Keeping track of today’s cybersecurity landscape isn’t something you do once a year. It should be integrated into your everyday processes. Implementing effective practices into your cybersecurity program can make it easier to stay a step ahead of threats in cybersecurity and protect your clients—while also positioning your services competitively in the marketplace.
The following are some best practices to follow to take a proactive stance against cybersecurity threats.
1. Proactive threat intelligence
In today’s digital environment, you need to be aware of how threats in cybersecurity are changing or growing to mitigate your clients’ risk. This also helps ensure that you are using all resources as efficiently as possible. Fortunately, there are ample sources for threat intelligence, including:
Government agencies and cybersecurity centers: The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) are just a few of the federal resources available.
Private threat intelligence providers: These offer services and information, such as intelligence feeds, analysis, and consulting, to organizations based on their vulnerabilities and their desired level of security. For example, the ConnectWise Cyber Research Unit is specifically dedicated to informing the MSP industry about relevant updates to the threat intelligence landscape.
Security vendor partnerships: In these agreements, different cybersecurity organizations pool their expertise and resources to boost their ability to identify and address cybersecurity threats and vulnerabilities. For example, ConnectWise’s Cyber Research Unit works with Microsoft Advanced Protection Program and MITRE Sightings to share items like sightings and TTPs to as wide an audience as possible, making the whole community stronger.
Threat intelligence provides up-to-date information that can help guide your cybersecurity strategy and tactics for early detection, risk mitigation, and faster incident response. As an example, the 2020 Summer Olympics in Tokyo was hailed as a cybersecurity success story thanks to the organizers’ proactive approach to threat intelligence. Cybersecurity teams and law enforcement concluded that foreign intelligence and large groups of threat actors posed the largest threats, and even anticipated multiple likely methods of attack. These included DDoS and brute-force attacks as well as social engineering focused on high-profile athletes and other stakeholders.
Should you build your own threat intelligence team?
It can be tempting to build your own threat intelligence team, but it may not be the most cost-effective option. Finding individuals with the expertise you need can be difficult, and the salaries they can command are high. Consider that the median pay for information security analysts in 2022 was $112,000 per year—and you’ll probably need more than just one person. Your team will also need specialized threat intelligence platforms, which may require additional hardware or other infrastructure investments. To truly build a best-in-class team that can cover clients 24/7 and provide proactive service, the cost could be in the millions. Keep in mind that this cost is only going to grow once your business scales.
As a result, it’s best to look for outsourced support along with your internal MSP team, making sure you have the added capability while still having someone to interact with the client. When considering threat intelligence providers, look for professionals with proven ability to effectively identify relevant sources and curate threats for your clients, put threats in context for efficient prioritization, and analyze threat patterns and trends. This ensures your resources are optimized and that you can take appropriate action to proactively defend your clients’ systems and data. For more information on the top cybersecurity professionals to build your team, check out our infographic, The MSP Cybersecurity Team Roster.
2. Threat monitoring and analysis
Establishing a robust threat monitoring and analysis system is essential for detecting and responding to potential attacks or breaches quickly and effectively. A comprehensive strategy against cybersecurity threats incorporates various tools and actions. These can include:
Security Information and Event Management (SIEM) tools: A SIEM platform is the foundation of a strong threat monitoring and analysis strategy. These tools collect and analyze data from various sources and points in a network, such as firewalls, servers, devices, antivirus software, and more. They can detect abnormal or suspicious activities much faster than humans can and generate alerts. SIEM tools can also be integrated with other technologies, such as vulnerability scanners.
User and Entity Behavior Analytics (UEBA): UEBA tools analyze user and entity behavior and actions to identify potential insider cybersecurity threats and compromised accounts.
Network traffic analysis tools: These look for suspicious or malicious activity in traffic flows.
Threat hunting: Specialized security analysts proactively search for threats and anomalies that automated platforms may miss.
Other technologies you can leverage include vulnerability management and assessment platforms, asset discovery and inventory tools, network scanning and mapping tools, and web application scanners. Which ones you should use depends on your clients’ specific needs, the complexity of their IT infrastructure, and the types of digital assets they have.
To ease the cost and resource burden of executing threat monitoring in-house, many MSPs outsource security operations center (SOC) services, also known as managed SOC. A SOC serves as an extension of your in-house team to provide 24/7/365 threat monitoring and response. Partnering with a SOC provider can add additional layers of expertise, help close security talent gaps, and increase client capacity to support future business growth.
Remember: an effective threat monitoring system adapts to evolving threats and changes in the landscape. Regularly evaluating and fine-tuning your strategy is essential.
3. Risk assessment/vulnerability management
Proactively identifying risks and vulnerabilities can help you reduce the risk of attacks and breaches. These are some general steps that can help you find them.
Inventory all cyber assets. This includes all services, applications, and devices, especially those that are critical to operations. An inventory list will ensure that your risk assessment is complete.
Determine the nature of the threats each client is likely to face. Use credible threat intelligence resources to research current and emerging threats based on each client’s asset inventory to ensure your information is accurate and up to date. Don’t forget about internal threats, such as the lack of a robust patching process or a lax security policy.
Analyze risks and their impact. For each asset, identify vulnerabilities and consider what could go wrong if a threat actor exploited them. For example, insufficient endpoint security on devices at a pharmaceutical company might allow a cybercriminal to infiltrate a network and gain access to proprietary data related to new medicines. You can use a risk matrix to assign each asset a risk score based on its vulnerabilities, the chances of it being targeted, and the consequences of an attack.
Prioritize risks and vulnerabilities. Assess risks based on potential impact, likelihood of exploitation, and the resources available to mitigate them. Document each one, as well as the appropriate response. Since risk levels and vulnerabilities will change, create a process to make sure documentation is regularly updated.
Create an action plan for mitigating identified risks. Steps you can take include addressing the root causes of risks, deciding which risks can be tolerated if their levels are acceptable, eliminating processes or systems that pose too much risk, or outsourcing certain activities to providers who can offer higher levels of security.
Vulnerability management solutions are an essential addition to your cybersecurity toolkit to ease this process. Not only can they help in terms of quickly identifying threats for you to act on, but by providing customer-facing reports, you can quickly communicate relevant information in a way that’s easy to understand.
4. Incident response planning
Incident response plans function as a roadmap for what to do in case of a suspected breach or cybersecurity attack. Having a documented plan will help you respond to high-pressure and time-sensitive critical security issues quickly and efficiently.
There are four main components to an incident response plan:
This involves defining the types of incidents the plan covers, the responsible teams and individuals, and their roles and responsibilities. Use your asset inventory to make sure critical patches are applied and updates are completed. Regularly back up systems and data to facilitate recovery and minimize downtime should a disaster or outage occur. Lastly, evaluate your current ability to assess threats, which can point to areas where improvement is needed.
Detection and reporting. Investigate ways an intruder might gain access to your network by tracking how and what data flows in and out of your network. Many organizations have had to adjust practices due to the popularity of remote work, which can make networks even more vulnerable. Analyze logs to understand who is accessing your network, how, and when to help identify anomalies or issues. Outline a clear process for reporting potential incidents right away and develop criteria for assessing their severity.
Containment and eradication. Document measures to prevent the attack or breach from spreading, such as isolating affected systems or network segments, or even taking entire systems or operations offline. Identify appropriate methods for addressing the root cause of an incident, such as removing malware or patching vulnerabilities. Build an incident response team and assign responsibilities for each task.
Recovery and remediation. Make sure you have clean backups and other procedures to restore or repair systems and data. For example, keeping copies of large databases offline can help with faster recovery after a ransomware attack. If threat actors have gained access to passwords, you may need to reset system accounts, so make sure you have procedures in place to manage that process. Develop a timeline for restoring normal operations by using backups or other means. Note any compliance or legal requirements you will need to address.
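The SIEM paragraph above says such tools "collect and analyze data" and "detect abnormal or suspicious activities" and generate alerts, and the detection-and-reporting step says to analyze logs for who is accessing the network, how, and when, and to develop severity criteria. The following script, an added example that is not code from ConnectWise, JD Young or any SIEM product, shows what one such detection looks like in practice: it parses authentication log lines, raises a brute-force alert when a single source address produces a burst of failed logins, escalates that alert when the same source later succeeds, and flags successful logins outside business hours. The log format, the constructed sample lines, the five-failures-in-five-minutes threshold and the 07:00–19:00 business window are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not captured from any real system).
# Assumed line format: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:02:11 FAIL user=jsmith src=203.0.113.7
2024-03-04T09:02:14 FAIL user=jsmith src=203.0.113.7
2024-03-04T09:02:17 FAIL user=admin src=203.0.113.7
2024-03-04T09:02:19 FAIL user=admin src=203.0.113.7
2024-03-04T09:02:22 FAIL user=root src=203.0.113.7
2024-03-04T09:02:25 OK user=admin src=203.0.113.7
2024-03-04T09:15:00 OK user=mlee src=198.51.100.20
2024-03-04T02:40:33 OK user=mlee src=192.0.2.55
2024-03-04T09:20:41 FAIL user=mlee src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ok": result == "OK",
                       "user": user, "src": src})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP produces >= threshold failed logins inside `window`.
    Severity is MEDIUM for the burst alone and HIGH if that source later logs in
    successfully (a failed burst followed by success is the case worth escalating).
    Threshold and window are assumed values; tune them per client."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # logs may arrive out of order
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if not e["ok"]]
        for i in range(len(fails)):
            # Expand a sliding window of failures starting at fails[i]
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                last_fail = fails[j]["ts"]
                success_after = any(e["ok"] and e["ts"] > last_fail for e in evs)
                alerts.append({
                    "type": "bruteforce", "src": src, "failures": count,
                    "severity": "HIGH" if success_after else "MEDIUM",
                    "users": sorted({e["user"] for e in fails[i:j + 1]}),
                })
                break  # one alert per source is enough for the analyst queue
    return alerts


def detect_off_hours(events, start_hour=7, end_hour=19):
    """Flag successful logins outside the assumed business window (07:00-19:00)."""
    return [{"type": "off_hours_login", "user": e["user"], "src": e["src"],
             "ts": e["ts"].isoformat(), "severity": "LOW"}
            for e in events if e["ok"] and not (start_hour <= e["ts"].hour < end_hour)]


def analyze(text):
    """Run every detection over one log text and return the combined alert list."""
    events = parse_log(text)
    return detect_bruteforce(events) + detect_off_hours(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields two alerts: a HIGH brute-force alert for 203.0.113.7 (five failures across three accounts in fourteen seconds, then a successful login as admin) and a LOW off-hours alert for mlee at 02:40. A real SIEM adds what this script leaves out, such as correlating across many log sources and enriching source addresses with threat intelligence, but the severity criteria and the "who, how, and when" questions the plan asks for are exactly what the two detection functions encode.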
In high-severity incidents that result in major disruptions, it’s common to focus on critical systems and operations first. Less severe incidents may be addressed through routine procedures or routed to lower-priority response teams. To simplify this process, options like the ConnectWise Incident Response Service provide your team with access to an outside team of cybersecurity experts ready to quickly remedy a situation. This helps your clients quickly restore operations without the overhead costs of building an internal incident response team.
Incident response planning is a critical function that many MSPs don’t fully consider in their cybersecurity strategies. It’s not enough to just install a tool or set up a team without establishing a proper process and documentation plan. Mature MSPs excel here by collecting that information and using it to inform future cybersecurity action. From a business perspective, it can also serve as a value add to your clients.
On the topic of clients, it’s a good idea to involve them in incident response planning as a method to mitigate threats in cybersecurity. This helps ensure plans are aligned with their organizational processes and roles. It can also help provide them with evidence for setting aside more of their budget to upgrade cybersecurity tools and services to minimize their risk and recover from attacks faster. You should also conduct regular incident response drills and tabletop exercises to train them for real-life situations as well as to identify any inconsistencies, issues, or gaps in your overall plan.
5. Build a security-centric culture
A 2022 study by the World Economic Forum found that human error is involved in 95% of cybersecurity issues—but a fear of severe reprisals can prevent employees from admitting to them. While you can’t completely eliminate human failure, creating a strong security-centric culture can prevent more employees from falling victim to cybercrime tactics.
Workplace culture can be defined as shared attitudes, perceptions, and beliefs. In a security-centric work culture, employees believe that security is everyone’s concern and goal. They are aware of existing and emerging cybersecurity threats and vulnerabilities and know how to recognize them. Leaders make sure that good security practices are ingrained in all aspects of the organization.
Your clients look to you for IT expertise, including cybersecurity guidance. Use this trust and credibility to shore up your clients’ security culture with initiatives such as:
- Holding regular educational and training sessions about new and evolving cybersecurity threats, and using platforms like ConnectWise Certify to help your team gain relevant certifications.
- Participating in relevant industry-wide events for professional development, like the ITNation Secure cybersecurity conference.
- Encouraging leaders to model good security habits.
- Providing clear communication on how to report threats and breaches.
- Ensuring employees feel comfortable reporting incidents, even if they caused them.
6. Adhere to an effective framework
Cybersecurity frameworks provide a systematic and organized method for managing and mitigating risks, addressing gaps and vulnerabilities, and improving an organization’s overall security posture. Frameworks provide expert guidance to help align your clients’ cybersecurity program with current and evolving standards.
Some frameworks are designed for specific industries or needs, such as payment card processing and healthcare. Some are applicable to many different types of organizations. A few of the most widely used include:
- Center for Internet Security (CIS) Control Framework. This framework provides comprehensive best practices to defend against cybersecurity threats. It includes 20 controls divided into three categories—Basic, Foundational, and Organizational— which allows you to tailor it to specific client needs.
- ISO 27001 and ISO 27002. These are international standards that outline principles and practices to help organizations implement robust security policies across the range of digital operations. ISO 27002 expands on 27001 with more specific and detailed controls.
- Service Organization Control (SOC). This is a standard for third-party auditors to evaluate organizational security. SOC2 is designed specifically for cloud service providers.
- UK Cyber Essentials. Supported by the United Kingdom’s National Cyber Security Centre, this UK-based framework offers five security controls that can help protect against the majority of common attack methods.
- Essential Eight. This Australian framework creates a general cybersecurity baseline of eight mitigation strategies for organizations to follow.
These frameworks can help you zero in on your clients’ susceptibility to cybersecurity threats and vulnerabilities and take action to protect critical systems and assets. Which one you use depends on the nature of each client’s needs, industry practices and requirements, and other factors. But note that while they can help you ensure security programs are compliant with regulations and standards, you and your team will still need to do your due diligence to ensure all requirements are met.
7. Invest in cutting-edge cybersecurity solutions
Many of the tactics and best practices for staying ahead of threats are supported by software solutions. And with the growing threat landscape, investing in cybersecurity technology is not a choice—it’s a must.
Carefully evaluate your security tech stack to ensure you have the solutions and features required to help keep client data and systems safe. Some things to look for include:
- Multi-layered threat detection, including malware scanning and behavioral analytics
- Real-time monitoring and alerts
- Advanced endpoint protection
- Integration of threat intelligence feeds and reporting
- Centralized oversight and administration for multiple clients and systems
- Scalability to grow with your business
Solutions powered by automation and responsibly used artificial intelligence can be a game-changer for your security strategy and improve your ability to catch and remedy issues quickly. AI-powered cybersecurity can adapt in real time to evolving threats and anticipate new ones, driving improvements in scale, speed, efficiency, and client satisfaction. With that said, it’s important that your AI use is tempered with an ethical use policy to ensure data privacy, accurate responses, and compliance with all relevant regulations.
At JD Young, we know building a security stack can be complex, costly, and time-consuming. This is why our comprehensive cybersecurity suite offers MSPs a host of security software and solutions, including 24/7 threat detection monitoring, incident response, and risk assessment tools. After all, keeping your clients protected is the key to operating and growing a successful cybersecurity practice.