’t be beholden to media sensationalism, so they will see the true value of engaging with your services, while dismissing the fearmongering for what it is.
Next-generation SIEM software provides many advanced security profiling and threat detection capabilities right out of the box. For example, Behavioural Anomaly Detection (BAD) builds a profile of the network and user behaviour and notifies the SOC when something unusual occurs. You can demonstrate this to your customers once the profile has been established (baselining takes a few weeks to learn what normal looks like).
If you’d like to learn more about next generation SIEM, download the guide below.