You can’t fix what you don’t know is broken.
And that in a nutshell sums up why you need to do a security risk assessment (SRA) when it comes to a business and addressing their cybersecurity needs. But of course, there is more to the story, that’s simply the headline. As an MSP, you want to work with your clients to keep them secure and running but starting with an SRA is the first step to identify what should be a long-term partnership together.
As you meet with new and potential clients, doing this audit is one way of creating a mutual business plan together. You identify and show them where they are weak, broken, or lacking in their defense against cybercrime. Then together, you can create a plan to address each of these gaps and remediate them. This plan is a way to outline how you can securely and successfully grow together in your respective businesses. Additionally, with new clients, it provides you with the opportunity to show where you are needed and how you can provide value to them.
The SRA will give you an action plan to work with your client’s budget and any other resource factors that might be in place. These can come in the form of equipment or workforce in addition to budgetary constraints. It can also help you identify high-priority items that need to be addressed immediately.
How Do You Do It?
This will vary based on your relationship with the client or future client. If you’re looking to win the business, you might not have the full access needed to do a complete and comprehensive SRA but you can still provide value to them with some questions.
If you’re working with an existing client, you can include asset tagging and a complete risk profile for those individual assets. Identify what data is stored, transmitted, and generated by each asset and how critical it is to run the business. You can break this down by additional factors like impact on revenue or ability to provide customer response/service. With each risk identified, and the impact on business factors, you can address how to mitigate any gaps and create an action plan to address each weakness over time or how to build up a stronger cybersecurity posture.
And don’t worry, if you skipped over this at the beginning of your relationship with existing clients, it’s never too late to perform an SRA. In fact, doing them on a regular basis can address any hardware and software changes that are ongoing in most business environments. It’s also a great opportunity to review policies and procedures and make any updates to inventory that may have changed since the last assessment.
An SRA is beneficial to you and your client for more than the obvious reasons of providing them with a strong defense against a breach and offsetting your liability should a breach occur if they didn’t act on your advice. it can also improve your relationship and provide a clear communication channel for you to work with them today and into the future.