
4 Observations for SMBs and MSPs – Ep 341 

February 4, 2022

By Donna Grindle

More and more SMBs are turning to MSPs to help secure their networks, protect their assets from cyber attacks and meet compliance obligations. MSPs are looking to add new services to meet the SMB market demand. Today, we review a few of our observations for SMBs and MSPs from a recent report on the focus for small businesses in the next few years.


In this episode:

4 Observations for SMBs and MSPs – Ep 341

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

The Privacy and Security Boot Camp

3.5 day In Person Event

Sep 12, 13, 14 and 15

More details coming soon at prisecbootcamp.com

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Great idea! Share Help Me With HIPAA with one person this week!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Alert for Every Organization from CISA

[06:51] The Cybersecurity and Infrastructure Security Agency (CISA) recently published a “CISA Insights” bulletin listing steps organizations should take to reduce the likelihood and impact of a potentially damaging attack. Every organization, regardless of sector or size, should implement cybersecurity measures now to protect against critical threats.

Implement Cybersecurity Measures Now to Protect Against Potential Critical Threats

4 Observations for SMBs and MSPs

[08:30] A report of a study done by ConnectWise got our attention in a few places. It’s a report that surveyed small and medium-sized businesses and MSPs, asking questions like “What do you plan on doing in your business moving forward?”, “Where are your challenges?”, and “What are you planning to focus on for the next few years?”

This report was conducted by an MSP vendor, but it looked at SMBs (small and medium businesses) and MSPs that service the SMB market to determine what they are concentrating on for the next few years. It put that information together and made several interesting takeaways for MSPs.

Get your own copy here: The SMB Opportunity for MSPs: 2021-2026

The report covers a lot, but here are our 4 observations about SMBs and MSPs that we thought would be good to share.

1 – Everyone needs to deal with the same cybersecurity attacks.

When SMBs were asked what kind of attacks are they dealing with most, they said:

Malware downloaded from malicious emails or websites is the most common type of security incident that SMBs are experiencing.

Many SMBs are seeing a wide variety of other attacks, as well, including:

  • Unauthorized access and hacking incidents
  • Theft of customer data, including credit card information
  • Ransomware attacks
  • Theft of critical business data and electronic files by external parties and insiders
  • Attacks against industrial controls and equipment, including (IoT) devices

Sound familiar? These are the same as the top 5 threats facing healthcare in HICP.

  1. Email phishing attacks and social engineering
  2. Ransomware
  3. Loss or theft of devices
  4. Insiders
  5. Connected medical devices

It isn’t just healthcare anymore. We have said many times that HICP can be a guide for most any business; just change threat 5 from connected medical devices to IoT and OT/ICS. Remember, HICP isn’t a regulation. The things the 405d group is putting out can apply to most any business. The HICP guides do not cover HIPAA regulations. They cover recommendations for cybersecurity protections.

Here are links to the 405d website and podcasts we’ve recorded on HICP and the work of 405d.

405d website: HHS 405(d) Aligning Health Care Industry Security Approaches

HMWH podcast: 5 Threats and 10 Protection Practices – Ep 189

HMWH podcast: Talking HICP with Erik Decker Part 1- Ep 230

HMWH podcast: Erik Decker HICP Discussion Part 2 – Ep 231

HMWH podcast: Erik Decker HICP and Cybersecurity Outlooks – Ep 284

This report also pointed out that the threat landscape is worsening.

About 60% of businesses have experienced a financially damaging cyberattack in the past 12 months.

There are varying levels of severity in the financial damage being reported, but really what you’re trying to do is accept the fact that you will end up in that position one day and plan to minimize the damage. If you can’t guarantee you will mitigate the threat, at least minimize the damage.

2 – The future is now – well, hopefully it is finally happening

[18:56] We’ve been working with our clients implementing privacy and security for years. Almost every single one of them eventually says something to the effect of “I have no idea how people do this without your help.”

To address the issues we covered in item 1, SMBs are now looking at making investments in privacy and security. The report identified the 6 primary reasons SMBs are making investments in these programs, and they all involve a need to manage privacy and security formally.

