When an MSP becomes an MVP
Security has always been a major issue for MSPs and all the signs are that it will become a more pressing concern as cyber criminals start to target the smaller organisations that make up such a large part of their client base. As a consequence, there is an increasing onus on MSPs to ensure they can deliver effective security services, but the quid pro quo is that their customers need to take the issue of security more seriously too.
Failure to do so can be damaging for the customer but also for the MSP. As John Pagliuca, EVP at SolarWinds MSP, noted at the vendor’s Empower MSP event held in Amsterdam in May, the cost of ignoring or failing to address security adequately could be very damaging indeed for MSPs. With cyber criminals starting to target SMBs more and more, those customers were looking to MSPs “to prevent security incidents and protect them, respond if it’s happening and provide back up if it’s corrupted”.
He highlighted security as “one of the big pillars of growth for MSPs” but warned that this also came at a price. “The reason MSPs lose business is because the customer has a security event. If something bad happens, they blame the MSP.”
So what can MSPs do to try and ensure customers have a baseline security strategy in place to protect themselves and how can they make sure customers take the threats seriously? If customers refuse to adopt appropriate measures, what should MSPs do to protect themselves from blame in the event of a breach?
William Fletcher, EMEA sales manager at Webroot, acknowledges that SMBs are often left out of important conversations around data regulations and cybersecurity threats, leaving themselves and their users vulnerable. He cites recent research which found that more than 70% of cyber attacks target small businesses and that 60% of those affected went out of business within six months of their breach.
By necessity, this should mean SMBs are more inclined to turn to MSPs to help them out. Fletcher says the first step for MSPs should be to “ensure a strong foundational security strategy” within their clients’ business by establishing “cyber hygiene best practices”. He describes it as a “critical part of keeping any client protected, particularly given the limited size and scope of SMBs’ security infrastructure”.
The next step is “an actionable cybersecurity checklist that will scale as the company grows”. This means creating a culture of security with comprehensive and continuous employee security awareness training and regular risk assessments and security audits. A disaster response plan with backup and recovery tactics to mitigate losses from a data security breach is also advisable. “No single solution is a silver bullet, but tiered defences make a business more resilient against cybercrime,” Fletcher adds.
Kevin Lancaster, CEO and general manager at ID Agent, which is owned by Kaseya, stresses that MSPs need to educate customers and position themselves as experts on the subject of cyber threats. This means having a sales and marketing strategy that can convince customers that “cyber security is no longer an optional luxury, it is mandatory”.
He believes that MSPs need to “help customers understand that cyber security is a team sport. Generally, the teams that practice running plays from the same playbook and believe that a good defence is just as important as a good offence, are the ones that come out on top”.
Peter Rose, CTO at Tekenable, says that “education has to be number one”. A big difficulty is that a lot of the noise around cyber security is dominated by big breaches at large organisations. “It seems very distant for SMEs,” he argues, and they might believe cyber criminals are unlikely to attack them. The other response is that they “become discouraged”, believing that if the large organisations can’t protect themselves, why should small companies waste money trying to protect their businesses?
Rose says MSPs need to “ground the issues in the business of the SME you’re talking to and make it practical and real for them. Make sure you’re not overstating the risks. SMEs will take cyber security seriously when it’s grounded in their business and with budgets that are accessible to them. There’s a balance between impact and budget.”
Michael Conway, director at Renaissance, agrees that MSPs need to get the balance right for their SME customers. “You can see people spending money on security that doesn’t do anything, they’re buying technologies and products that are pointless. If they spend the same amount of money in a better way, they’d be more secure. It’s about spending the right amount of money wisely, not about spending more money”.
The benefit of using an MSP is that “they will always have the latest stuff, it’s never 10 versions behind. It’s in the interest of MSPs to keep customers up to date because that means they’re less likely to have a problem and so they are less likely to have to provide services to get them out of that hole”.
As Dr Karen O’Connor, general manager at Datapac, notes, there is a duty for MSPs to ensure customers are aware that they cannot “guarantee their customer complete security or the total elimination of risk. There are several factors simply beyond an MSP’s control, from the end-user risk to the latest unknown threat, which can bypass even the most up-to-date and advanced IT system. Therefore, managing customer expectations is a key part of the job”.
But what happens if customers refuse to take cyber threats seriously? What can MSPs do to ensure they aren’t left to carry the can if the customer suffers a security breach? Sarah Armstrong-Smith, head of continuity & resilience at Fujitsu Global, makes the point that if there is a blame game, customers can’t take the high ground. “Whether a company decides to outsource all or part of their security to an MSP, they are still accountable for their data and services,” she says. It may well be that, in a partnership, there is acceptance of the risk “but such action needs to be agreed at an appropriate level to ensure there is full visibility of the risks and business impact”.
