Data or Exploit? Focusing in on the risk.

Written by Assaf

January 28, 2021

MSPs leverage cybersecurity tool stacks (or integrated platforms) to address their customers' threat landscape (viruses, malware, ransomware, vulnerabilities and exploits) and to help ensure that continuity and disaster recovery are fully addressed.

The best stacks incorporate antimalware and antivirus, URL filtering, vulnerability assessment, threat monitoring services and exploit prevention solutions. Data protection features (like real-time backup) can help protect endpoints from data loss due to disasters such as broken hardware or ransomware encrypting data. Forensic backup helps auditors figure out what happened if an exploit occurs.

But MSPs are left in the dark with regard to the intrinsic risk associated with their customers' data (the risk-inherent-in-the-data vs. the risk-to-the-data). And their customers, aware of the magnitude of these risks, are increasing pressure on MSPs to help them address the problem.

The importance of data to cybersecurity and compliance is made patently clear by the ballooning costs associated with exploited vulnerabilities: the costs are proportional to the type and size of the compromised data – and not to the type and size of the exploit. Being able to limit the data exposed drops the associated costs, and demonstrating sound controls reduces assessed penalties quite considerably. Furthermore, newer regulations make data controls a prerequisite for participating in tenders – like the DoD’s Cybersecurity Maturity Model Certification – or for securing affordable IT insurance.

Forrester’s Zero Trust article famously said: “The old hierarchical network is a road built to nowhere, so when the road abruptly stopped, users just placed toxic data — credit card numbers, personally identifiable and other sensitive information — at the end of the road and walked away. This left information security professionals with the unenviable duty of cleaning up. We must redress the security implications of yesterday’s networks with a new design that accounts for changing threats and new compliance realities.”

This advice may help enterprises that have privacy officers, CISOs, and CIOs, but the situation has turned worse for customers of MSPs that have neither the know-how nor the bandwidth to “clean up” and “rebuild from the ground up around data and people and workloads and devices…”.

MSP Data Privacy tools (like Actifile’s multi-tenant data privacy and protection solution) are designed to help MSPs address these data privacy and security concerns, and can enhance the cybersecurity stack by helping center it around toxic data assets and processes:

  1. Discover multiple types of data (toxic and otherwise).
  2. Discover applications that make use of the data.
  3. Tag devices that store or process a lot of data and thus need extra protection (so-called “zero trust data”).
  4. Encrypt excessively risky data on endpoints (such as large collections of PII and ePHI).
  5. Provide compliance context, such as data sources and destinations that would need business associate agreements.
  6. Help address the new controls that are coming down the pipeline (like CMMC’s NIST 800-171 type controls).

The synergies should be clear: juxtaposing vulnerabilities against the data assets stored and the processes executed on a device or server helps create a clear value statement for prioritizing security spend. It helps the MSP show its customers not just the technical risk (which is always met with some skepticism by the customer) but also the consequences of the vulnerabilities being exploited (a risk the customer understands).
