With cyberattacks on the rise, consider these strategies for expanding your managed IT business.
Is it even possible for businesses to truly stay safe in cyberspace anymore? Weeks prior to Russia’s invasion of Ukraine in late February, Moscow already had begun a hybrid war before any battalions entered the country. “Ukrainian officials say that Russia stepped up a destabilization campaign involving cyberattacks, economic disruption, and new tactics,” reported the Wall Street Journal. “The new misinformation methods, such as a deluge of emailed bomb threats and texts to residents informing them that [bank] ATMs are down, can cause panic.” The British Broadcasting Corp. wrote about a group of patriotic Russian hackers that revels in causing chaos with cyberattacks on Ukraine.
With all the hype around cybercrime and exploitive hackers, security should be an easy tech service to sell to office equipment clients. There may be no better time for dealers to market cybersecurity services than right now as accounts of cybercrime and data breaches are commonplace. “They’re not ‘news’ anymore,” noted Gene Abramov, VP of security services at All Covered, the IT services division of Konica Minolta Business Solutions U.S.A.
The pervasive environment presents a golden opportunity for the dealer channel. “Everybody likes catching bad guys,” said Abramov, who also serves as CEO of cybersecurity consulting firm Depth Security, which he co-founded in 2006 and Konica Minolta acquired in August 2020. So, what is the best approach for IT sales reps when pitching cyber-safe services, and what should they avoid doing?
Dark web cyber-criminals are clever and have narrowed their sights from “big fish,” such as the FBI and U.S. Department of Homeland Security, to small local governments and even small businesses. The average total cost of a data breach soared in 2021, according to an IBM research report: rising to $4.24 million (USD) from $3.86 million. Not to sound paranoid, but “every piece of hardware and software could be vulnerable,” warns Jay Ryerse, CISSP and VP of global security sales at ConnectWise.
How many of your clients and prospects can afford a $4 million hit to their accounting books? The monetary damage caused by cyber exposure can be even worse for businesses linked to the healthcare, pharmaceutical, energy and financial sectors. Will cyber-insurance liability policies cover these losses? Is a 20% exposure rate acceptable? Are the data-backup systems in place sufficient?
Fear Motivates
Small and medium-sized businesses (SMBs) have become frequent targets precisely “because they are perceived by cyber criminals as less prepared,” Forbes reported back in 2020. In the past, average small businesses were unlikely targets for sophisticated cyberattacks. But now, dealers may want to encourage customers and prospects to ponder this statistic from a Forbes study: Despite 57% of SMBs believing they won’t be targeted by online criminals, nearly 20% experienced an attack in the past year.
“Fear, uncertainty and doubt are powerful emotions,” said self-proclaimed cybersecurity “Sherpa” Jennifer Bleam. As CEO of MSP Sales Revolution, she pointed out that leadership teams at too many SMBs are in denial. Using a wake-up-call tactic, Bleam encourages her clients to compile libraries of local, regional, and national articles as proof that cybersecurity fears are not unfounded.
In fairness to business owners, they do not know what they don’t know. Many people assume that “our IT team has it covered” without really understanding the difference between a cyber attack and, say, their network going down for an hour. “They can lose access to critical data, systems, everything,” said Ryerse, adding, “for five days, 12 days, 18 days. Just getting operations back to minimal functionality can be challenging.” Then there’s having to pay a $1 million ransom to get back the data. So, yeah, fear is real—and fear works.
All Covered’s Abramov agreed, adding that cybersecurity concerns are “way scarier today than 10 or 15 years ago. Nowadays, you can get a [computer] virus simply by clicking to a website.”
Bleam insists she’s an optimist but believes, in this case, that accentuating the negative helps drive home the point. Balance the sour doom and gloom with the proactive promise of sugar: The sweet upside is that customers will be able to sleep at night, not worrying about cyber crises. And, if a problem does rear its ugly head, they will be better able to respond with minimal adverse impact. Flowers, fairies, and unicorns aside, “there really isn’t a utopia that you can paint,” she said. “It’s best to be blunt.”
The most common threats are phishing, malware, ransomware, data breaches, and compromised passwords. However, these five are but the tip of the proverbial iceberg, warns ConnectWise’s Ryerse, who is a certified information systems security professional (CISSP) analyst. What we know about is scary enough, but what we don’t know and can’t foresee below the surface is even more frightening.
Unknown or “zero-day” software vulnerabilities are discovered by attackers before the vendor becomes aware of them, or before a corrective patch has been developed to remedy the situation. One recent example: On February 25, 2022, administrators of WatchGuard firewalls were warned to search for signs of compromise after the publication of a report of malware distributed by a threat group believed to be run by Russian army intelligence, according to IT World Canada. The report, issued by U.S. and U.K. cyber intelligence agencies, said the group known as Sandworm (also called APT28 or Voodoo Bear by some researchers) deployed Cyclops Blink malware through a botnet of exploited network devices, including small office/home office (SOHO) routers and network-attached storage (NAS) devices. Cyclops Blink is a replacement for similar malware called VPNFilter.
As the security game evolves and the rules change, how do we know what’s next on the threat list, especially when the target keeps moving?
