In today’s fast-paced digital world, cybersecurity is no longer just a compliance checkbox; it has become a cornerstone of business strategy. With regulatory pressures mounting and the latest updates to the NIST Cybersecurity Framework, organizations are realizing the importance of building resilient, proactive security postures. To delve deeper into this critical topic, Tech Achieve Media spoke with Stephen Nichols, Director of Solution Engineering – NAM at Acronis, to uncover how businesses can effectively navigate this evolving landscape.
Addressing the growing emphasis on a security-first culture, Stephen explained that security has to be ingrained in the DNA of organizations and that compliance alone doesn’t equate to security. Cybersecurity must be prioritized as a core business strategy, especially as regulatory requirements and cyber insurance demands push companies to move beyond just meeting the minimum standards.
Stephen emphasized that while frameworks like NIST provide a solid foundation, organizations must adopt a proactive approach to secure their operations. During the conversation, Stephen also shed light on the evolving role of cybersecurity in shaping not just protection but also resilience. He shared practical insights into how companies can align technology and culture to address current challenges and prepare for future risks.
TAM: With the recent updates to the NIST Cybersecurity Framework, there’s a renewed emphasis on building a security-first culture. How can MSPs and organizations lay the groundwork for such a culture, and what are the practical steps to ensure it becomes an ingrained part of their operations?
Stephen Nichols: I believe this is particularly important for MSPs because we’ve seen a cultural shift within the MSP community toward prioritizing security. However, the challenge now is figuring out how to get end users to adopt the same security-first mindset. This is something many MSPs are grappling with, but there are a few strategies that can be effective.
First, it’s essential to ensure that every conversation an MSP has with their end customers includes an element of security. Utilizing a framework like the NIST Cybersecurity Framework can be incredibly valuable. This approach allows the conversation to focus not on selling a solution or software but on evaluating the customer’s overall security posture. With this framework, you can assess their current position, identify gaps, and develop a strategy for incremental improvements.
Another practical solution, which is becoming increasingly required by insurers, is security awareness training. When this training includes engaging and compelling content, it can significantly help instill a security-first mindset among end users. Often, the IT department within the customer’s organization starts to adopt security thinking, but spreading that awareness throughout the organization can make a huge difference. Lastly, conducting regular security assessments with customers is crucial. Security shouldn’t be a one-time conversation—it should be an ongoing dialogue, revisited quarterly or even monthly.
TAM: As organizations work toward this security-first approach, the need for integrated solutions becomes even more pressing. How important is it to have interoperable tools within a cybersecurity strategy, and what advantages does this bring in creating a defense against today’s complex threats?
Stephen Nichols: This comes down to a couple of key factors. First, it’s about minimizing the number of screens technicians need to monitor to understand where threats are coming from and how to respond effectively. Integrated tools are crucial in this regard because they reduce the need to switch between multiple screens. Additionally, integration ensures that tools work seamlessly together instead of conflicting. When properly configured, these tools not only reduce false positives but also consolidate alerts, eliminating redundancies across different platforms.
Another critical benefit is having timely and accurate information during investigations, which is especially important when dealing with complex threats. Properly configured tools can complement and support each other, enhancing their overall effectiveness rather than working at cross-purposes.
TAM: Alongside integrated solutions, we see a strong push from regulatory bodies and cyber insurance providers for enhanced security standards. How can companies go beyond simply meeting these compliance requirements to build a proactive, resilient cybersecurity posture that adapts to evolving risks?
Stephen Nichols: I’ve always maintained that simply meeting the minimum requirements—whether for compliance or cyber insurance—is just doing the bare minimum. To draw an analogy, think of car safety regulations. They’re like seatbelts and airbags: essential, but far from comprehensive when it comes to ensuring overall safety.
True security goes beyond just seatbelts and airbags. It’s about adopting a proactive posture rather than merely checking boxes. This is where frameworks come into play. Personally, I’m a big fan of the NIST Cybersecurity Framework, though others, like the CIS Controls, are equally valuable. Frameworks provide a clear structure, helping you assess your current position and identify areas for improvement.
What’s great about using a framework is that it doesn’t demand perfection across the board. Instead, it offers visibility—helping you understand where you are today and the steps you can take to improve. For MSPs, frameworks also shift the tone of conversations with clients.
It’s no longer about, “I’m trying to sell you this software” or “You need to pay for this service.” Instead, it becomes a collaborative discussion about improving the client’s overall security posture. Together, you can map out where they stand now and set measurable goals for becoming more secure in six months or a year.
TAM: Given the shift from perimeter security to endpoint and identity management, particularly in the era of remote work, how can organizations effectively protect user identities?
Stephen Nichols: I was asked recently, maybe a few weeks ago, about what I thought the most interesting risks in 2025 would be. One area that immediately comes to mind is identity. As a community, we’re still trying to nail down best practices in this space.
We’ve come a long way. Initially, security relied on a fortress-like structure—a strong perimeter to keep intruders out. But with the rise of remote work and the “work from anywhere” model, the focus shifted to securing endpoints. Using tools like EDR and implementing robust policies, securing the endpoint has become more manageable. However, identity protection remains an area where we’re still evolving.
We know most attacks begin with email, particularly phishing. These attacks often rely on social engineering, and they don’t always involve malicious payloads or external links. Instead, they exploit trust, tricking individuals into actions like sharing sensitive information.
