Until now, all these capabilities were limited to Active Directory passwords. Now, we are introducing the addition of Microsoft Entra ID and Microsoft 365 passwords in IT Glue’s password security features for complete password security. Join us as we delve into the functionalities that make IT Glue a preferred choice for dynamic organizations prioritizing security and compliance.

What is automated password rotation?

Automated password rotation is a security measure where passwords are systematically changed on a scheduled basis without manual intervention. This practice is crucial for minimizing the risks associated with stolen or compromised credentials. The top cause of a data breach is human error, like an employee unwittingly giving a cybercriminal their password.

Why is automated password rotation important?

For IT professionals, ensuring robust security measures translates directly to protecting organizational integrity and customer trust. Automated password rotation plays a pivotal role by preemptively renewing credentials before they can be exploited by cybercriminals, thereby enhancing overall security posture and supporting compliance with industry regulations.

Let’s explore some of the specific benefits of Microsoft Entra ID Password Rotation.

Putting password rotation on autopilot

Putting password rotation on autopilot with IT Glue’s automated feature means simplifying the maintenance of password security while enhancing organizational efficiency. Here’s how automated password rotation can transform your security strategy:

1. Time and resource efficiency: Automate the routine, repetitive task of password changes to save valuable time and resources. This shift allows IT teams to focus on strategic initiatives rather than getting bogged down with manual security maintenance tasks.
2. Elimination of human error: Manual password updates are prone to human error, which can lead to security vulnerabilities. Automated password rotation eliminates this risk by ensuring that passwords are changed accurately and consistently, reducing the likelihood of breaches that stem from human mistakes.
3. Streamlined security operations: With automation, the process of updating passwords becomes seamless and non-disruptive. IT Glue’s system ensures that all credentials are rotated as per the set schedules without any need for manual intervention, thus maintaining continuous security coverage.

Robust security for dynamic organizations

IT Glue’s automated password rotation feature is meticulously designed to provide robust security solutions tailored for dynamic organizations. This capability allows IT administrators to proactively manage and secure their network by setting custom password rotation schedules that align with organizational policies and compliance requirements. Here’s how automated password rotation with IT Glue enhances your security landscape:

1. Customizable schedules and frequencies: Tailor the frequency of password rotations to fit the specific needs of your organization.
2. Minimize risks of cyberattacks: With the ability to customize password complexities and rotation parameters, IT Glue helps minimize the organizational risks associated with potential cyberattacks. By regularly updating credentials, you reduce the window of opportunity for cybercriminals to exploit stale passwords.
3. Bulk password updates: IT Glue facilitates the management of password updates by allowing administrators to select and rotate passwords in bulk. This not only saves time but also significantly reduces the workload of IT staff, allowing them to concentrate on more critical tasks.

4. Adaptability to organizational growth: As organizations grow and evolve, their security needs can change. IT Glue’s password rotation feature is built to scale alongside your organization, providing consistent security measures that adapt to your expanding infrastructure.

Bolstering security and compliance for security conscious organizations

IT Glue’s expansion to include Microsoft Entra ID and Microsoft 365 in its automated password rotation capabilities marks a significant enhancement in securing a broader range of critical assets. Here’s how this feature enhances security and compliance:

1. Comprehensive protection: By including Microsoft Entra ID and Microsoft 365, IT Glue offers a more holistic approach to password security. This integration ensures that key systems are protected by strong, regularly updated credentials, safeguarding sensitive corporate and customer data.
2. Compliance with regulations: Many industries have strict regulations requiring robust data protection measures, including mandatory password changes. IT Glue’s automated password rotation helps organizations meet these compliance requirements more efficiently and without the risk of human error.
3. Prevent unauthorized access: Regularly updating passwords reduces the risk of unauthorized access to sensitive systems and information. Scheduled rotations ensure that even if a password is compromised, its lifespan is limited, significantly reducing the potential impact of a security breach.

Getting started

This feature is available to users subscribed to Network Glue. For more details on setting up and optimizing automated password rotation, click here.

Not a Network Glue Partner yet? Experience the benefits of streamlined and secure password management. Get a demo today and see how IT Glue can transform your organization’s security strategy.

The post Reduce Credential Stealing and Increase Security with Automated Password Rotation appeared first on IT Glue.

