MSP SPOTLIGHT: Go Beyond Baseline Security.

Walt Czerminski • August 30, 2023

94% of MSP clients say they would switch MSPs for a better Cybersecurity solution1.

Introduction


As an MSP, you serve a crucial role as a technology partner to small and medium-sized businesses (SMBs), giving them the peace of mind that their business is running efficiently. However, the evolving threat landscape and required digital initiatives have increased the exposure of SMBs to cyber risks, necessitating a higher level of protection, one they may not even realize they need. This blog will explore the challenges MSPs face in providing holistic cybersecurity support to their SMB clients and discuss how a programmatic-optimized approach can help bridge the gap, ensuring enterprise-level protection without breaking the bank for SMBs, while adding revenue opportunities for MSPs.



Current MSP Model


MSPs are indispensable for SMBs, offering valuable IT services and tech strategies that give them the luxury to focus on their core business functions. As cyber threats become more sophisticated, SMBs find themselves in the crosshairs of cybercriminals. In response, they turn to their trusted MSP partners for support and protection. Innovative MSPs are meeting this challenge head-on, offering many of the core cybersecurity technologies as a baseline. But even the most diligent efforts present cost and execution challenges. MSPs have an opportunity to expand their services for SMBs and amp up the level of protection. Increased complexities in the threat landscape along with mounting compliance regulations and disparate technologies have left MSPs in information overload on knowing how best (and easily) they can bring those services to market for their customers.


What are SMB clients asking for?


SMBs, like larger enterprises, face a constant barrage of cyber threats and often must adhere to compliance requirements. In fact, the impact of cyber attacks as a percentage of revenue for SMBs is actually larger than enterprises. They also face exactly the same challenges as enterprises; limited budgets, lack of resources, and a shortage of specialized expertise. This leaves SMBs vulnerable to regulatory fines and a prime target for cyber attacks. For instance, according to the Ransomware Taskforce businesses with fewer than 500 employees were hit by 70% of the ransomware attacks in 2021.)

 

Given the maturity of enterprise cyber programs in today’s landscape, hackers are setting their sights on SMBs as they will likely be easier to penetrate, not to mention having more at stake for a breach and possibly more likely to give in to demands. As these attacks are proliferating, SMBs are left asking “How do I manage my cyber risk without breaking the bank?”

 


2 Distinct, But Interconnected Sides of the Coin


Much like enterprises, and as noted above, SMBs not only have threats to contend with but also adherence to compliance mandates. Regulatory compliance is oftentimes more critical for an SMB depending on their industry or how they fit into part of a supply chain, for example, if they are doing business with the DoD and must comply with CMMC. They typically would need a divide-and-conquer approach (with an already small team) to handle compliance readiness and threat management as two distinct initiatives. This adds an additional strain on already sparse resources and skill sets, plus added tech investments to support both sides of that coin. An integrated approach to Governance, Risk Management, and Compliance (GRC) and Managed Detection and Response (MDR) or Extended Detection and Response (XDR) both from a programmatic and tech perspective can be much more advantageous to any organization, SMB or otherwise.

 


MSPs Face Challenges as Well


MSPs, while committed to providing cybersecurity support, encounter their own set of challenges. They manage multiple clients with diverse complexities related to threats, attacks, and compliance requirements. Their current approach often relies on point solutions such as endpoint security, firewalls, identity management, and compliance tools. However, these fragmented tools offer only a patchwork stopgap solution, are expensive to maintain, and are difficult to scale. Moreover, disparate tools do not provide the holistic visibility required to assess their clients' overall security posture and compliance status.


MSPs are left grappling with critical questions:


  • What should our first action be in response to a cyber incident?
  • What specific cyber and compliance pain points are our clients facing?
  • Where are the security and compliance gaps in our clients' infrastructure?
  • How can the limited resources of SMBs be leveraged to achieve the best outcomes (after all, great security programs require action on the customer’s part!)?
  • Where are their security/compliance gaps?
  • How can we help to reduce their cyber/compliance risk…?




