Onboarding a new client must be done thoughtfully, with security built into every step of the way.
The challenge
You have probably heard the adage that “before they hire you, the only thing a prospective client knows about you is your marketing”. But once a client signs, the first thing they will experience is your onboarding. Onboarding is your only chance to make a great first impression, and there are books and even entire consultancies focused on this process.
You may believe you have the onboarding process nailed down, but I certainly did not. To improve things, I have broken it down into three phases: discovery and enumeration, ingestion and integration, and the welcome mat, which is where we explain the mechanics of how to work with us. Security is not listed as a phase of its own, because it must be woven into each one of these steps.
Discovery and enumeration
This begins during your first phone call, email, or social media exchange, and continues well past the formal onboarding process. During our initial call or video meeting, I stress just how critical security is to every step of our process, and how important it is to any business that every provider they engage with behaves this way.
During the call, I let them know I will follow up with an email summarizing our discussion. I tell them which email address it will come from and what the subject line will be, so they know which message to expect and can treat anything else that claims to be from us, or that arrives with a different sender or subject, as suspect. The announced sender and subject tell the client what to look for; they do not by themselves prove a message is genuine, since display names and From addresses are easy to forge, so any attachment still goes through the same scrutiny as any other. I spend time probing for information about perceived issues, IT support history (if any), and plans for the business and its growth.
This lays the groundwork for me to talk about the mindset of Operational Security (OpSec) that they need to develop, and how to make the leap to a modern, stable, and secure operation. I then provide a brief, bulleted report outlining the major issues we identified, ranked by severity.
It is only after discussing all the above, on the second visit and with the prospect's written authorization to scan their network, that we run any software tools, such as network enumeration or threat hunting utilities, to gather more information. We skip this step for very small networks or when we are doing a “forklift operation” (replacing everything), but skipping it carries more risk, because what we have not enumerated we cannot plan for.
Ingestion and integration
This is the technical part of the effort, and it begins only after the dust has settled and the paperwork has been signed. How it plays out is determined by the nature of the client's relationship with their existing provider, assuming there is one. In the best case we get everything we need in terms of information and access; the worst case, an uncooperative outgoing provider who holds the credentials and documentation, can be very challenging.
This is when you begin to address the weaknesses you identified through your “visual survey” or the findings of your tools. With every such finding, be sure to state the risk you are mitigating in business terms. Few small businesses care about firewalls, MDR, SOC services, and the like, but they all care about the safety of their business, protecting their reputation, and retiring someday.
It is important to communicate well throughout this process, as part of your effort to change how they perceive risk. You might wonder why, since they have already agreed to pay for all of this. The simple answer is that for many of the things we do to secure our sites, the biggest “cost” is not monetary but perceived inconvenience, and a control that users find inconvenient is one they will work around. Teaching them to value IT security starts here.
The welcome mat
This is where we, and many others, come up short. Ask yourself whether you have a complete, documented, effective process for introducing new sites to your way of doing business. Do they know how to open tickets, and who is allowed to open them? Do they know your normal and “premium” hours, or how to reach you for after-hours support?
Do they all know your staff, and do they know how to verify that an email or phone call claiming to come from your staff is legitimate? What happens when the client's own staff turns over? Do you have a process for updating your documentation to manage that? Do you inform them of your staffing changes, so that a call from a name they do not recognize is treated as the red flag it should be? This is all part of creating a secure onboarding process.
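The two verification points above, the announced follow-up email after the first call and the standing question of whether a message really comes from your staff, come down to the same check, and it is one the client's mail filter can apply rather than a person. The following is an added example, not code from this article or from any particular MSP's tooling: it parses a raw message and accepts it only if the sender address and subject match what was announced and the receiving server's own Authentication-Results header shows SPF and DKIM passing for the provider's domain. The provider identity, the expected subject and both sample messages are constructed for illustration.

```python
"""Verify that a message claiming to come from a known provider is the one
that was announced: expected sender, expected subject, and SPF/DKIM results
as recorded by the receiving mail server (not as claimed by the sender)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical provider identity the client was told to expect on the call.
EXPECTED_FROM = "onboarding@example-msp.test"
EXPECTED_SUBJECT = "Onboarding summary: initial call"


def check_announced_mail(raw: bytes) -> dict:
    """Return {'ok': bool, 'reasons': [...]} for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    # Display names are decoration; only the address part is compared.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() != EXPECTED_FROM:
        reasons.append(f"unexpected sender {addr!r}")

    if (msg.get("Subject") or "").strip() != EXPECTED_SUBJECT:
        reasons.append("subject does not match the announced subject")

    # Authentication-Results is written by the receiving server, so it records
    # what SPF and DKIM actually verified rather than what the sender asserts.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    if not re.search(r"\bspf=pass\b", auth):
        reasons.append("SPF did not pass")
    dkim = re.search(r"\bdkim=pass\b.*?header\.d=([\w.-]+)", auth)
    domain = EXPECTED_FROM.rsplit("@", 1)[1]
    if not dkim:
        reasons.append("DKIM did not pass")
    elif dkim.group(1).lower() != domain:
        reasons.append(f"DKIM signed by {dkim.group(1)!r}, not {domain!r}")

    return {"ok": not reasons, "reasons": reasons}


# Constructed sample messages (not real mail). The spoofed one copies the
# announced From address and subject exactly; only the server's
# authentication results give it away.
LEGIT = b"""\
Authentication-Results: mx.client.test; spf=pass smtp.mailfrom=example-msp.test; dkim=pass header.d=example-msp.test header.s=sel1
From: Onboarding <onboarding@example-msp.test>
To: owner@client.test
Subject: Onboarding summary: initial call
Content-Type: text/plain

Summary of today's call attached.
"""

SPOOFED = b"""\
Authentication-Results: mx.client.test; spf=fail smtp.mailfrom=attacker.test; dkim=none
From: Onboarding <onboarding@example-msp.test>
To: owner@client.test
Subject: Onboarding summary: initial call
Content-Type: text/plain

Please open the attached invoice.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, check_announced_mail(raw))
```

The check is only as good as the header it trusts: an inbound gateway must strip any Authentication-Results header that arrives from outside carrying its own authserv-id, otherwise an attacker can simply include a passing result in the message. The sender and subject match is what the client was told on the call; the SPF/DKIM result is what makes that match worth anything.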
Final analysis
Onboarding is a broad and deep process that nobody can do justice to in a brief piece such as this. But approaching each phase with a security-first attitude will help set the proper tone. It may also help you avoid serious issues that would otherwise hurt the relationship from the outset. Ultimately, it will enable you to do a better job of fully securing your new client as well. Setting expectations, communicating openly, and instilling a mindset of OpSec from the outset is our brand.
Is it yours too?