In this blog, we will explore the different aspects of vendor management and how you can leverage the process to ensure effective management of your supply chain.

What is vendor management?

Vendor management refers to the processes used by organizations to manage their vendors. This involves various activities like vendor selection, contract negotiation, cost management, service delivery, etc. The whole process aims to create the best vendor management practices to benefit the organization.

Organizations can bring down supplier costs, improve service delivery and mitigate potential risks with proper vendor management. Most importantly, vendor management plays a critical role in meeting business objectives and preventing disruptions that may arise from delivery failures.

What is the difference between procurement and vendor management?

Procurement is all about finding the best deals for an organization and mitigating contractual risks. Procurement people typically scan the market for better opportunities and focus on negotiating lower fixed rates. They also work with new vendors to reduce the overall cost as much as possible.

On the other hand, vendor management focuses on developing relationships with third-party vendors and mitigating risks. When you maintain healthy relationships with your suppliers, you can enjoy flexibility while reducing costs and fostering innovation.

In the bigger picture, both procurement and vendor management focus on securing the organization’s interests. The key difference lies in how they go about it.

What is the role of vendor management?

Many tasks go into vendor management, including controlling costs, negotiating contracts, maintaining relationships with partners, creating procurement standards and sourcing the best vendors. Here is a list of roles and responsibilities in an organization’s vendor management process.

• Developing vendor management policies and procedures
• Working with third-party vendors on a day-to-day basis
• Monitoring the performance of vendors and conducting due diligence
• Identifying the risks associated with vendors following contract execution.
• Communicating with the different business units and departments
• Reporting to senior leadership about the vendor management process

Why is vendor management important?

Vendor management plays a critical role in the success of a company. Businesses need to get the best value for their money if they wish to outperform their competitors in the market. Taking a strategic approach to procurement through vendor management will help manage your suppliers efficiently and bring myriad other benefits.

With effective vendor management, you can mitigate risks, optimize performance, create loyal relationships, boost efficiencies and more. In the long run, it can bring significant value to your brand and prevent any damages arising from your vendor’s actions.

What is the vendor management process?

The vendor management process can be broken down into six key strategies. Each strategy plays a distinct role in solidifying a buyer’s relationship with vendors. Here’s an overview of the six strategies involved.

1. Establish objectives and vendor criteria

The first step in the process is establishing business objectives and determining the criteria for choosing vendors. This stage mainly focuses on aligning the roles of vendors and buyers. Vendors who have a clear knowledge of your business objectives can serve you better and ensure a seamless inventory flow.

2. Vendor selection

Once you have established your business goals, you can choose the right vendors who can meet your expectations. You must research a list of vendors in the market and sort them out based on their experience, size, commitment to quality, etc. Once you have narrowed it down to the last few vendors, you can request quotations or proposals. Price should be a strong factor in vendor selection, but it should not be the only one. Make sure you choose the right vendors based on their track record, capacity to fulfill your requirements and communication.

3. Contract negotiation

After vendor selection, you must negotiate the contract to keep all the terms mutually beneficial. This is also the stage where you establish KPIs for various vendor activities. Understanding a vendor’s business process is essential to ensure proper contract negotiation.

4. Vendor onboarding

In this stage, you must establish the chosen vendor as your supplier. This involves onboarding them on all important things, including how they will get paid, who must be contacted during emergencies, software license details, tax details and insurance details.

5. Vendor monitoring and risk management

When you allow third-party vendors to access your resources, it exposes your organization to certain risks. You must monitor your vendors for various risks, such as compliance breaches, data security threats and intellectual property loss. You must also monitor your vendors for potential risks arising from the non-delivery of products or services that might disrupt your company’s operations.

6. Vendor performance management

To get the most out of your vendors, you must monitor their performance regularly. You must match their actual performance with the KPIs established in the contract. By regularly checking quality and performance, you can build strong strategic relationships with your vendors and leverage them for long-term business gains.

What is a vendor management policy?

Most organizations know their internal risks and take steps to mitigate them. However, they’re often in the dark about the risks arising from external vendors. Your vendors have direct access to some of your mission-critical information. This can significantly increase your exposure to cyberthreats.

Organizations create vendor management policies to identify the risks arising from external vendors. When you know what is at stake, you can implement better controls to mitigate these vendor-related risks. Most importantly, a vendor management policy can also be critical to ensuring compliance.

