MSPs have a role in ensuring clients’ cybersecurity.
The stakes of not getting cybersecurity right are higher than ever in the world of business — and that’s especially true for managed service providers (MSPs). For proof, look at such recent developments as the release of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, recent CISA advice, the National Cyber Strategy, the changing face of cybersecurity insurance, and the evolving legal stipulations affecting the cybersecurity landscape.
The landscape has shifted to one where a data breach can prove disastrous for your business. Not only does it open you to potentially crippling legal ramifications, but it also will assuredly drive away customers who want to ensure they are protected. While this presents new opportunities for savvy MSPs, the unique responsibilities of protecting confidential information and network security have made cybersecurity an essential foundation of your daily operations — and not just as a client service offering.
To reduce your risk, you need to address these five critical tasks:
1. Create a solid security stack
Smart stacks are one of the most powerful risk mitigation weapons in your arsenal. The right stack enables monitoring, inventory tracking, compliance management, and keeping crucial data secure while delivering insights that can proactively address potential issues before they become even more problematic. In a world of ever-increasing cyberattacks, a multi-layered security stack will provide the best defense against even the most sophisticated of attacks.
Your security stack should include:
- Identity protection policies and solutions
- Endpoint security
- Additional email security
- Network and web security
- Offsite backups
An incident response plan is a cybersecurity best practice for MSPs. There are several basics we have identified that need to be in place but that, in some cases, are being overlooked. The most common security tools that IT providers are investing in include data security, cloud security, and infrastructure protection. Identity and access management is the least common investment, but it is an exceedingly important one.
Don’t ignore multifactor authentication
Multifactor authentication (MFA) means requiring more than one factor to authenticate a user, such as a password, a biometric (e.g., a fingerprint), or a second device, and it is undoubtedly a cybersecurity best practice. While almost all MSPs offer at least two-factor authentication (2FA) to their customers (using two of the factors listed above), only 40% use it themselves. And despite it being offered, only a third of customers are currently using 2FA. However, MSPs report that they have plans to migrate 95% of customers to 2FA in the next five years, with most planning to do so in the next two.
Implementing MFA or 2FA cannot be done piecemeal; the effort needs to be holistically focused on all systems. However, there are a couple of challenges in doing so: IT providers may encounter pushback from executives who perceive this extra layer of security as adding time to completing activities. Another hurdle is that some software vendors may not support MFA or 2FA, as these are typically enterprise features.
The best way to implement MFA is to begin with a baseline that everyone needs to adhere to; start at the lowest level (like Office 365) and be diligent about enforcement. Eventually, as employees acclimatize, MFA can be ramped up to a more ideal level.
2. Gain competitive advantage through education
MSPs have long been viewed as potential attack vectors. You’re a convenient entry point into the supply chain, which allows cybercriminals to compromise your systems and your customers’, accessing twice as many records with the same level of effort. A recent N-able report found that over the previous 18 months, almost all MSPs surveyed had experienced a successful attack. One-third had been successfully breached over the preceding quarter. One reason MSPs continue to be seen as an easy attack vector is that far too many attacks are successful.
If you’re not among the many who have been successfully breached, the opportunity exists for you to promote your security expertise as part of your value-add. Customers are increasingly aware of the need for a secure provider.
The best line of defense against this increasingly savvy brand of criminal is robust cybersecurity education. For an IT provider, that goes well beyond the basics of awareness training – it means broadening your knowledge on more advanced topics, such as applying CIS controls and developing security policies. You can also expand your capabilities with hands-on learning through professional services.
3. Outsource where needed
Outsourcing IT makes financial and operational sense for your customers – and it may make sense for you, too. It’s a steep expense to hire the breadth and depth of expertise you need in-house to cover all your solutions, support, and operations. One option is to bring in external services to fill in where you have gaps.
Add expertise for your customers
A team of experts can fill in any operational gaps you have, allowing you to operate with less overhead while providing exceptional and robust service to your customers. It’s a win-win for you and your customers — and a big loss for cybercriminals.
Partnering with a customer-obsessed team like Pax8 for cybersecurity gives you the bandwidth and empowerment to propel your business forward – offloading one major roadblock that almost every MSP is facing or will face.
If security is your core focus, you can offload other services so that your customers can get a more comprehensive solution from you while you stay focused on the ever-changing world of cybersecurity. You can outsource:
- Cloud architecture, such as Azure deployments
- Service enablement, like hands-on technical training labs
- Backup support
- Migrations
- Custom projects, ranging from IaaS (Infrastructure as a Service) deployments and migrations to data center services to networking support
- Help desk
A word about your backups
While backups are generally provided to most customers, only about 40% of businesses are backing up workstations every 48 hours or less.
In this fast-moving digital age, data is the lifeblood of any organization. To lose your clients’ data — even 48 hours’ worth of it — could prove costly to you and your customers in terms of negative publicity and reputation damage, as well as lost income from customers who were not affected but come to believe (potentially accurately) that they can’t entrust their data to you.
4. Standardize processes now
In response to the sheer volume and catastrophic damage increasingly inflicted by cyberattacks, the US federal government released the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) late last year. This is big news for MSPs, as it forever changes how they report and manage cybersecurity. You have until 2025 to get your cybersecurity incident response programs and protocols in order.
How can you ensure compliance?
The answer can be summarized in two words: standardization and automation.
With attacks increasing in both volume and sophistication, managing defenses manually is impossible. Greater automation is essential to keeping customers’ businesses secure; options include:
- Automated patching. 80% of MSPs are applying patches automatically.
- Web filtering. 90% of MSPs provide automated web filtering.
- Automated redeployment security tests and configuration checks. Fewer than 25% of MSPs use these tools.
Ensuring compliance with CIRCIA is going to force IT services providers to “protect their house.” As with home protection, this goes beyond merely locking the door and wiggling the handle. Standardized and repeatable processes will be required, including prescriptive checks and balances and documented proof of action.
5. Maximize your online protection
MSPs can sometimes be guilty of not practicing what they preach, and this applies to security protection. You instill the importance of cybersecurity in your clientele, configure their solutions to provide security, and ensure the right policies and processes are in place to provide the most robust protection available. However, much like the doctor who neglects their own health, your own business often doesn’t have the same level of protection.
Are your clients really secure?
You can have the best cybersecurity solutions and protocols in place for your clients, but if you are the victim of a cyberattack, your clients will experience the effects of that in some manner, regardless of what protections you’ve implemented for them.
You must treat yourself as your own largest client, first and foremost. Keep your own business protected. This includes:
- An investment in cybersecurity insurance
- Adoption of MFA
- Use of password storage best practices
- Regular and in-depth training of team members
Risk mitigation is critical
We’re often told that business equals risk. That’s not quite right: businesses have accepted risk. Failing to reduce that risk could result in financial losses or reputational damage, so risk mitigation is a critical part of defending an organization’s assets and ensuring long-term business success. Mitigation planning doesn’t just help identify existing problems; it unearths future threats. By proactively anticipating issues, you can prevent them before they occur. With the right risk mitigation strategies in place, you secure more than your network — you secure your future.