ChannelTrends: Scary Considerations for Building a Security Practice

With Halloween almost here, what could be scarier than building a cybersecurity practice? Those who go down that road should certainly approach it with eyes wide open. Risk will undoubtedly increase. That’s what happens when you take on such a crucial responsibility for clients; they expect nothing bad will happen to their data or their networks. Those expectations should drive higher margins ̶ but they have to be able to deliver to reap the rewards.

There are many things that “go bump in the night” for small business owners. Between financial liabilities, customer issues, delivery problems and a myriad of other concerns that weigh on their mind, there is literally something weighing on their minds at all times. As some would say, that’s the nature of “the beast.” You can’t simply cast them aside. Successful entrepreneurs learn how to deal with all those responsibilities and to manage the “hairiest, scariest” of those concerns on a daily basis. If they don’t, they’ll burn out and likely fail.

Events like the recent DDoS attack on several popular U.S. websites (Larry Wash’s article, IoT Attacks Open New Cybersecurity Front offers a great synopsis) reinforce the concerns and fears of business owners. Or how about the large California hospital that was targeted with ransomware earlier this year, and had to pay a substantial fee to regain access to its files? If those major players can’t protect themselves, how can a small bank or local manufacturer expect to keep their systems safe and secure?

Those same issues hold true for IT service providers ̶ except many actually double-down on the risks and responsibilities. Not only do they have to build, manage and protect their own organization, but they have to support the business-critical operations of a number of other organizations. A simple misstep by one employee at one client site could bring both companies crashing down. That may seem overly dramatic, but it can and does happen. Especially with cybersecurity.

Those who build IT practices focused on data and network protection need to approach it with eyes wide open. Your organization’s risk will undoubtedly increase. That’s what happens when you take on such a crucial responsibility for clients; they expect nothing bad will happen to their data or their networks. Those expectations should drive higher margins ̶ but you have to deliver to reap the rewards.

What’s the first step providers should take when considering a cybersecurity specialization? Contact your business insurance agent. Minimize your company’s exposure by increasing its coverage. The dollar amount of that protection will vary between states and industries served, so lean on the expertise of more than one qualified agent (get multiple quotes) and validate it with peers who have similar practices. The key is to ensure liability coverage will protect your company for any potential damages and lawsuits if a breach were to occur with one of your clients. Insurance coverage may not be the most popular topic among IT service providers, but it’s an issue everyone needs to address ̶ and a crucial self-preservation step for those offering advanced security protection.

Adequate insurance coverage reduces some but not all of the “fear-factors” associated with running a cybersecurity practice. The most frightening issue is how reliant businesses are on those who secure and protect some of their most valued assets, including their customer data and employee information. Consider it from an end user’s perspective. Have you ever been working on a computer when malware infected it, freezing the screen or shutting down an application? Think about that moment the panic that sets in, when you know a crucial work file may be corrupted or lost.

Providers who can alleviate that agony by repairing or restoring that information are most highly valued today. But those who can minimize or stop those issues from ever happening, and can effectively remind their customers what those “pain points” feel like from time to time, will be even more cherished. It’s not about scaring clients into a sale. The vast majority of business customers will find more value in proactive discussions around cybersecurity, uncovering their true risks and devising ways to avoid costly and embarrassing breaches and other potential vulnerabilities.

How else can IT services providers minimize their clients’ security fears? They can start by downloading and reviewing the industry best practices highlighted in the CompTIA Channel Standard for Cybersecurity. Based on the National Institute of Standards and Technology’s Cybersecurity Framework, the program and accompanying workbook cover the five focus areas providers need to support: identify, detect, protect, respond and recover.

A significant number of providers have started offering network assessments and security process evaluations. Each helps them uncover existing and potential vulnerabilities in their clients’ systems, and highlight those that may present major concerns for compliance and business continuity. An effective assessment will essentially map out their required security enhancements and set priorities for the things that need more immediate attention and investments.

Based on audits and evaluations, they design individual protection plans for each client, with a variety of measures customized to meet their specific business needs. That includes backup and data recover processes, as well as reporting procedures in case the client’s data is compromised (such as a hack, ransomware attack or lost device). Emphasis on the response and recovery is crucial today, since both have become key components of industry guidelines and government regulations. While a business may not avoid being fined if an attack should occur, by showing these measures are in place and periodically tested, the severity of those damages may be reduced.     

IT security experts take that process much further. They offer non-traditional options such as CompTIA’s CyberSecure end user training program, security audits and penetration (pen) testing services. Basically, they do anything they can to protect their clients, either on their own or through partnerships with other providers. In the end, one of the biggest value-adds you can offer your customers is alleviating their fears when it comes to data security. Whether it’s Halloween, President’s Day or just a Tuesday, those who understand the risks associated with information management today will be willing to pay a higher price for high quality protection.  

Brian Sherman is Chief Content Officer at GetChanneled, a channel business development and marketing firm. He served previously as chief editor at Business Solutions magazine and senior director of industry alliances with Autotask. Contact Brian at Bsherman@getchanneled.com

Email us at blogeditor@comptia.org for inquiries related to contributed articles, link building and other web content needs.

Read More from the CompTIA Blog

Leave a Comment