As a Managed Service Provider (MSP), you have many things to focus on to be successful. You have to be a subject matter expert in your particular area to convince companies to outsource that function to you; customer service is always important; and response time and time to resolution are critical metrics that organizations evaluate when deciding whether to continue your service. Other functions are also very important in the MSP business, such as accurate billing, reporting, and good customer-facing staff.
With all of these competing for attention, cybersecurity often takes a back seat, whether for lack of time or resources or just plain old “it will never happen to us” thinking.
MSPs Are a Target
Unfortunately, it has been happening more and more to MSPs. Attackers want into your systems not just for your own information, but for the data they can reach in every customer environment you have access to. Think about it this way: if you were a thief, would you rather break into one bank, or into the company that holds the combinations to the vaults of all of the banks? Clearly, the latter can pay off far more than the former. Cybercrime has become an existential threat for MSP companies and, in some cases, a fatal one.
AMCA, the company that lost over 20 million records belonging to its clients Quest Diagnostics and LabCorp, had to declare bankruptcy once it was clear it could never survive the lawsuits coming out of the incident. And sometimes MSP customers bite the dust as well: after the MSP handling its backups was hacked and the attack erased almost all of its patient records, Brookside ENT and Hearing Services also had to close its doors. Good cybersecurity can be the difference between life and death for your business and your clients.
MSPs Benefit from Cybersecurity
In the age of expansive privacy laws and similar legislation, organizations are being held responsible for the security of their vendors, and so they are holding MSPs and other vendors to higher cybersecurity standards. For example, healthcare entities regulated under HIPAA and HITECH have to sign Business Associate Agreements (BAAs) with any vendor that handles their patients’ Protected Health Information (PHI), and these contracts usually stipulate a minimum level of cybersecurity that the vendor must maintain. GDPR, the EU privacy regulation, similarly defines Data Processors as entities that store, transmit or otherwise process personal data on behalf of a Data Controller; it imposes obligations directly on processors and requires a written contract between controller and processor that sets out the security measures the processor must apply.
Vendors that have extensive access to client systems, like MSPs, are now being asked for documentation of their security posture before contracts are signed. Expect customers to ask more detailed questions about security during the prospecting phase and throughout the customer lifecycle. Being slow or unable to respond with acceptable answers may cost you a sale or a renewal.
Finally, best-in-breed cybersecurity can become a selling point for forward-thinking MSPs. If all else is roughly equal in a sales comparison, being able to demonstrate that you take your clients’ security seriously could tip the balance in your favor. Given how important security is becoming for MSPs, good cybersecurity will eventually be table stakes for any deal, and being substandard in this area will be a huge negative with prospective clients.
Best Cybersecurity Practices
Best practices for MSP cybersecurity are similar to what most firms need, with a couple of key differences. Good internal cybersecurity means sound security policies and procedures (such as detailed onboarding and off-boarding processes for employees) backed by strong technical controls. As an MSP, you also need to protect the credentials your customers entrust to you for accessing their networks: each client should have its own unique credentials, so that one stolen password cannot open every client’s network, and every remote-access and remote-management tool should require multi-factor authentication. Privileged Access Management (PAM) tooling can keep these logins in a secure vault, release them only to authorized technicians, and give you and your customers an audit trail of how they were used. Standardized, secure access into those networks can be achieved with Vendor Privileged Access Management (VPAM), which gives you a way into client networks that is controlled and auditable as well as easy to use.
If you are an MSP, your customers count on you for a lot of things. One of them is to adequately protect the data and systems you access while performing your service. Putting all of the pieces listed above in place will give you a strong security posture that protects both your company and your clients.
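The credential-handling points above, as an added example that is not part of the original article and is not SecureLink's or any real PAM product's code: a toy Python broker with per-client vaulted credentials, authorized check-out, an audit log, off-boarding that rotates every credential the departing technician ever checked out, and a check for one secret reused across clients. The client names, usernames and the reused password are constructed for the demo.

```python
"""Toy privileged-credential broker sketching the PAM controls an MSP needs:
per-client vaulted credentials, authorized check-out, an append-only audit
trail, and off-boarding that rotates everything a departing technician touched.
Constructed example for illustration; not SecureLink's product or any real PAM API."""
from collections import defaultdict
from datetime import datetime, timezone
import secrets


class PrivilegedVault:
    def __init__(self):
        self._creds = {}                 # client -> {"username": ..., "secret": ...}
        self._grants = defaultdict(set)  # technician -> clients they may access
        self.audit = []                  # (utc time, technician, client, action)

    def add_client(self, client, username, secret=None):
        """Vault a client credential; generate a unique random secret if none is given."""
        self._creds[client] = {"username": username,
                               "secret": secret or secrets.token_urlsafe(24)}

    def grant(self, technician, client):
        if client not in self._creds:
            raise KeyError(f"unknown client {client}")
        self._grants[technician].add(client)

    def _log(self, technician, client, action):
        self.audit.append((datetime.now(timezone.utc).isoformat(), technician, client, action))

    def checkout(self, technician, client):
        """Release a credential only to an authorized technician; log the attempt either way."""
        if client not in self._grants.get(technician, set()):
            self._log(technician, client, "denied")
            raise PermissionError(f"{technician} is not authorized for {client}")
        self._log(technician, client, "checkout")
        return dict(self._creds[client])

    def rotate(self, client):
        """Replace the secret so the old value is never valid again."""
        self._creds[client]["secret"] = secrets.token_urlsafe(24)
        self._log("system", client, "rotate")

    def offboard(self, technician):
        """Revoke all grants and rotate every credential this person ever checked out,
        as recorded in the audit log (not just what they are currently granted)."""
        touched = sorted({c for _, t, c, a in self.audit
                          if t == technician and a == "checkout"})
        for client in touched:
            self.rotate(client)
        self._grants.pop(technician, None)
        self._log(technician, "*", "offboarded")
        return touched

    def shared_secrets(self):
        """Flag one secret reused across clients: a single theft opens several networks."""
        by_secret = defaultdict(list)
        for client, cred in self._creds.items():
            by_secret[cred["secret"]].append(client)
        return [sorted(clients) for clients in by_secret.values() if len(clients) > 1]


def demo():
    vault = PrivilegedVault()
    vault.add_client("acme-dental", "msp-admin")
    vault.add_client("brook-clinic", "msp-admin")
    # Constructed weak practice: the same password reused for two clients.
    vault.add_client("cityview-law", "msp-admin", secret="Summer2019!")
    vault.add_client("harbor-cpa", "msp-admin", secret="Summer2019!")
    vault.grant("alice", "acme-dental")
    before = vault.checkout("alice", "acme-dental")["secret"]
    try:
        vault.checkout("alice", "brook-clinic")   # not granted: must be refused and logged
        denied = False
    except PermissionError:
        denied = True
    rotated = vault.offboard("alice")
    after = vault._creds["acme-dental"]["secret"]
    return {"denied": denied, "rotated": rotated, "secret_changed": before != after,
            "shared": vault.shared_secrets(), "audit_entries": len(vault.audit)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The off-boarding step is driven by the audit log rather than by current grants, because the credentials a departing person actually saw are the ones that need rotating, whether or not they still had access on their last day.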
Author: Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of the (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP and GNSA certifications and a B.B.A. in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.