MSPs and security: Put on your own oxygen mask first
Customers put a lot of trust in managed service providers (MSPs). In giving MSPs privileged access to part or all of their data, systems and networks, customers trust – and expect – that MSPs will use their data responsibly and ethically, and do everything possible to protect their own environment.
But, as usual, cyber criminals are a step ahead and are increasingly exploiting this trust relationship through vulnerabilities in the security chain. Crooks know that if they can breach an MSP’s network and steal privileged credentials, they can creep unnoticed into every customer’s network. Imagine the collateral damage if those customers specialised in critical vertical industries, like healthcare, energy, communication or government.
Keys to the kingdom
The global managed services market is expected to grow from $180.5 billion in 2018 to $282.0 billion by 2023, as more businesses lean on specialised cloud services to drive productivity, reduce costs and scale with ease.
To realise these benefits, businesses must hand over a certain level of control, access and information to an MSP or other outsourced IT provider. This has not gone unnoticed by cyber criminals: if they can get to the assets of potentially thousands of sector-specific companies with just one hack, you can bet they’ll keep trying.
Gregg Lalle, senior VP of international sales and strategy at ConnectWise, says MSPs need a strategy to protect not only their own infrastructure and environments, but also their trust relationships with customers.
Protect your house
“During a flight safety demonstration, passengers are told to put on their own oxygen masks before helping anyone else. Managed services is the same. MSPs must protect their own houses before they can have the security conversation with their customers,” says Lalle.
He says more MSPs are using the US National Institute of Standards and Technology’s (NIST’s) best-practice Cybersecurity Framework to help identify their security gaps. The framework focuses on the ability to identify, protect, detect, respond to and recover from various types of attacks.
“There are also free scans available that analyse networks, focusing on the five core tenets of the NIST Framework,” says Lalle. “A scan will give a quick sense of strengths and weaknesses, and provide advice on improvements to top risk areas.”
Having been through this security exercise themselves and having locked down their own data and systems, MSPs can then have meaningful, healthy and impactful security conversations with their customers, to help get them into better shape.
The security conversation
Often, the security conversation between customer and MSP is based on fear. But this is an ineffective way to add value and build trust, says Lalle.
Rather than taking a fear-based approach to the security conversation, he says MSPs should take a holistic approach, incorporating people, process and technology.
“Too many MSPs have built their businesses on technology fear. They run scans, create noise and try to scare businesses into action. Yes, factual data is relevant. But security needs a broader approach because technology is just one element. Many attacks are caused by human error, or people, and the lack of a contingency plan or process.
“When they understand a customer’s entire risk landscape, MSPs will know where the gaps are and how to fill them. They can then propose a 12-, 24-, or 36-month plan that not only mirrors the customer’s risk tolerance, but also earns MSPs a ‘seat at the table’ through value add and education – not fear.”
Lalle says MSPs should treat a customer’s network as their own, starting with a NIST Cybersecurity Framework-based scan to proactively identify security risks across the entire business, not just on the network. Next, they should present the most critical risks, priorities and recommendations in an easy-to-understand report that serves as an action plan.
The idea is that if a customer refuses to implement an MSP’s recommendations, they should sign an attestation letter confirming they understand and accept the risk, and release the MSP from any liability.
“MSPs need to have the security talk about who owns risk upfront. It’s a healthy conversation that provides an opportunity for the MSP to educate their customer on what a healthy cyber security framework looks like, which not only builds trust, but could lead to upsell and cross-sell opportunities.”
“MSPs are responsible for protecting their customers’ data and IT assets. But a single compromise in the service provider’s network can introduce significant risk to customers. It’s crucial that MSPs manage the risks that they present to customers’ networks by protecting their own houses first,” says Lalle.