Time to Rethink: How can we better serve our SMB clients?


To address the challenges faced by SMBs and MSPs alike, a paradigm shift is necessary. Instead of relying solely on point solutions, MSPs should adopt a programmatic approach to managed services. This approach offers a multitude of benefits, including:


Better Visibility and Enhanced Protection: A programmatic approach allows you to gain comprehensive visibility into your clients' network and security environment, enabling you to offer better protection against cyber threats.


Reducing Cyber and Compliance Risk: By gaining a holistic view of your clients' infrastructure, you can clearly and easily isolate gaps – and address how to close them. You can identify vulnerabilities, provide actionable insights, and help your clients implement effective cybersecurity strategies.


Increasing Bottom-line Revenue: Understanding the specific gaps and requirements of your clients allows you to streamline workloads and offer tailored services. This, in turn, leads to increased revenue and long-term client satisfaction.


Gaining a Competitive Edge: Adopting an advanced cybersecurity approach will set you apart from your competitors. Clients are more likely to choose MSPs that can provide comprehensive protection and strategic guidance, and approach cyber risk from both a business and technical lens.


Enterprise-Level Protection at a Fraction of the Cost: With a programmatic approach, you can offer SMB clients enterprise-level protection without the need for exorbitant investments in multiple point solutions, or plug into what you already have in place to maximize existing investments.




The Future of Cybersecurity for MSPs. Give your SMB clients the enterprise-level cybersecurity protection they need.


MSPs must evolve their cybersecurity support for SMBs to address the growing threat landscape effectively. By shifting from a fragmented approach to a programmatic model, MSPs can offer better protection, reduce cyber risk, increase revenue, and gain a competitive edge.


GRC + MDR/XDR. Cost effective. Easy to implement.


For MSPs looking for a turnkey solution to provide enterprise-level protection easily and affordably, Cytellix offers a comprehensive cybersecurity platform with its Cytellix Cyber Watch Platform (CCWP™). It is the ONLY place where GRC and MDR/XDR are delivered as a single integrated solution for a holistic, real-time, view of your client’s cybersecurity posture. Cytellix was recently recognized as a sample vendor in the Gartner® Hype Cycle™ for Cyber Risk Management, 2023. Cytellix's advanced capabilities empower MSPs to deliver integrated cybersecurity and compliance support, making them invaluable partners for their SMB clients.


In a world where cyber threats continue to evolve, MSPs play a crucial role in safeguarding SMBs. By embracing innovation and adopting a programmatic-optimized approach, MSPs can ensure that their clients receive the protection they need without straining their budgets. The time to act is now, and with Cytellix, MSPs can be the trusted cybersecurity allies that SMBs rely on to navigate the digital landscape securely while growing their business.



1 Source: Vanson Borne Report - The State of SMB Cybersecurity in 2022

The Clock is Ticking for CMMC 2.0: Here’s Everything You Need to Know – START NOW