What should be in a vendor management policy?

To create a vendor management policy, you must list all the vendors in your organization. Ensure you include all third-party suppliers, contractors and associates who are in business with your organization.

Once you have the list of vendors, you need to identify the ones with access to sensitive information in your organization. These vendors must be categorized as critical and monitored with extra care. If these vendors get compromised, it could easily lead to a data breach in your organization and damage your reputation.

What are the benefits of vendor management?

A well-developed vendor management program can bring many significant benefits to an organization from compliance adherence to cost reduction. Some of the key benefits are as follows.

• Improved selection: With proper vendor management, you can choose from a large selection of vendors and get the best offers in the market. You can also have an organized way to promote bidding among multiple vendors and pick the best pricing.
• Better purchasing power: When you have picked the right vendors with the best offers in the market, you can boost your purchasing power by consolidating your volumes.
• Risk mitigation and management: A key benefit of vendor management lies in mitigating risks arising from third-party sources. Once you identify your critical vendors, you can design processes suitable for them to ensure low risk.
• Enhanced performance: Once you clearly understand what to expect from your vendors, you can understand what is working and what is not. This leads to better efficiency in your operations, and you can boost your overall performance.
• Better negotiation strategies: With vendor management, you can develop a strong negotiation strategy in your organization. Strong negotiation helps you win better offers. You can improve all aspects of your negotiation and develop standard procedures for negotiating with new vendors.
• Strengthened relationships: Vendor relationships are highly critical if you wish to have a seamless supply in your organization. You can achieve this by incorporating a solid vendor management program.

What are the challenges in vendor management?

External vendors can help you achieve your strategic objectives by handling complex processes that cannot be done internally. However, vendor management is not without its challenges. Consider these challenges before establishing a vendor management process in your organization.

• Compliance risks: Not all vendors adhere to the compliance regulations set by data privacy laws. In most cases, a lack of compliance from their end could also expose you to compliance risks and penalties. You must choose vendors who meet your compliance standards while also delivering great performance.
• Data security and other threats: When your vendors have easy access to your sensitive information, it makes you vulnerable to data breaches and other security risks. Risk planning is essential if you wish to minimize the risks caused by vendors.
• Administrative costs: Having the proper process for choosing and managing the right vendors comes with a price. When you manage multiple vendors, you are likely to incur overheads related to project management, vendor support and more. It is always better to check your ROI and ensure the vendor management savings offset the costs.
• Lack of visibility: Managing multiple vendors often generates enormous volumes of data. Organizations often do not have a centralized data management solution with complete visibility. You need a robust documentation management solution to improve documentation efficiency and visibility.

Enhance vendor management with IT Glue

IT Glue is a powerful documentation solution that allows you to easily manage your vendor relationships alongside the hardware and software assets that you manage. By leveraging out-of-the-box templates, you can document your vendor information, including name, type, category, importance, risk level, etc. This helps you better understand your vendor relationship with the rest of your IT and gain the most out of it.

The vendor information you store in IT Glue is highly secure. IT Glue also comes with SSO, IP access control, host-proof hosting, MFA, audit trails and more, all within a SOC 2 Type II compliant solution.

To learn more about how IT Glue can help you with vendor management, request a demo!

The post Vendor Management: Ensure Effective Management of Your Supply Chain appeared first on IT Glue.

Learn more about cyberthreats from our free “Cyberattacks Demystified for MSPs” infographic.

Malware

Employee awareness is key when it comes to protecting your organization against various malware. You need to train your employees to spot malicious links and pop-ups that may contain codes for malware. With proper training, you can significantly bring down the chances of hackers infecting your systems.

Besides employee awareness training, you also need to incorporate basic cybersecurity measures, like firewalls, antivirus solutions, patching tools, etc., to mitigate attacks.

Phishing

Phishing attacks are social engineering attacks that prey on weak employees, enticing them to click a malicious link or share their personal information. This can be avoided only by providing regular security training to your staff. You need to help them understand how these social engineering attacks work and what needs to be done when they receive a suspicious email or text message.

You also need to incorporate strong email security measures to prevent phishing emails from reaching your employees’ inboxes.

Distributed Denial of Service (DDoS)

Most victims might find it overwhelming when on the receiving end of a DDoS attack. There aren’t many security solutions that identify fake traffic coming to a network. However, there are some effective mitigation tactics you can apply against a DDoS attack. For instance, IP Access Control, where you block traffic from certain suspicious sources, can be helpful.