“There are hundreds of new vulnerabilities every day,” Ryerse said. There’s just no way to keep up with it all, which is why companies need a trained, specialized partner, an expert, to help navigate the treacherous cybersecurity waters. “Security truly is a team sport,” emphasized Ryerse.
Just how severe have the threats to businesses become? “When competing vendors are sharing threat intelligence, you know it’s bad,” he noted.
All Covered’s Abramov concurred, warning, “It’s going to get worse before it gets better.” So, dealers need to do their homework and not get lazy when it comes to selecting a competent, third-party security partner. “Talk to people and check references,” he suggested.
Risky Remote Work
The average global cost of a data breach is up 10% compared to 2019 due to “drastic operational shifts,” according to IBM. The culprit is the shift towards remote work caused by the COVID-19 pandemic, especially during government-imposed lockdowns, along with the cybersecurity risks associated with this work model. It should come as no surprise that nearly three-fourths of C-suite and IT leaders agree that telecommuters pose a greater security risk than office workers. The main reasons include, but are not limited to, password sharing, using personal devices, and accessing public Wi-Fi, according to the Center for Internet Security, Inc. (CIS), a nonprofit organization.
The hybrid work trend presents opportunities for hackers as more firms scale up remote desktops outside of on-premises firewalls, according to Abramov. From company-owned laptops accessing VPNs (virtual private networks) to software as a service (SaaS) subscriptions in the cloud, vulnerability abounds. Many cybersecurity firms, including All Covered, employ ethical hackers who can break in and test customer networks from remote locations. Abramov referred to this technique as basic blocking and tackling: Simulating sophisticated adversaries can be a very effective way to find flaws and fill holes.
Point-in-time penetration “pen” testing (see sidebar) is another sound method for identifying critical cyber risks. Abramov also advocates deploying “red-teams” to play devil’s advocate and, potentially, uncover security flaws that may have eluded a client’s security team and even its chief security officer.
Companies need to be proactive to address security risks and ensure safety for remote employees. When working from home, “the perimeter of the network gets disintegrated,” explained Ryerse. “The level of security often is compromised, and there can be a lot of complexity and cost involved. A lot of it isn’t necessarily common knowledge, and it can be a train wreck.”
MSP Sales Revolution’s Bleam added that employees working from home are not behind the company firewall with protections in place. Even if they’re not using their home computers, the home Wi-Fi network and home router usually are not locked down the way systems are at the office.
The other problem, Bleam pointed out, is that at home, workers are in a different environment fraught with distractions. You have people trying to empty their inboxes, meet a deadline or answer an urgent question while a child may be peering over their shoulder doing school work, a dog is barking to go outside, or a delivery person is ringing the doorbell. Even if trained in security prevention, they may be less aware at home and click on a link that they normally wouldn’t click on. Bleam warned: “A distracted worker is a dangerous worker! They’re out of their norm, and muscle memory can fail you. Things you wouldn’t do in the office, you’re going to be tempted to do.”
Bleam agreed with Ryerse that it is virtually impossible to keep up with insidious hackers and anticipate what evil tech they might have in store. “Certainly, we should study trends and be aware of what’s coming down the pike,” she said while adding that establishing a handful of CIS controls can help mitigate over 80% of risk. “Security is not a zero-sum game,” Bleam insisted. “It is a risk-mitigation goal: Reduce the risk as much as you can. So, if you are putting these CIS controls in place, you’re in a great position for whatever the hackers may have in store – certainly in the near term and possibly even the long-term.”
How to Position a Security Audit
Cyber audits are a great way to generate fear, uncertainty, and doubt among clientele, according to Bleam. However, the information they provide can be invaluable to the organization being audited. But should dealers charge for security audits? And, if so, how much?
“If the solution is software-driven and largely automated—not requiring a whole lot of manual labor—then you probably should give it away,” she recommended. An ethical hack via a mini “pen” (penetration) test could have a market value of between $1,000 and $2,000. (Note: Pen tests are not to be confused with a vulnerability assessment.) Abramov of All Covered believes project-based pen tests should not pontificate but instead appeal to clients’ real-world sensibilities. “Show, don’t tell,” he advised: “Show them how to close the holes. Pen test results can miss findings. Some vendors do bad work, which is why you need to be discerning when choosing a partner.”
On the flip side, Bleam said if dealers do charge for audits, fewer people will agree to pay for them, but the leads are of a higher quality. If you do decide to work together, you can apply that investment as a credit to their first month’s agreement. “Never make an offer that is out of line with the amount of trust you have with a particular prospect,” she recommended. “There needs to be a level of professional trust from the prospect to the dealer. They need to see you as a thought leader. If you’ve earned or created that trust, then make your offer.”
Ryerse suggested that dealers offer audits gratis (at no charge) to a small number of customers – at first. Once the service is established, then consider charging using these guidelines from ConnectWise:
- $100 for every “quart of ice:” router, server, switch, and firewall
- Plus $25 per user/employee
“We could spend up to two days of labor assessing the environment,” said Ryerse. “Then, the action plan could be a three- to six-month rollout.”
“The key is to provide value: actionable items,” Bleam concluded. “Don’t just give them a technical report.”