By Brian Berger August 23, 2023
The Department of Defense (DoD) has formally presented the CMMC regulation for official evaluation, marking the start of its journey toward formal announcement. Every regulation proposed by the executive branch, including this one, undergoes scrutiny by OIRA, a division of the Office of Management and Budget (OMB). The significance of this step is that the previously mentioned "delays" in the CMMC process were due to the time taken for the DoD to forward the rule to OIRA. With this action now taken, the subsequent stages of the rulemaking procedure are underway. Nevertheless, due to the intricate nature of federal rulemaking, several more stages need to be navigated before the CMMC becomes a part of contracts. The following scenarios should be considered for preparation for compliance and certification for the Defense Industrial Base (DIB). Scenario 1: Proposed Rule Submission to OIRA: The Department of Defense (DoD) has officially submitted the CMMC rule for regulatory review to the Office of Information and Regulatory Affairs (OIRA). Review and Publication: After OIRA's review, which takes an average of 66 business days, the CMMC rule is expected to be published in late October 2023. Public Comment Period: A standard 60-day public comment period will follow, ending in December 2023. Finalization: The CMMC rule will be published as a "proposed rule", which means it will only become effective after the agency responds to public comments in a final rule. Based on historical data, the average time for DoD proposed rules to be published as final rules is 333 business days. This means the CMMC final rule is expected between February and April 2025 . Phased Roll-Out: The DoD plans a 3-year phased roll-out for CMMC contract clauses. Assuming the final rule is published in Q1 2025, all relevant DoD contracts will contain CMMC by 2028. Scenario 2: Interim Final Rule Immediate Effectiveness : If the CMMC rule is published as an "interim final rule", it will be effective before the agency responds to public comments . This means the rule would be in effect and appear in contracts in Q1 2024 . Rarity of Interim Final Rules: Such rules are rare and bypass the usual democratic process of "notice and comment" rulemaking. They are typically granted in urgent situations, like the need to enhance national security. So when should you start preparing? Before we start with the background and changes, let’s talk about the "Big Elephant” in the room. Clearly, the updated compliance and certification process developed by the DoD and the non-profit organization liaisons has been long overdue with a lot of anticipated deadlines that never materialized. And with the latest announcements it does seem to be mildly reminiscent of the movie comedy and colloquial meaning of Groundhog Day. Since the Library of Congress selected the film for preservation in the National Film Registry I found humor in relativity, not cynicism. Opinion: This is different and the information we have in the DoD supply chain must be protected from our adversaries. This is a serious issue and needs clear and precise guidelines as the supply chain will not spend money on the protection of the information that protects national security unless they must as it is deemed as a complex undertaking. That’s an unfortunate reality. We have seen the start and restart of the cyber programs for DoD for the past 5-years, what makes this different? The implementation of the CMMC rule in contracts will be phased in over a period of 3 years, with all relevant DoD Defense Industrial Base (DIB) contracts containing CMMC by 2028. For a company with 50-100 employees operating in the DoD supply chain, it takes an average of 12-18 months to prepare for assessment and audit for eventual certification, with certification being the ultimate requirement for compliance. Therefore, the time is now to start the process if you plan to hold government contracts in 2024/2025. There are also varied flow down requirements that need to also be taken into consideration. Understanding Plan of Action and Milestones (POAM) There is now the ability to present interim status vs 100% compliance as we have with the current DFARS and NIST requirements. These interim reports can be handled in the traditional manner by presenting a Plan of Action and Milestones (POAM) that have a less than 180-day completion date for allowed baseline gaps. Unallowed gaps will have a “No POAM” designation and need to be implemented. If you have any doubts, work with a highly skilled 3 rd party who has expertise in these standards and a track record of enabling comprehensive successful standards-based cyber programs. The information presented by the suppliers in POAM’s or claiming 100% compliance will be evaluated and can and will likely trigger audits if certain high-level cyber controls are not met or the 100% compliance score creates suspicion of a false claim. Be careful to present accurate and validated information. So, what does this all mean? You must be compliant with DFARS clause 252.204.7012 and NIST 800-171 today. This is a requirement of your current contracts, and the False Claims Act applies to all cyber compliance representations. If you are not compliant, you could be subject to civil penalties and criminal charges. You need to start preparing for CMMC 2.0 today. The deadline for the final rule is 18 months from now, and it will take an average company in the DoD supply chain 12-18 months to become assessment ready. Waiting is not an option. Waiting is a bad idea. Why you ask? It is very clear that most suppliers and Small and Medium Businesses are not cyber ready and nowhere near compliant with any cyber framework. The timeframe for a typical business to understand, develop and implement full compliance is more than 1-year assuming they have the skills and personnel to complete the objectives. CMMC 2.0 clearly aligns with DFARS and NIST, so it is the best way to protect your organization's sensitive data. Don't delay, start preparing today! *If you have any questions, please reach out to our experts – [email protected]

Cytellix® Names Security Industry Veteran Walt Czerminski as CEO

November 30, 2022
Seasoned C-suite executive brings over 25 years of leadership experience to drive growth of Cytellix's revolutionary SaaS cybersecurity platform.