It’s by no means an understatement to posit that cybersecurity is now a key component of any modern business plan. From the threat of cyberattacks, to adhering to government-regulated compliance requirements to password management, every business should have at least baseline security protections: a minimum standard of processes and procedures for keeping their operations safe.
For managed service providers (MSPs) wanting to become managed security service providers (MSSPs), or even just for those IT providers observing the growing demand for security services, the stakes are rising. You must protect your clients’ business from security threats in addition to your own. But you also need to be focused on your bottom line; while it’s nice to think of yourself as your clients’ protector, you’re still running a business and need to generate revenue.
As with all new ventures, you have to start somewhere. But you won’t be serving your clients adequately with sub-par or incomplete cybersecurity solutions.
This is where the concept of baseline security measures comes in. There are a few key areas to watch out for to ensure your security offering is worthwhile for customers. Covering these key areas can also be considered a baseline of minimum provisions to protect both yours and your clients’ businesses from malicious attacks and unintentional security breaches alike.
All about that base(line security controls)
There are a few different ways to interpret what defines baseline security. According to the National Institute of Standards and Technology (NIST), a “security control baseline” refers to “the set of minimum security controls defined for a low-impact, moderate-impact, or high-impact information system. A set of information security controls that has been established through information security strategic planning activities to address one or more specified security categorizations.”
Meanwhile, the Canadian Centre for Cyber Security defines its Baseline Cyber Security Controls as “a condensed set of advice, guidance, and security controls on how organizations can get the most out of their cyber security investments.”
Microsoft, on the other hand, identifies security baselines simply as standards defined by individual organizations that apps and devices must be compliant with. Microsoft’s own security baselines are groups of recommended configuration settings for different levels of impact, informed by feedback from various stakeholders.
Cutting through all the jargon—think of baseline security as the bare minimum of what a business needs to sufficiently protect itself from vulnerabilities and threats while still being able to work efficiently and effectively. For MSPs, this extends to the bare minimum of security solutions that should be offered to deploy and maintain that protection.
Unfortunately for us all, cybersecurity isn’t a one-size-fits-all, one-and-done type of thing. There’s not some magic cybersecurity easy button we can press to suddenly prevent and deflect all the bad behaviours that can compromise our business data. Good cybersecurity requires vigilance, awareness, training and monitoring. We all need it, no matter how small our business or uninteresting we think we might be as potential targets.
On the bright side, however, it’s not difficult to organize a standard set of policies, procedures and solutions to implement solid baseline security. General areas to focus on include security assessments, security for major productivity suites such as Microsoft 365, endpoint protection, email security and backup and disaster recovery.
You’re only as good as the information you have, and administering cybersecurity assessments is one way MSPs can gather pertinent data about their clients’ environments and current security measures. Conducting thorough, regular assessments can help identify what security measures clients have put in place (if any), and where resources should be allocated to bolster defenses.
There are options out there for building and delivering quality security assessments. However, many are part of expensive packages and services that could be considered overkill when assessing simpler SMB customers. Some of these suites might also tap into areas of cybersecurity that your business isn’t yet ready to tackle. Fortunately, Sherweb offers a free Security Foundation Assessment designed for a quick-but-thorough security review for MSPs and their clients. Deploying a security assessment of any kind should be a key component of your baseline security measures, and we highly suggest you start including such a resource in your toolkit.
Security for Microsoft 365
Of course Microsoft 365 is secure. But many SMBs don’t have the resources to properly educate or monitor staff about every security setting or best practice to follow—they rely on IT providers for that.
Taking a multi-layered approach to cybersecurity is widely recognized as an industry best practice. Deploying third-party security solutions to help safeguard critical business applications like Microsoft 365 is therefore a good plan of action for protecting client systems. Solutions like Office Protect can also greatly simplify cybersecurity management for both you as the service provider, and clients with multiple Microsoft 365 tenants that need to be protected.
Another thing about popular tools like Microsoft 365 is that they also make for popular attack targets. By taking care to include security measures for such tools in your baseline offer, you show value for clients by demonstrating that you’ve taken action to protect what matters most.
People expect to be able to use their own devices at work. Sure it’s convenient, but it’s also usually not secure. Because of this, endpoint protection has become an essential inclusion in baseline security controls.
Antivirus and antimalware solutions (Bitdefender, for example) help keep malicious threats from assaulting client systems. Enabling multi-factor authentication is also recommended to prevent unauthorized access to accounts, files and networks.
Generally speaking, adopting the Zero Trust Security Model is recommend both for sufficient baseline security measures and proactive endpoint protection.
Email is a business’s greatest security threat. It’s a primary vector for malicious activity, which is why it should definitely factor into a service provider’s baseline security stack.
Monitoring, alerts and threat prevention against risks like spam, suspicious links and addresses needs to be the norm to ensure adequate security. Again, a multi-layered approach is recommended. Although Microsoft 365 has many security controls in place to protect mailboxes, additional solutions such as Office Protect and Proofpoint email protection provide extra layers of security to make sure business email compromise is avoided at all costs.
Backup and disaster recovery
Just like how there’s no cybersecurity easy button, there’s also no special shield against unforeseen disasters. Sometimes, secure backups and an effective disaster recovery plan are the only things that can save businesses from total catastrophe.
Acronis Online Backup and Veeam Cloud Connect are staple solutions for business continuity and disaster recovery. By educating and encouraging clients to regularly back up files and data, while simultaneously providing failsafe measures to keep networks up and running in case of an outage, service providers can become essential to their customers by managing the solutions that ultimately keep the lights on.
Develop your baseline and build a quality managed security offer
By at the very least covering the basics described above, MSPs and other cloud resellers can build a baseline security offering that equips clients with a multi-layered defense system that protects against modern threats.
Granted, the above suggestions for baseline security measures are our own recommendations. But Sherweb’s expertise as a value-added cloud solutions provider has been proven to help partners succeed. Check out our Partner Guide for more information about how Sherweb can support your managed services business, including products and solutions for comprehensive cybersecurity.