Saturday, July 8, 2023

When Should You Offer Pro Bono Cyber Services? 4 Golden Tips


Just last weekend I wrote a blog about how the Biden Administration has done (and hopefully will continue to do) a better job of launching Cybersecurity efforts than past Administrations.  In a way, he is trying to forge new business relationships with the private sector, which of course will be a win-win for all involved.

Yet there is another key piece of the Cyber puzzle that still needs to be solved.   That is, relationships also have to be forged with the public sector.  Defining this can be a bit tricky; it just depends on what you define as the “Public Sector”.  In my view, these are the smaller governmental agencies that are found at the city and town levels.

Unfortunately, this grouping has long been ignored, because the profit margins are too low for Cyber companies to make money off of them.  While the primary goal of any business is to make a profit, there comes a time when one has to bite the bullet in order to serve the greater good.  In this case, these public based entities really don’t have the money or manpower to truly fortify their defenses.

Because of this, stronger relationships have to be created between the public and private sectors, so that these entities can have some degree of security baked into them.  Remember, the Cyberattacker is not just after the high-net-worth companies of the Fortune 500.

They are out to get PII datasets wherever they can.  And because those entities that are in the public sector barely have any defenses, they have now become a primary target.

So what can be done about this?  Here are four ways that this can possibly be accomplished:

1) The private sector Cyber companies have to adjust:

As I just mentioned, Cyber companies simply do not want to touch nonprofits and the minuscule governmental agencies because they believe that there is no money to be made off of them.  But this is a very shallow way of thinking.  True, you may not make a lot from the outset, but think about it:  This particular entity could very likely come back for more business, on a repeated basis.  That means in the medium to long term, you have a source of recurring revenue, which is what so many Cyber vendors are striving for these days.  Also, if they are happy with your work, they could refer you to other public sector entities that need Cyber help.  So in the end, you could have a book of business that is not only ultimately profitable, but one that will stay with you for the long term.

2) Educate them:

Because of the sheer lack of security defenses that they have, many public sector organizations truly have no clue what to even look for in a Phishing email.  This could be a great opportunity for a Cyber vendor to offer all sorts of training services, and to educate a plethora of individuals.  Once again, there may not be a lot of money to be made here, but just think once again of the long term:  As you educate more people in this sector, there are greater chances that word of mouth about your services will spread like wildfire, resulting in new business coming in from directions that you never even thought of before.

3) Start with the basics:

If you ever get an education engagement, or even get a contract from a public sector organization, remember to always keep things as basic as possible.  Quoting an old marketing proverb, “Reduce it to the Ridiculous”.  Meaning, there is no need to talk about Generative AI or the Zero Trust Framework.  Start first with a simple Vulnerability Scan, and from there, point out any gaps or weaknesses that have been found.  Then show the nonprofit (as an example) what steps are needed to correct them.  Most likely these will involve passwords that are very weak, or those that have been reused over and over again.  Have them start out by using a Password Manager, and show the benefits it brings: creating longer and more complex passwords, and resetting them on a prescribed timetable.  It will also be very important to conduct a basic Risk Assessment, just to get an idea of how vulnerable the digital assets could be.  When coming out with a new Cyber strategy, try to use whatever existing security tools they already have and reorganize them so that maximum protection can be offered.  Remember, try not to add too many tools unless they are really needed.  Most likely, the nonprofit will not be able to afford them, much less have the staff to filter through all of those log files.

4) Share information:

Just like how the Biden Administration is trying to foster a trusting relationship of information sharing between the Federal Government and the private sector, the same holds true for the Cyber Vendor and the nonprofit.  Obviously, you don’t want to give all of your trade secrets away, but simply sharing what you see on the Cyber Threat Landscape could be a great starting point as well.  This will probably be the very first step in creating a trusting relationship that will last for the long haul.

My Thought On This:

There comes a time when a Cyber Vendor sees new market opportunities and wants to seize them, but there is simply not as much money to be made off of them as you would like.  A great example of this is the SMB market.

For the longest time, this remained an untapped market, for the reason just described.  But now many Cyber Vendors are realizing the opportunities here, and have adjusted their pricing and business models accordingly.

The same will hold true in the public sector, with the smaller governmental agencies and the nonprofits leading the way.  But until this happens, and if you, the Cyber Vendor, want to tap into it before your competition does, you may have to offer your services “Pro Bono”, at least initially.