There are several steps MSPs and end customers can take to address this. First, it’s about adopting a security-first mindset, as we’ve discussed. Balancing security with business operations is key, but a healthy dose of skepticism is necessary. For example, if you receive an unusual or urgent request to transfer money, verify it through a channel outside of email—like picking up the phone and calling the sender.
From an identity protection perspective, here are three critical steps MSPs can take:
- Email Security: Email is one of the most vulnerable entry points, and phishing remains a primary method of attack. Implementing strong email security solutions is essential.
- Security Awareness Training: Educating end users helps foster a security-first mindset, enabling them to recognize and respond to threats more effectively.
- Zero Trust Policies: Ensure systems like Active Directory are locked down. Adopt zero trust principles by limiting access to only what’s necessary for each user’s role and implementing robust policies to secure permissions and access points.
It’s important to note that while Microsoft 365 is a fantastic platform, it’s not inherently secure out of the box. Organizations need to either manually configure and harden settings or leverage third-party solutions to enhance security.
Finally, visibility is crucial. Implementing tools like EDR—and now XDR for identity—can help detect unusual behavior and anomalies. This includes monitoring identity changes, mailbox settings, and other behaviors that might indicate a threat. By combining these measures, we can significantly improve identity protection and reduce the risk of attacks.
TAM: With the prevalence of phishing attacks and the sophisticated use of AI by threat actors, what strategies can help companies safeguard their most vulnerable entry points?
Stephen Nichols: There’s no question that threat actors have mastered the use of AI. Think back to the early days of spam emails—like the infamous “Nigerian Prince” scams. Back then, those emails were often obvious, with poor grammar and glaring red flags. Most of us today would easily recognize them as illegitimate. But the game has changed. Now, attackers can replicate login pages for platforms like Microsoft with astonishing accuracy. Their emails are grammatically correct, well-punctuated, and professional-looking, making them almost indistinguishable from legitimate ones. This makes it incredibly difficult for the human eye to detect fraud at a glance.
If I gave you two emails—one real and one fake—you might spot the difference. But when your inbox is flooded, and you’re processing emails quickly as part of your daily routine, it’s much easier for something malicious to slip through unnoticed.
That’s why using AI and automation in email security is no longer optional for MSPs. A robust email security solution—like the one from Acronis—leverages AI to detect these sophisticated threats. The reality is, the only way to combat AI-driven attacks is with AI-powered defenses. These solutions can identify nuances that human eyes might miss. For instance, an uppercase “I” and a lowercase “L” look nearly identical in a URL, which could trick a person but not an AI system. AI detects such subtle differences by analyzing underlying ASCII codes, ensuring no detail is overlooked.
Beyond technology, skepticism plays a critical role. If something feels off, trust your instincts. Verify the legitimacy of an email by contacting the sender through a separate channel—whether it’s a phone call, a message on Teams, or another method. Always confirm before acting on requests for sensitive information, money transfers, or unusual actions.
Equally important is comprehensive device protection. Every device in your organization must be secured with EDR (Endpoint Detection and Response). Threat actors are skilled at exploiting even the smallest vulnerabilities, so leaving just one device unprotected can jeopardize the entire network.
To address this, solutions like Device Sense have been introduced. Device Sense enables organizations to detect all devices within a network, providing visibility into which devices are unprotected. This proactive approach ensures you can secure your network just as effectively as threat actors aim to exploit it. By combining advanced AI-driven tools, a healthy dose of skepticism, and comprehensive device protection, organizations can stay one step ahead of modern cyber threats.
TAM: Finally, when it comes to ransomware and data protection, how does backup fit into this security narrative? What role does an integrated backup and security approach play in ensuring data resilience and recovery, particularly in high-stakes incidents where swift response is crucial?
Stephen Nichols: I’ve heard many people say, “Backup is dead; long live backup.” The truth is, while backup alone isn’t a comprehensive strategy against ransomware, it remains a crucial pillar within that strategy. Referring back to the NIST Cybersecurity Framework, recovery is one of the core pillars, and for good reason. Even if you pay the ransom after a ransomware attack, recovery isn’t guaranteed. Threat actors often engage in double encryption, where they encrypt your data once, then apply another encryption layer on top. On average, this process results in about 10% of your data becoming corrupted. This makes having reliable backups essential.
Another critical consideration, closely tied to backup, is your business continuity and disaster recovery strategy. Many businesses overlook this until they experience an incident. For instance, when law enforcement or insurance companies get involved, they may seize or freeze some assets for investigation. One of the most significant risks following an attack is reputational damage. If your business is offline for an extended period, it becomes incredibly difficult to sustain operations and retain customer trust. That’s why having full system backups and the ability to restore quickly—whether from the cloud or a local site—is vital. Without solid backups, business continuity simply isn’t possible.
Our integrated solutions address these challenges head-on. We began with data protection and later added security features, ensuring all components work seamlessly together. For example, during an EDR (Endpoint Detection and Response) incident, you can not only roll back malicious changes but also fail over to the cloud or perform a full device recovery.
When we talk about security, it’s ultimately about protecting data—the most valuable asset. Whether it’s personally identifiable information (PII) or trade secrets, the goal is twofold: to deny access to unauthorized individuals and to ensure availability for those who need it. Security and data protection must work hand-in-hand to achieve this.
Interestingly, some attacks actively try to protect themselves. Malicious code running on a live system can hide or avoid detection. However, when you back up the system and scan it in a rest state, you have a better chance of detecting those threats.
This highlights the importance of integration—bringing together all the components of the NIST Cybersecurity Framework. By covering all its pillars, you create a robust security posture that protects both data and endpoints effectively.