If you are already facing an attack, you may try blocking all traffic for a short period of time, or rate-limiti traffic to a website to prevent the attack. You can also use a web application firewall to detect suspicious traffic patterns or scatter traffic across a network of servers to reduce the attack’s impact.

Man-in-the-middle attack

As a basic step, you need to encrypt all your enterprise applications including emails, voice traffic, etc. Your protection should not just be limited to sensitive information. This is essential because hackers can insert malware even in non-sensitive communication and infect your IT network. End-to-end encryption is one of the best ways to mitigate these attacks. For remote and hybrid work environments, it is better to use a VPN to access company networks.

Credential stuffing and password spraying

Using a strong password should be a basic requirement in organizational policies. You can use the NIST password guidelines to incorporate a strong password policy in your organization. While strong passwords can certainly help, they can only mitigate these threats to a certain extent. What’s even better is passwordless authentication and multifactor authentication.

There are sophisticated tools that use single sign-on to access various profiles without providing your password in every instance. Make sure you use these tools to avoid the security loopholes caused by weak passwords.

Mobile device attacks

Your mitigation strategies cannot be limited to your workstations and servers. Considering the ubiquitous nature of mobile devices, you need a strong enterprise mobility management (EMM) program as well as mobile device management (MDM) tools that help you protect any company data that may be on your employees’ personal or work devices.

You also need to use identity and access management tools like multifactor authentication to help secure any work applications that contain sensitive information from unauthorized access.

Zero-click attacks

Cybercriminals can also exploit the vulnerabilities in your software and hardware to gain access to your network. You need to make sure your software tools are maintained and up to date with the latest patches. Also, take precautions and examine all permissions when installing new applications. Most importantly, you must enable native encryption features for all sensitive information.

In addition to security measures, you also need to back up your files to secure your data when an attack is inevitable. This helps you get up and running in no time when you eventually fall victim to an attack.

Best practices to boost security

The specific measures listed above can help against those specific attacks. However, there are also some general best practices you must follow to boost security in your organization. Incorporating these measures can help prevent cyberattacks to a great extent.

• Train your employees: Your employees are your first line of defense against various attacks. You must educate them properly about various cyberthreats and how to prevent them. Develop and implement cybersecurity programs designed to stop cyberattacks before they get out of hand. MSPs can use these programs to educate both employees and customers about cyberthreats as well.
• Identify the risks: To mitigate cybersecurity risks the right way, you need to first get an understanding of the different types of risks. Your risk varies based on various factors like the size of the MSP, third-party vendors, types of clients, etc. It is better to perform a comprehensive risk assessment based on the NIST framework to identify the different cyberattacks you are likely to experience.
• Use the right tools: When it comes to security tools, there are various options available in the market. You need to identify the right tools that suit your specific needs. MSPs can integrate cybersecurity tools into their everyday operations, teach employees how to utilize these tools, and minimize the risk of cyberattacks that can contribute to data breaches, downtime and outages.

Demystifying cyberattacks

Cybercrime is at an all-time high right now and the number of organizations affected by cyberattacks is growing every year. Getting an understanding of various threats is important. However, what’s even more important is the implementation of the right strategies to overcome the threats.

To know more about various cyberthreats and how to mitigate them, check out our “Cyberattacks Demystified for MSPs” webinar by clicking the button below.

Click here!

Found this article helpful? Share it with your social network using the icons below.

The post Best Practices to Mitigate Common Cybersecurity Threats appeared first on IT Glue.

MSPs are often targeted by cybercriminals since they can be used as gateways to deploy ransomware into the infrastructure of multiple companies at the same time. In case of an unexpected ransomware attack, simply employing preventive measures isn’t enough. You also need to focus on containing the threat and ensuring business continuity as quickly as possible.

Let’s discuss some of the strategies that can help you get back on track should you experience an unavoidable breach.

Mitigating the Impact of Ransomware

Business continuity is of critical importance no matter what line of business you are in. However, many organizations tend to prioritize other initiatives over IT investments. Sometimes, it can take a full-blown crisis for organizations to take business continuity seriously.

