Security questionnaires: How to prepare your SMB clients

SMBs working with regulated clients may need to complete detailed security assessment questionnaires. Managed service providers can help with data security tools and capabilities.

High-stakes testing isn't just for school kids. SMBs looking to ink deals with enterprises in industries governed by increasingly strict regulatory compliance laws are (also increasingly) handed detailed security questionnaires from those businesses to determine a vendor's data security practices and capabilities.

From a compliance standpoint, the questioning helps enterprises across financial services, healthcare and other sectors fulfill their regulatory obligations for ensuring that all vendors, contractors and other providers throughout their supply chains are themselves compliant with current laws -- and that everyone involved will be trustworthy custodians of their data.

For SMBs within the ecosystems of larger enterprises, effective and wholly up-to-date data security is now a requisite of conducting business. SMBs that don't feature security in line with what enterprise questionnaires are specifically looking for will find it more and more difficult -- if not already impossible -- to win new business. At the same time, legacy providers grandfathered into these business relationships will need to meet these same requirements in order for their services to be retained. And, considering the reality that many SMBs are dependent on a few or even a single large-size client for the lion's share of their revenue, the prospect of receiving a security assessment questionnaire from a key client that an SMB is unprepared to answer should be a frightening one.

Given this need, managed service providers (MSPs) supporting these SMBs have a growing opportunity in providing the data security tools and capabilities required to earn and retain their biggest clients. Delivering a security program designed to acutely address industry-specific compliance needs -- and offer the questionnaire responses enterprises need to see -- really calls for solutions covering device security, employee training, and data storage concerns.

Chart showing prevalent attack vectors
MSPs can help SMBs with cybersecurity training to educate employees on phishing scams and other prominent attack vectors.

Data security tools prep clients for security questionnaires

More specifically, security questionnaires now ask for detailed descriptions of the controls in place to protect data on employee-used devices, and to restrict data access as necessary. Data encryption capabilities are essential for demonstrating that an SMB is a good custodian of its client's data. However, with employees accessing sensitive data on portable laptops, phones and tablets, in addition to desktops, SMBs must also demonstrate nuanced access controls for securing data on these devices -- even when they are lost or stolen. For our own example on this, we use Beachhead Solutions' SimplySecure MSP Platform for providing SMBs with encryption, data access controls, and remote data quarantine and elimination tools (which remove access or sensitive data itself when devices are compromised).

But even with effective encryption and access controls in place, the behavior of a company's employees remains the largest single determining factor in whether data remains secure. For this reason, security questionnaires will inquire as to the training employees receive for following data security best practices. Even the most well-meaning employees can fall victim to schemes designed to thwart security safeguards and unwittingly compromise data. Employees must be trained in proper data handling, as well as in how to recognize and avoid malware, malicious websites, phishing emails, phone scams and other threats that too often succeed in fooling untrained personnel.

Security questionnaires now ask for detailed descriptions of the controls in place to protect data on employee-used devices, and to restrict data access as necessary.

To accomplish this, MSPs should provide employee cyber training solutions. With such a solution in place, employees receive the training they need, and must pass a test to become certified as responsible caretakers of sensitive data. Employers can easily track which employees have completed training, and schedule periodic follow-ups to add and reinforce good practices. They can also guarantee that employees have read, understood and agreed to comply with policies covering BYOD devices, access controls and sanctions (and terminations in cases where employees are grossly negligent or even try to steal data).

For this purpose, our own MSP uses Breach Secure Now!, a platform for security risk assessment along with employee cybersecurity training. The assessment maps closely to what is asked in enterprise questionnaires and provides specific insights for strengthening security where necessary. The first step to mitigating security vulnerabilities is to recognize what they are, and given the high stakes for SMBs, it's critical to have this chance to address security needs before an enterprise client's questionnaire arrives. The platform both identifies gaps and makes recommendations -- for example, if the security risk assessment were to determine that mobile devices aren't encrypted, the subsequent work plan would recommend a path to resolving that need.

Email, message archiving

Enterprise client questionnaires also want to know that SMBs demonstrate secure data storage and data loss prevention measures, especially in higher-risk areas such as email, social media, FTP access, etc. While a security risk assessment can help to identity these areas, MSPs should be ready to provide the specific tooling that's often required to fully secure data in those high-risk environments. For an example, we use Global Relay to archive SMBs' emails and messages for compliance purposes, which is especially valuable for clients governed by FINRA in the financial services industry, as well as those in other industries with similar regulations.

By coming to market with the suite of capabilities that SMBs need in order to prepare for data security questionnaires and earn (and retain) revenue from larger enterprises, MSPs can develop and expand their own business prospects as the trusted and effective partner these companies require.

Guy Baroan is founder and president of Baroan Technologies, a managed IT service provider, providing IT consulting and tech support for SMBs.

Dig Deeper on Regulatory compliance for MSPs

Cloud Computing
Data Management
Business Analytics