    1. Safeguarding company data, communications and intellectual property: 43%
    2. Guaranteeing customers’ privacy and financial data: 39%
    3. Compliance with regulatory and legal requirements: 32%
    4. Growth of mobile users and connectivity to the corporate network: 29%
    5. Protecting physical assets and infrastructure (e.g., offices, warehouses): 28%
    6. Digitalization of company business processes: 28%

We see many businesses want to strictly focus on #3, compliance regulations. They don’t realize that if you focus on privacy and security, #1 and #2, then compliance will follow. By focusing on compliance, you don’t necessarily get privacy and security. There are other factors involved in protecting data that compliance isn’t looking at. Privacy and security should be the focus. Compliance is then the proof you are doing the bare minimum, particularly in the HIPAA world.

3 – There is a need to fully understand the need.

[29:47] There is an obvious need for people, both SMBs and MSPs, to get that they don’t know what they don’t know. Consider these 3 points from the report on this topic:

Cybersecurity confusion

Many SMBs need help navigating cybersecurity technology options. Over 40% report having difficulty understanding cybersecurity and knowing what solutions to implement and how.

Many times we see IT or MSP vendors create the cybersecurity confusion for businesses. MSPs need to do a better job of helping their clients understand the shift from “anti-virus software is all you need” to “anti-virus software alone doesn’t cut it anymore; you need multiple layers of protection from cyber threats.” SMB decision makers need to understand what they need, why they need it, and why the old way of securing their networks is not enough anymore. If they don’t understand or feel confused, typically they will shut down and not make any decision at all.

Compliance overload

Over 40% of SMBs said they don’t understand how to navigate compliance regulations related to IT, which change frequently.

Actual regulation (rules enforced by an authority) does not change frequently; even if it wanted to, it couldn’t. What happens is that the things around the regulation are changing. For instance, the five threats from HICP aren’t changing, but how they’re being used to attack us is changing.

This also goes back to cybersecurity confusion. MSPs could have different views on how to create a privacy and security program and meet a client’s compliance obligations. One MSP’s approach might be to focus on meeting the compliance obligations the client has. Another MSP might focus on helping the client build a solid privacy and security program for the business, thereby meeting the compliance obligations. It’s not that the regulations are frequently changing. It’s that the threats, the solutions needed to mitigate those threats, and the scenarios the regulations apply to are evolving. And sometimes these kinds of things change very quickly.

[40:59] SMBs need dedicated help to manage compliance.

About 20-25% of SMBs surveyed said they’ve assigned compliance work to an external IT services provider to relieve business management of this responsibility. As more SMBs follow suit, it will be vital for MSPs to master vertical-specific compliance issues so that they can liaise effectively with their customers’ senior staff on these matters.

This one scared us. First of all, compliance is not an IT issue. It’s a business management issue. IT can help the business meet some of its compliance requirements, but it cannot be pushed off on IT. MSPs think they are going to master the compliance issue, but again it’s not an IT problem. It’s a big vicious circle and definitely a challenge for SMBs.

There is a need to fully understand the need, from both sides. SMBs are confused and many times are getting mixed messages that they don’t understand from the beginning. MSPs, who are also small businesses, don’t understand the need because many times they aren’t doing their own compliance work. If they were running their own compliance program, they would understand it’s not just an IT problem.

4 – Evaluate where you are and make a plan for where you need to go

[51:43] Both SMBs and MSPs must begin to make certain there is a budget and plan for cybersecurity, technology and managing privacy and security requirements for the business’s sake AND compliance.

We call those SRAs, Assessments, and Risk Management Plans, by the way. These are included in the HIPAA requirements. They are included, in general terms, in the HICP and NIST recommendations. If you want to be successful, everything you do has to start with assessing before you can create a plan. Don’t forget to document, document, document: your plans, the steps you took, the policies in place, what has been accomplished, etc. You never know when you might need to prove what was in place or what was done 5 or 6 years ago. Documentation is how you prove what happened and what steps were taken.

Whether you are working with a small in-house group or with a third-party vendor, everyone involved should fully understand the privacy and security needs of the organization, prepare to meet those needs, and handle them properly. Don’t assume everyone understands and is on the same page. If you focus on proper privacy and security, compliance falls into place. Compliance is there to prove your privacy and security program. It’s not just a bunch of paperwork.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
