What are Risk Assessments? And Why Should You Provide One to Customers?

Risk assessments give customers a clear understanding of their cybersecurity needs and of what they can do to address them, which makes them an excellent business opportunity for MSPs. A cybersecurity risk assessment helps customers identify gaps in their networks and opens the door to larger conversations and more engagement. Risk assessments are a critical tool for identifying problems and planning remediation.
“The bottom line is if we mitigate risk that’s going to reduce the potential for losing revenues,” said Natalie Suarez (director, cybersecurity task force at ConnectWise) during a panel at the CompTIA ChannelCon 2022 conference titled “Selling cybersecurity from a risk perspective.”
Risk assessments should incorporate the three pillars of cybersecurity (people, processes and technology) and give customers a good understanding of what they have and don’t have, so they can determine next steps.
Suarez stated that if your security posture doesn’t address all three pillars, you won’t be able to implement controls properly. “People seem to think only about technology. If technology were the solution to all our problems, then we would have solved them all by now. You must consider policies and people both internally and externally. While it is important to have EDR and SIEM, firewall, web access and gateway, it is not the only way to secure your network.”
Suarez described three methods that customers can use to assess their cybersecurity, including risk assessments and third-party vendor risk assessments. Let’s take a closer look at each of these.
Risk Assessments provide clarity and direction
Suarez stated that risk assessments show that you are an industry leader and that you know your stuff. This builds trust with customers, which in turn can improve profit margins.
Suarez noted that there are many types of security assessments. All of them provide a holistic view of an organization’s security tools and their effectiveness.
Chris Loehr, executive vice-president and CTO at Solis Security and a member of the CompTIA ISAO Executive Steering Committee, said that MSPs should be familiar with the different types of assessments, as each customer’s needs may be different.
“It’s important to be familiar with these terms, especially pen testing, as it is often misused. These terms can be confusing, so make sure you know what they mean. There are many levels of penetration testing. You need to understand what you’re talking about and how your customer needs to be tested. The number one issue is communication. Communication is the number one issue in this area. It’s about what your requirements are and what you’re going to do. Is it a checkbox or a value-added activity?”
Suarez stated that a lot of people ask for pen tests when they really need a vulnerability test. “Penetration doesn’t have to be technical. You can also incorporate social engineering. Have someone pretend to be the cable company that is trying to patch the modem’s firmware.”
Third-Party Vendor Testing Minimizes the Risks
Suarez stated that third-party vendor risk assessments reduce risk, and that MSPs should charge for these services because of the value they provide to customers.
“MSPs are bringing risk to clients,” Suarez said. You must show your business readiness and that you take risk seriously: show examples of your policies and show that you adhere to recognized standards. Ask your vendors what they are doing to ensure their products and services remain secure, and know who the other vendors in the chain are.
Starting a third-party vendor assessment program doesn’t take a lot of time. MSPs can take a number of steps with customers to show value and ensure the assessment is completed. These steps include:
Make a list of third-party vendors
Find out how data are stored, processed, and transmitted
Prioritize vendors based on critical business needs
Request a SOC 2 or similar report
Assess risk and devise mitigation strategies for the identified risks
Reevaluate every year, and add new vendors as they are onboarded
Gradually expand the program to include all third parties

“Remember, it’s not your job to say yes or no to a vendor,” Suarez said. It is up to you to provide the information and help customers identify, prioritize and fix the most dangerous areas. This is not a one-time deal; none of these assessments is. You should reevaluate at least once a year. Because the work is incremental and taken in small steps, it is not overwhelming to you or your staff.
More Education Means Lessen