Here’s a list of best practices you need to incorporate to mitigate the effects of ransomware:

• Use secure remote access tools: This is one of the best methods at the disposal of MSPs to mitigate the impact of ransomware. Always ensure that your remote access tools are as secure as possible. Enforce multifactor authentication (MFA) for all critical applications and consider using IP restrictions to access only secure networks. Also, keep your RMM software up to date since it can help you monitor your IT infrastructure effectively and contain threats before they turn into serious issues.
• Restrict network access: Many ransomware attacks involve stolen credentials, which is something MSPs should be aware of. Know that your credentials could be compromised at any time and implement the necessary controls to mitigate the damage. For instance, adopt the principle of least privilege to ensure only the right people have access to critical information. Also, enforce strict password hygiene to prevent unauthorized entry and prevent lateral movement. Consider using a strong password manager and enforce MFAwherever possible.
• Secure your endpoints: Phishing is still one of the most popular modes of delivery when it comes to deploying all types of malware including ransomware. All it takes is a naïve employee to click a phishing link to compromise an entire network. Secure the endpoints of your employees with measures like email security, web filtering, endpoint security and more.
• Prioritize patch management: Patching is as critical as any other security measure. Many cybercriminals try to exploit vulnerabilities in an outdated software tool to gain entry into a network. You need to keep all your software up to date without fail. Manual patching is no longer an option when managing multiple networks. You need a strong patching engine to automate the patching process and secure your endpoints.
• Set alerts: Mitigating a breach requires getting alerts before something gets out of hand. You need to configure your networks in order to receive proper alerts about unusual activity. This helps you stay ahead of security threats and proactively mitigate risks.
• Create off-site data backup: When an IT infrastructure is compromised, it is more likely that the data backups are also compromised. Ransomware attacks take control of critical business data and encrypt it to hold for a ransom. This is why off-site data backup is crucial for a solid business continuity strategy. Try creating multiple copies and use strategies like 3-2-1 to ensure business continuity after a breach.
• Implement BYOD policies: Company-issued devices are always preferable when it comes to security. However, in this age of remote and hybrid work environments, employees also tend to use their own devices for work. You need a strong policy regarding the use of personal devices. Enforcing network restriction and VPN usage could also curb the use of personal devices for work purposes.
• Develop and test incident response plans: Do you have a plan in place if an unexpected breach occurs? If you don’t, you need to get on it right away. You need to have plans outlined for communication, containment, mitigation and remediation. Your key employees should be aware of this and start recovery procedures immediately.
• Document and review the processes: Documentation plays a significant role when it comes to filling up the gap in your cybersecurity measures. With clearly documented processes, you know what actions need to be taken and how to incorporate them. To keep your documentation up to date, you need to regularly review it and make necessary modifications.

A Resilient Infrastructure

Cyberthreats can come from anywhere in today’s world. A proactive approach is a great way to not only prevent security threats but also contain unavoidable breaches. The stakes are higher than ever for MSPs in this digital world. Make sure you have a strong security foundation that can bounce back from any threat. The time to build a resilient IT infrastructure is now!

Resources

As an MSP, you manage a lot of sensitive client data and protecting this data is of paramount importance. You can use the following resources to mitigate the impact of an attack and secure your critical data:

• Use the MSP Discovery Checklist as a framework to record the critical aspects of your clients’ IT environment.
• Get an overview of business continuity issues with the help of the Business Continuity Planning for MSPs Ebook.
• Check if your IT documentation solution is secure enough with the Secure Documentation Checklist.
• Learn all about IT Glue’s infrastructure, platform, security features and more with the IT Glue Security Whitepaper.
• Do you have the right compliance policies in place? Use our Data Privacy Compliance Checklist  to check it out.
• Download the Quick Start Guide to Data Privacy Compliance and IT Documentation Ebook to develop a strong compliance program.

Request a Demo

Found this article helpful? Share it with your social network using the icons below.

The post Mitigating Ransomware Attack Risks appeared first on IT Glue.

A risk assessment is one of those critical pieces of documentation that can showcase the competitive value your MSP can provide to a client. By providing a sample risk assessment, a prospective client understands how thoroughly you will defend their environment – especially if you identify risks that they were not previously aware of. Quantifying those risks will reinforce this point further. The additional value of risk assessments in revenue generation is that they showcase your professionalism, and allow you to make specific, direct proposals to your prospects that address the issues that concern them. Here’s why this matters:

The MSP industry is becoming increasingly professional, and a couple emerging key trends matter here. First, more MSPs are concerned about price competition. That’s because MSPs are facing an increasingly competitive landscape when trying to close deals. With intensifying competition putting the squeeze on margins, and making it harder to close deals, MSPs need to be better equipped during the prospecting process.

