3 Assumptions That Will Land MSPs’ Clients in Compliance Trouble

“Trust but verify” should be standard for MSPs implementing security and compliance programs.

October 30, 2019


By Cam Roberson


For MSPs that deliver device and data security as part of their offering, uncovering faulty security practices a client already has in place, often rooted in misplaced assumptions, is routine. No matter what a client says or believes about its own IT environment and how that environment measures up to regulatory requirements, the right move for the MSP is to trust but verify. Or, put more simply: never just take your client’s word for it. Doing so can leave the door open to damaging data breaches and expose the client (and in some cases the MSP itself) to crippling regulatory fines.

Considering the mishaps clients can and will get into when it comes to handling data and safeguarding their IT systems, MSPs would be wise to introduce their own compliance-as-a-service offerings in addition to existing services, to fully protect the interests of their clients and themselves.

Here are three recent tales we’ve heard from MSPs about occasions where their clients made dangerous assumptions that would have left their systems out of compliance and at substantial risk:

1. The client assumes legacy policies remain compliant forever.

Dereck Jacques, team lead and project manager at Charles IT, told us the story of a client that needed to bring its systems into SOC compliance and came to the MSP for help. According to Jacques, “They were a rapidly growing company, whose technology and policies had started to lag behind because they had been so focused on scaling the business.”

The client assumed that the MSP’s compliance work would focus solely on replacing equipment (such as out-of-date legacy servers) and then updating the network with intrusion prevention and detection to bolster overall security. A primary client focus was the introduction of a Security Information and Event Management (SIEM) platform, which supports a key component of SOC compliance by providing an auditable record of security-relevant events across the network.

However, the client also intended to leave its existing legacy policies in place, assuming them to be aligned with the company’s compliance goals. Luckily for the client, Charles IT went beyond simply fulfilling its technology requests and instead examined the client’s compliance profile in its entirety. When it did, those legacy policies stuck out as a major risk factor. “Rewriting and filling gaps in policies played a big part in our client’s move toward compliance,” Jacques explained. “We updated aging policies, and created new policies to keep the client in-step with its industry’s quickly changing technological landscape. Thanks to that more holistic focus, the client successfully passed their SOC audit and was awarded compliance.”

2. The client assumes its devices are devoid of sensitive PHI.

Brad Storz, president of Cirrus IT Solutions, recently told us this story about a new client in the health care industry that insisted its computers held no electronic protected health information (ePHI) whatsoever. Health Insurance Portability and Accountability Act (HIPAA) regulations governing the industry require careful handling and storage of ePHI, enforced through substantial fines and public posting of breaches. At the same time, under HIPAA’s business associate provisions, any entity that handles ePHI on behalf of a covered entity, MSPs included, must itself comply with HIPAA or face penalties.

For these reasons, Cirrus IT Solutions was prudent in examining the new client’s devices with its own tools. “We did a scan of the client’s computers using SolarWinds Risk Intelligence,” reported Storz. “Sure enough, completely contrary to what the client believed, there was a tremendous amount of vulnerable ePHI data on their PCs.” Taking that extra step enabled Cirrus IT Solutions to ultimately provide full HIPAA compliance to the client, while keeping both companies clear of regulatory actions.
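A scan of the kind Storz describes, written here as an added example rather than the vendor tool he used or code from the article. It walks a directory tree and flags a file only when it contains both an identifier pattern (SSN- or MRN-shaped) and a clinical keyword, which keeps stray nine-digit numbers such as order IDs out of the report. The patterns, the keyword list, the file types and the two sample files are all constructed for illustration and should be tuned to the client’s environment.

```powershell
# Added example, not part of the original article or of any vendor tool it names.
# Flags files that look like they hold ePHI: an identifier pattern AND a clinical
# term must both appear. Patterns/keywords below are assumptions for illustration.

function Find-PossibleEphi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Include = @('*.txt','*.csv','*.log','*.xml','*.json','*.eml','*.html','*.htm'),
        [int] $MaxFileSizeMB = 50
    )

    # US SSN (123-45-6789 / 123 45 6789, excluding invalid area numbers) or "MRN" + 6-10 digits
    $idPattern = '\b(?!000|666|9\d{2})\d{3}[- ]\d{2}[- ]\d{4}\b|\bMRN[:#]?\s*\d{6,10}\b'
    # Clinical vocabulary that an SSN in a shipping manifest would not sit next to
    $clinicalPattern = '\b(patient|diagnos\w*|ICD-?10|CPT|prescription|medical record|date of birth|DOB)\b'

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxFileSizeMB * 1MB) } |
        ForEach-Object {
            $file = $_
            $idHits = Select-String -Path $file.FullName -Pattern $idPattern -AllMatches -ErrorAction SilentlyContinue
            if (-not $idHits) { return }
            $clinicalHits = Select-String -Path $file.FullName -Pattern $clinicalPattern -AllMatches -ErrorAction SilentlyContinue
            if (-not $clinicalHits) { return }

            $idCount = ($idHits | ForEach-Object { $_.Matches.Count } | Measure-Object -Sum).Sum
            # Report paths and counts only, never the matched values, so the report
            # itself does not become a new copy of the client's ePHI.
            [pscustomobject]@{
                Path           = $file.FullName
                SizeKB         = [math]::Round($file.Length / 1KB, 1)
                IdentifierHits = $idCount
                ClinicalTerms  = ($clinicalHits.Matches.Value | ForEach-Object { $_.ToLower() } | Sort-Object -Unique) -join ','
                LastWrite      = $file.LastWriteTime
            }
        }
}

# Demo on constructed sample files; on a client PC point -Path at user profiles (run elevated).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ephi-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
Patient: J. Doe  DOB: 01/02/1970  SSN: 123-45-6789
Diagnosis: ICD-10 E11.9
'@ | Set-Content (Join-Path $demo 'visit-notes.txt')
'Order 987-65-4321 shipped, tracking 1Z999' | Set-Content (Join-Path $demo 'shipping.txt')

Find-PossibleEphi -Path $demo | Format-Table -AutoSize
```

Run against the constructed files, only visit-notes.txt is reported; shipping.txt carries an SSN-shaped number but no clinical term, so it is dropped. The scan reads the client’s files, so it should run only within the scope the engagement authorizes, and the output is limited to paths, counts and matched keywords so that the report is not itself a store of ePHI.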

3. The client assumes BitLocker is fully sufficient for its data encryption needs.

From the client perspective, the BitLocker tool included with the business editions of Windows appears to offer effective full-volume encryption for safeguarding data on their devices – to the degree that they assume there isn’t more for an MSP to do. “We commonly work with clients that believe their own BitLocker implementations completely lock down their data,” said Joe Cram, CEO of Solid Networks. However, BitLocker on its own, without Group Policy, Intune or a third-party platform enforcing it and escrowing recovery keys, has no organizational management layer: whether a device stays encrypted is left to whoever administers it locally. At the same time, compliance frameworks in nearly every industry expect encryption to be enforced continuously and its status reported automatically, which requires central management.

“With user-managed BitLocker, anyone with local system administrator privileges can simply turn BitLocker off,” said Cram. “It’s unilaterally considered a bad practice to rely on end users to manage device security for a good reason: user-based systems mismanagement is rampant, and the practice just isn’t compatible with being able to prove compliance to auditors should the need arise.” That said, Solid Networks regularly assists clients using BitLocker in achieving compliance and data security, by supporting the tool with a proper management platform.
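The check an MSP would script to close the gap Cram describes, as an added example (not code from the article, from Solid Networks, or from Beachhead). It reads BitLocker state on the local machine with the BitLocker PowerShell module, checks whether Group Policy enforces recovery-key escrow via the well-known policy key under HKLM\SOFTWARE\Policies\Microsoft\FVE, and returns one compliance record per volume. The thresholds (TPM+PIN on the OS volume, XTS-AES, a recovery password protector) are assumptions about the client’s policy; Intune-managed devices may express escrow settings differently.

```powershell
# Added example, not from the original article or from any vendor platform it mentions.
# Assesses BitLocker the way an MSP compliance check would, instead of trusting the
# user: every volume fully encrypted with protection ON, OS volume TPM-bound (ideally
# TPM+PIN), a recovery password present, and escrow enforced by policy.
# Requires the BitLocker module (Windows 10/11 Pro/Enterprise, Server) and admin rights.
#Requires -RunAsAdministrator

function Get-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Where Group Policy / ADMX-based MDM writes BitLocker settings
        [string] $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    )

    # Without these policy values BitLocker can be enabled with no central copy of the
    # recovery key, so protection is only as durable as the local user's habits.
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $escrowEnforced = ($policy.OSActiveDirectoryBackup -eq 1) -and ($policy.OSRequireActiveDirectoryBackup -eq 1)

    foreach ($vol in Get-BitLockerVolume) {
        $findings   = New-Object System.Collections.Generic.List[string]
        $protectors = $vol.KeyProtector.KeyProtectorType   # e.g. Tpm, TpmPin, RecoveryPassword

        if ($vol.VolumeStatus -ne 'FullyEncrypted')      { $findings.Add("VolumeStatus=$($vol.VolumeStatus)") }
        # ProtectionStatus flips to Off when a local admin suspends or disables BitLocker;
        # this is the case Cram describes and the one a scheduled run must catch.
        if ($vol.ProtectionStatus -ne 'On')               { $findings.Add('Protection is OFF (suspended or disabled)') }
        if ($protectors -notcontains 'RecoveryPassword')  { $findings.Add('No recovery password protector') }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if (-not ($protectors -match '^Tpm'))         { $findings.Add('OS volume not TPM-bound') }
            elseif ($protectors -notcontains 'TpmPin')    { $findings.Add('TPM-only: no pre-boot PIN') }
            if (-not $escrowEnforced)                     { $findings.Add('Recovery key escrow not enforced by policy') }
        }
        if ($vol.EncryptionMethod -notmatch 'XtsAes')     { $findings.Add("Weak/legacy cipher: $($vol.EncryptionMethod)") }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Protectors   = ($protectors -join ',')
            Compliant    = ($findings.Count -eq 0)
            Findings     = ($findings -join '; ')
            CheckedAt    = (Get-Date).ToString('s')
        }
    }
}

# Usage: run on a schedule from the RMM and keep the CSVs as audit evidence.
Get-BitLockerCompliance | Tee-Object -Variable report | Format-Table -AutoSize
$report | Export-Csv -Path ".\bitlocker-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Scheduled from the RMM, this is the automated reporting the auditors expect: a volume whose owner ran Disable-BitLocker or suspended protection shows up as non-compliant on the next run, with the reason recorded, instead of being discovered after the laptop is lost. The check reads state only; remediation (re-enabling protection, adding a recovery password protector and backing it up with Backup-BitLockerKeyProtector) belongs in the management platform the MSP puts in front of BitLocker.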

In an environment where even the most well-meaning clients often make security decisions based on incorrect notions, it pays for MSPs to go the extra mile by offering compliance-as-a-service. In this way, MSPs ensure that clients receive the data security they actually need to achieve and maintain compliance, and MSPs gain the long-term engagements that come with it.

Cam Roberson is the director of the reseller channel for Beachhead Solutions, a company offering a PC and mobile device encryption service platform for MSPs. Follow him on LinkedIn or @BH_SimplySecure on Twitter.
