3 Assumptions That Will Land MSPs’ Clients in Compliance Trouble

Cam Roberson
For MSPs delivering device and data security as part of their offering, unearthing their clients’ incumbent and faulty security practices – often guided by misplaced assumptions – remains commonplace. No matter what a client says or believes about the details of their own IT environment as it relates to regulatory compliance requirements, the right move for MSPs is to trust but verify. Or, put more simply: never just take your client’s word for it. Doing so may leave the door open to damaging data breaches, and leave the client (and in some cases even you, the MSP) exposed to crippling regulatory fines.
Considering the mishaps clients can and will get into when it comes to handling data and safeguarding their IT systems, MSPs would be wise to introduce their own compliance-as-a-service offerings in addition to existing services, to fully protect the interests of their clients and themselves.
Here are three recent tales we’ve heard from MSPs about occasions where their clients made dangerous assumptions that would have left their systems out of compliance and at substantial risk:
1. The client assumes legacy policies remain compliant forever.
Dereck Jacques, team lead and project manager at Charles IT, told us the story of a client that needed to bring its systems into SOC compliance and came to the MSP for help. According to Jacques, “They were a rapidly growing company, whose technology and policies had started to lag behind because they had been so focused on scaling the business.”
The client assumed that the MSP’s compliance efforts would focus solely on replacing equipment (such as out-of-date legacy servers) and then updating the network to introduce intrusion prevention and detection that could bolster overall security. A primary client focus was the introduction of a Security Information and Event Management (SIEM) platform, fulfilling a key component of SOC compliance by providing a full record of important actions taken within the network.
However, the client also intended to leave its existing legacy policies in place, assuming them to be aligned with the company’s compliance goals. Luckily for the client, Charles IT went beyond simply fulfilling its technology requests and instead examined the client’s compliance profile in its entirety. When it did, those legacy policies stuck out as a major risk factor. “Rewriting and filling gaps in policies played a big part in our client’s move toward compliance,” Jacques explained. “We updated aging policies, and created new policies to keep the client in-step with its industry’s quickly changing technological landscape. Thanks to that more holistic focus, the client successfully passed their SOC audit and was awarded compliance.”
2. The client assumes its devices are devoid of sensitive PHI data.
Brad Storz, president of Cirrus IT Solutions, recently told us this story about a new client in the health care industry that insisted its computers held no electronic personal health information (ePHI) whatsoever. Health Insurance Portability and Accountability Act (HIPAA) regulations governing the industry require careful handling and storage of ePHI, enforced with substantial fines and even the dreaded public shaming. At the same time, any entity handling ePHI on behalf of a HIPAA-covered entity must …