The risk assessment can get you on the same page as your clients and facilitate early buy-in, even before they sign. This is a key component to having a smoother time migrating the new client’s stack. If you don’t get this buy-in, you’ll probably face a lot more pushback. This is the shared accountability model, and it allows you to put your new clients on the path to a standardized stack right away, for the benefit of everybody.

Remember that if you get your clients all on the same stack, your service costs will go down, and service standards will go up. If you’re using the best stack, then you can highlight the risks associated with the legacy tech the prospect is using.

Despite their value, risk assessments can’t achieve this alone, but they are a valuable tool you can use to support the arguments you’re making. To learn more about documenting risk in IT Glue, please check out the other posts in the risk management series, or sign up for a demo.

Yes, sign me up for a demo!

IT Glue’s award-winning documentation platform allows for efficient storage and retrieval of all the documentation you need to help managed service providers increase efficiency.

The post Using Risk Assessments in Sales appeared first on IT Glue.

Whether the SLA review is part of a quarterly business review or not, risk assessments can be used to showcase a few different things for your clients. First, the risk assessment can be used to highlight opportunities for improvement. Now, clients aren’t inherently receptive to risk mitigation, especially when doing so increases work on their end (hands up if you’ve had extended “debates” with a client about the merits of 2FA).

In situations like this, you can show how making hardware or software changes would improve your tech’s ability to hit SLA targets while simultaneously reducing risk for the client. “Noisy” environments tend to create more risk, because it is harder to service clients with a wide variety of overlapping tech. If a little extra work on the client end reduces downtime and resolution time, the risk assessment can be part of the supporting evidence to make your case.

A quarterly business review (QBR) is a more formal conversation, one that should beyond just the SLA review. The QBR is a great place to highlight the shared accountability model – your clients are also responsible for security and performance, because they have to sign off on the decisions that you make. Continuous improvement projects can be moved forward more easily if you have formal risk assessments that you can present as a precursor to the discussion about the solutions you wish to implement.

This conversation based on risk assessments and an evaluation of which changes need to be made to reduce needless risk, should occur regularly, and be a key driver for change. One of the biggest values of risk assessments is that they lie right at the heart of your clients’ business objectives. They want uptime, they want fast resolution of problems, and they are looking for you to deliver these things. If your recommendations can be tied back to these overall objectives in a formal way, you’ll have a much easier time motivating your clients’ senior management to adopt your recommendations. It turns what would otherwise be a sales conversation into a service conversation, which for most MSPs is an easier conversation to have.

The risk assessment, when used in SLA reviews and QBRs, can be an effective means of supporting the decisions you want your client to make. They are evidence that illustrates that you are on top of your clients’ environments and working proactively so that you never have to face a crisis together. That’s powerful value.

Next week, we’ll continue this series by taking a look at how risk assessments in sales conversations. There’s nothing better than making the sales conversation easier, so be sure to check back in a week for that.

To learn more about how IT Glue can provide a springboard for meeting all of your documentation needs, why not take a look at our demo.

Yes, sign me up for a demo!

IT Glue’s award-winning documentation platform allows for efficient storage and retrieval of all the documentation you need to help managed service providers increase efficiency.

The post Using Risk Assessments in QBRs and SLA Reviews appeared first on IT Glue.

The Four Pillars

There are four pieces of information that should be included in every risk assessment. They are importance, category, RPO/RTO and impact.

Pillar #1: Importance
The best way to define importance is by the amount of time lost if the event occurs. The reason is simple – the biggest cost your clients is downtime. Downtime affects your clients’ capacity to sell, market, and run their operations. If your client loses its system for taking credit card payments online, and it has a major e-commerce business, then any downtime to the credit card payment system is critical. Other systems may not be as important. Prioritize risks by how important the affected item is to the business.

Pillar #2: Category
Category reflects the functional line of the business. If possible, risks should be broken down by functional line, and the functional lines should be confirmed with your clients’ management. This helps you guide the conversation so you can talk to the right manager about the risks that they, specifically, face.