For that to work, both companies need to be clear on their roles and responsibilities and the requirements, “what corresponding service levels apply, and what happens in the event of a cyber-attack or data breach, including having a process for incident response and notifications”.
O’Connor says that Datapac clearly outlines “the risks and potential consequences of all options from the outset”. The company “would rather be honest with the customer about the risks of their choice and potentially lose the deal, rather than being covert and glossing over the risks only to suffer an unexplained and damaging data breach down the line”. She argues that MSPs have to “prioritise an honest relationship with the customer to enhance their reputation and ensure long-term business success”.
Lancaster says that with regulations such as GDPR there are “clear guidelines and expectations when it comes to data breaches”. He reveals that any MSPs that ID Agent works with “have taken an ‘opt-out’ approach with customers who refuse to invest in security”. This might not completely protect them from liability, but “it reinforces the MSP’s commitment to providing the best protection for their customers, with the solutions they have available”.
Fletcher at Webroot accepts it might appear complicated but “it’s actually very straightforward for MSPs to shield themselves from blame if a client experiences a breach. They need to contractually clarify precisely what they cannot be held liable for, and where their responsibility ends and the customer’s begins”.
Alan Byrne, managing director of Kerna Communications, takes a different tack. “The concept of blame is one that should never arise in the MSP relationship,” he remarks, “as it implies a complete breakdown of trust between the parties. In an MSP relationship the responsibilities are fully documented, unambiguous and evidenced.” That said, there are no guarantees with security, he adds, describing it as “a risk management activity. Businesses must decide on the Internet services they require and, together with the service provider, agree the appropriate controls based on a risk assessment that includes professional advice from the MSP to the best of their ability”.
If a breach does occur, it needs to be assessed and, if necessary, additional controls may need to be put in place to prevent a repeat. “For there to be a fault on the part of the MSP, multiple process failures would need to occur,” he notes.
If all else fails, should MSPs consider firing their customers if they fail to take security seriously? At the Empower MSP event, Richard McDonald, CEO of NetConsult, revealed that he knew of one MSP that had fired three clients over the years “because they had become too much of a liability to the firm”. He added that some MSPs had terminated clients or deliberately increased prices to the level where the customer had decided to go elsewhere. “You need to protect your organisation,” he said. “You need to set defined parameters for what sort of client you want. You need to interview them as much as they’re interviewing you.”
Rose at Tekenable believes there are a number of reasons why the MSP and customer may not end up seeing eye to eye. For example, the attempt to educate the customer by the MSP may not have been relevant to the company or it may have misunderstood the business priorities or the budget available. “Sometimes, the size of the MSP is a mismatch for the size of the customer. Should they fire them? No, they should offer a managed transition to a competitor that focuses on that type of customer.”
Armstrong-Smith acknowledges that firing a customer “may appear extreme, but ultimately it’s all about managing risk – that risk has to be assessed by both parties – as part of a formal commercial arrangement”.
Fletcher at Webroot says firing a client is never ideal but “it is sometimes necessary for MSPs to protect themselves. IT security is no longer viewed as an option or as a simple insurance policy cost. It is part of the cost of doing business if you use the Internet – which is nearly every business today”.
If the client won’t spend enough on the minimum security required, it will get infected. “The MSP has to make a decision: either charge the client and spend lots of time helping out while the client goes slowly out of business, or just cut its losses and fire the client,” he argues. “In the end, the MSP must set minimum security standards if it is taking responsibility for running that infrastructure – or have a legally watertight get-out clause of where its responsibility ends.”
Conway says he knows of one MSP that did a profit and loss analysis on all its customers and ended up “firing a bunch of them and it’s a far, far more successful business as a result. You can end up being busy fools working for one customer and you can’t scale it because you’re learning something for a single customer that you can’t use for others. It was probably one of the best things they ever did”.
If there is an issue, that’s where SLAs come into play, he adds. “It has to be very clear to everybody where the responsibility lies, where it starts and where it ends. It’s important for the customer in deciding what service level they need and are happy to pay for and it’s important the MSP is clear what they’re delivering so there are no surprises.”
Lancaster is in no doubt what needs to be done. “Given the severity of today’s exploits and the risk faced by every business, I believe MSPs should absolutely consider firing clients that refuse to invest in the minimum cyber security safeguards,” he states. “Security is a team sport. If a customer refuses to join the team, let them play games with someone else.”