What Are Risk Assessments and Why Should You Provide Them to Customers?

Assessing your customers’ cybersecurity risks can help uncover gaps in their networks, opening the door for larger conversations and further engagement. Risks assessments can be critical tools to pinpoint problems, plan remediation strategies—and increase sales.

“The bottom line is if you mitigate risk that’s going to lessen the potential for losing revenue, and we’re all in the business to make money, not to lose it,” said Natalie Suarez, director, cybersecurity task force, at ConnectWise and member of the CompTIA ISAO Executive Steering Committee, during a panel at CompTIA’s ChannelCon 2022 conference called “Selling Cybersecurity from a Risk Perspective.”

Risk assessments should incorporate the three pillars of cybersecurity—people, processes, technology—and provide customers with a good understanding of what they have and don’t have in order to determine next steps.

“If your security posture does not address all three pillars, then you’re not going to properly implement any control,” Suarez said. “The issue is people seem to think only of technology, and if technology was the answer to all our woes, then we would have solved this problem by now. You need to consider policies and people, both internally and externally. It’s important to have EDR, SIEM, antivirus, firewall, web access, gateway, but it’s not the end-all, be-all to security.”

Suarez outlined three methods to help customers assess their cyber posture: risk assessments, third-party vendor risk assessments, and live security awareness training. Here’s a closer look at each:

Risk Assessments Provide Clarity, Direction

Risk assessments demonstrate that you’re an industry leader, that you know what you’re doing, and helps to build trust with customers, all of which can ultimately improve profit margins, Suarez said.

“There are different types of security assessments, all of which provide a holistic view of an organizations’ security tools and their effectiveness, including compliance audits, security assessments, vulnerability testing and penetration testing,” Suarez said.

Chris Loehr, executive vice president and CTO of Solis Security and a member of the CompTIA ISAO Executive Steering Committee, added that MSPs should be familiar with various types of assessments because each customer’s need could be different.

“It’s good to know these terms, especially pen testing because that term gets thrown around so loosely. Educate yourself on what these mean. There are different degrees of penetration testing, so you need to know what you’re talking about, and to what degree your customer needs to be tested. The No. 1 issue when it comes to this is communication, in terms of what are requirements and what you’re going to do. Are they trying to check a box or are they trying to do something that provides value?

In fact, a lot of people ask for a pen test when all they really want is a vulnerability test, which is a very different thing, Suarez said. “Penetration isn’t necessarily all technical. You can incorporate some social engineering in there—have someone try to be the cable company coming into patch some firmware on the modem.”

Third-Party Vendor Testing Minimizes Risks

Third-party risk vendor risk assessments minimize risk and MSPs should charge for them because of the value they provide to customers, Suarez said.

“You as an MSP are bringing risk to clients. You need to demonstrate you are business ready, that you’re taking risk seriously,” Suarez said. “Show you comply with certain standards, show examples of your policies. Ask what their other vendors are doing to make sure their products/services are secure. You should be aware of their other vendors.”

Starting a third-party vendor risk assessment program doesn’t have to be accomplished all at once. There are a number of bite-sized steps that MSPs can use with customers to demonstrate value and make sure the assessment is accomplished completely. They include:

• Create list of third-party vendors
• Determine how data is stored, processed and transmitted
• Prioritize list of vendors based on critical business need
• Request SOC2 or similar report
• Evaluate risk and create mitigation for identified terms
• Re-evaluate annually—add new vendors as they’re onboarded
• Gradually expand to include all third parties

“Remember, it’ not for you to say yes or no to a vendor. It’s for you to present the information and help them identify the largest risks and prioritize getting them fixed,” Suarez said. “This is also not a one-time deal. None of these assessments are. You should reevaluate at least annually. It’s step by step, little piece at a time so it’s not overwhelming for you or your staff.”

More Education Means Lessened Threat

Providing security training for your customers can be a fun (and educational) way to get to know them—and to let them get to know you. Training should provide an overall view of the cyber landscape and also be customized for their policy review. Think about offering some training for free and more in-depth paid training, Suarez said.

“Expose to them the risk that inherently is tin their companies. I did a training recently where I shared results of our MSP threat report and our cyber research unit mapped those high-level threats to a MITRE ATT&CK framework with mitigation steps, Suarez said. “So you could teach people how to mitigate threats. You could talk about latest common types of breaches. According to the FBI’s internet crime report, business mail compromise is still high on the list, however stealing from your crypto wallet has increased sevenfold since last year.”

Other strategies include to teach customers why they are a target, how bad guys get in, and what their role is in protecting the company. Also important: ensure that you have the business owners, leaders and decision makers in the room. “If the owners and leaders are there, it shows everyone else that this very important, very serious, we mean it,” Suarez said.