Pillar #3: RPO/RTO
Recovery point objective (RPO) and recovery time objective (RTO) should be included in every risk assessment. As the service provider, you need to know what standards the client is going to judge your performance by. If those standards are not realistic, knowing ahead of time gives you an opportunity to get in front of that conversation. But more important, having RPO and RTO standards documented means that your techs understand the client’s business from the client’s perspective, and can act accordingly.

Pillar #4: Business Impact
The final piece of the risk assessment structure is the business impact. Again, this is a matter of asking your client this question, and listening to their answer. They know better than anybody what the business impact of something might be. Losing Salesforce or 365 for an hour could cripple one client, and not matter that much to another. Understanding the business impact allows you to put your clients’ reactions to problems into proper perspective.

Documenting Risk Assessments

This simple four-part structure can be documented easily in IT Glue, or in Excel should you prefer the old school approach. But no matter how you document it, ensuring that your risk assessments are easy to find, easy to understand, and have been written with substantial input from key stakeholders at your clients makes all the difference in the world in terms of optimizing your risk management program.

To learn more about how IT Glue can help streamline risk management at your MSP or internal IT team, we invite you to demo our full documentation platform. Are you in?

Yes, sign me up for a demo!

IT Glue is an award-winning documentation platform that allows for efficient storage and retrieval of all the documentation you need to help your MSP run better. By integrating PSA and RMM data, we can help increase your efficiency, and reduce onboarding times by even more. By eliminating wasted time from your business, IT Glue gives you more time to focus on what matters – growing your business.

The post How to Structure Risk Assessments appeared first on IT Glue.

When a client tells you that, you know you’re going to have a fantastic conversation. That’s because something bad happened, and revealed a common disconnect between IT service providers and their clients. The client assumes that the IT service provider handles every single aspect of IT service, including everything security related. You, the IT service provider, probably have a more realistic view.

But in a way, the client has a point. It’s not their fault that if they are unaware of the risks. And how would they know what you are handling if you don’t tell them? This is where the risk assessment comes into play. The first stage of the risk assessment is identifying and tracking risk.

Not All Risk is Created Equal

To appropriately understand risk, examine the two dimensions – odds of it happening and outcomes if it does. Outcomes can be graded in terms of their impact on your client’s business or brand. Consider the following scale:

Once you’ve categorized each risk by its business impact, you can start to look at likelihoods. We know, for example, that a Datto survey found that 91% of MSPs had a client hit by ransomware in the prior 12 months, so those odds are, uh, not good. If the business impact is high or critical, then ransomware protection has to be a high priority item for that client.

Tracking Risk

There are a couple of ways to track risk. The old-fashioned way, of course, is the good ol’ Excel spreadsheet. It’s your spreadsheet is in O365 or Google Docs, you can share it with key stakeholders and everything. Right on.

We recommend using IT Glue. Risk can be tracked by organization, using a custom Flexible Asset. Here’s an example.

This can also be shared with key stakeholders, it’s easy to search, and it lives with the rest of your documentation. That’s important because it’s a lot easier to find a risk profile in IT Glue than a spreadsheet buried deep in some folder tree, and having it in the same place as all your other documentation means it’s only a click away.

Using a consistent format to track risk also makes it easier to have the risk conversation with your clients. Consistency means that if someone’s done it once, they can do it again. It’s a repeatable process.

So how do you have the risk conversation? We’ll talk about that next week.

To learn more about how IT Glue can improve the quality of your documentation, including risk profiles, sign up for a demo today!

Yes, sign me up for a demo!

IT Glue is an award-winning documentation platform that allows for efficient storage and retrieval of all the documentation you need to help your MSP run better. By integrating PSA and RMM data, we can help increase your efficiency, and reduce onboarding times by even more. By eliminating wasted time from your business, IT Glue gives you more time to focus on what matters – growing your business.

The post How to Track Risk appeared first on IT Glue.

Do we really understand the risk?

If you categorize Wannacry as simple ransomware, the impact wasn’t as bad as other outbreaks. Yes, it spread quickly, but anti-virus vendors were quick to respond and its progress was greatly slowed by a lucky researcher.

But Wannacry isn’t just a simple ransomware outbreak. It’s the first of something new.

Hackers and their ilk have been becoming more mature and sophisticated for a long time, but groups like the Shadow Brokers are taking it to a much scarier level. Their recent announcement of a 0-day vulnerability subscription service should increase your cyber-risk level to an all-new level.

The good news

For all the hair-on-fire and running-around-in-circles caused by Wannacry, when you take a breath and look back, it’s clearly an opportunity for companies and MSPs to make space in the budget and put the right protection in place. Sometimes you need a big scare to change.

The fear and pain are still fresh. It’s the right time to review security controls with your client and make recommendations to reduce the risk.

What we need to do better

It’s interesting when you look at the statistics for this attack and try to break out what we need to do better.

Better road-mapping and retirement of old operating systems? 98% of the infections were on Windows 7 systems, which is still supported by Microsoft.

Improve antivirus? Anti-spam? If you’re using a tier 1 vendor, they were catching Wannacry very quickly. Symantec blocked more than 22,000,000 infection attempts across 300,000 endpoints.

The answer is not one of technology. Technology isn’t the root cause of the spread. It’s not where some of us fell down.

We need to improve our security processes and better train people.  

Incident response planning

What do you do when an incident like Wannacry happens to a client? How do you respond quickly and effectively? 

Even if you didn’t get infected, as soon as Wannacry started to spread, your risk level should have gone to an 11. What did you do to ensure that your clients were safe? How did you communicate that safety to them?

If your client(s) did get infected, what did you do to lock down the issue quickly and get them back up and running? How quick was the recovery? How did you resolve the root cause of the issue?

Incident response planning is very important for MSPs. Develop clear process maps for your incident response process, including the technical, communications and human elements and write SOPs for every stage (store it all in IT Glue, of course).

Just writing SOPs isn’t effective though – run practice sessions regularly so you team knows what to do. If you’re really keen, do some tabletop gaming of incidents. Done right, tabletop gaming is both incredibly effective and a ton of fun for your team.

Security Operations

There’s many key security operations that MSPs need to be doing very well to ensure their clients are safe.

Patching needs to be at the forefront. With Wannacry, Microsoft had released patches for most operating systems months before. Strangely, I heard of many late-night emergency patching processes from several companies. Patching doesn’t just mean workstations and servers – all systems need to be included. Firewalls, websites, productivity applications, IoT devices, and anything with an external IP. PCI-DSS requires that critical patches be installed within 2 weeks. We should aim for better to ensure our clients stay safe.

Are you sure the front door is closed and locked? If you’re not doing external vulnerability scanning for your clients, you should be. There’s many vendors that provide this service – it’s even built into Network Detective, which many MSPs already use.

For many businesses, even if they didn’t get infected, confidence is shaken. This is when having good security conversations is vitally important. If you’re already doing quarterly reviews and don’t have a strong security component in it, it’s time to develop one.

Security Awareness Training

Forewarned is forearmed.

The bad guys focus on what gets results – and people are the weakest link. Why put in the effort at breaching a firewall when 30% of phishing emails are opened, and 12% of links clicked?

It’s vital that we train staff of all levels to recognize cybersecurity threats and know their role in the security puzzle.

Launch a cybersecurity awareness program for your clients. Do lunch and learns, webinars, and/or newsletters. According to a survey by ISACA, using multiple mediums is the most effective.

Do a post-mortem yourself

Now that the incident is past, you should be doing an internal post-mortem for yourself.

The normal parts of a post mortem include:

• Summarize what happened
  • Include impact analysis where possible.
  • Do not blame-storm! This is about being self-reflective and improving process. If it’s someone’s fault, the team will disengage completely.
• Determine root cause
  • “Uhh wannacry?” is not a root cause. Look at each impact and determine why that impact occurred.
• Review actions
  • What was done during the incident?
  • Include every part of the incident response, including communications with clients, processes and technological factors.
• Learnings
  • What could we do better? How do we ensure this doesn’t happen again?
  • Be open to ideas and inclusive through this process.

Post-mortems are a vital part of incident response. Doing them well can massively reduce the impact of incidents and improve the effectiveness of your whole team.

About the Author

Mike Knapp is an IT Project Superhero and Cyber-Security Simplifier focused on helping business increase success through technology and reducing the risk of cyber-attacks. He is a partner with Incrementa Consulting and the founder of Simple Security.

The post Wannacry Post-Mortem: Lessons for MSPs appeared first on IT Glue.