As Competition and Regulation Increase, MSPs Must Provide Security to Survive

Written by Raffi Jamgotchian
April 12, 2018

Recognizing that "in compliance" is not the same as "secure" can be a competitive differentiator.

Given the current environment, I predict one of three fates for MSPs in the near future: You’re going to become a security-providing MSP, you’re going to partner with one or you’re going to go out of business.

Demand for effective data security looms larger than ever on the MSP landscape. With small and midsize businesses increasingly targeted in data breach and ransomware attacks – and with compliance auditors targeting these same businesses for more thorough regulatory enforcement across industries – the role of an MSP is shifting dramatically. If you can’t provide security services to fill this need, watch out: Your MSP competitors are likely jumping on this bandwagon as the tools to provide security become simpler to use. It gives them something new and popular to sell.

The fact that so many MSPs are now developing their own security offerings is a positive development for the industry, one that ultimately helps us all raise our games; however, whether putting together services yourself or partnering with a traditional MSSP, it is critical that MSPs now have the necessary security stack and expertise in place to secure clients’ data and navigate the nuances of regulatory compliance. This isn’t just good for the client, it is necessary for an MSP business’ longevity.

Assembling a stack takes more than just the right tools, although the tools are certainly important. Building an effective security program requires a deep understanding of the client, and the risks specific to its company and their industry. It takes a thorough knowledge of the difference between compliance and security, the laws regulating the client’s industry, and how to communicate with clients as a trusted resource and expert.

Compliance isn’t security — and you must provide both. Implementing effective data security can bring you compliance, but compliance doesn’t necessarily achieve security. At the same time, pursuing compliance with a blind eye to truly effective security can leave you with neither. Take this scenario as an example: Say you do everything possible to ensure that a client’s environment is compliant but ignore real security needs, and a data breach occurs. Your company might still be held liable to the breach. For example, just three months before Target announced it had 40 million records compromised, it had passed a qualified PCI audit.

Given this reality, my recommendation is to focus on doing the right thing as far as security best practices go, mitigating as much risk as your resources allow from a business point of view. Then you can review the customer’s compliance needs and fill in any gaps not covered by your stack. In Target’s case, they hadn’t identified where their third-party risk was, and they hadn’t properly segmented their payment processing network from the rest of their environment.

As a security-providing MSP, you cannot truly know if the security you implement in line with your interpretation of the law will pass muster in the auditors’ eyes until an audit happens. Because of this, the best practice is for MSPs to document those interpretations and actions in detail. Record and explain why specific tools and practices were put in place, and what area of the regulation they’re intended to address. Orient everything around increasing security for practical reasons, not just to posture for compliance. If an audit does happen, pursuing security in this way will maximize the chances of your decisions being upheld.

Additionally, it often makes sense to look at the minimum regulatory requirements and then go beyond those to provide more compelling service and ensure compliance. For example, FINRA requires financial-services businesses in its purview to have a business-continuity plan in place, and to test it once a year. It doesn’t define details beyond that. To address this, an MSP might decide to implement a relativity high-quality backup system able to recover data from a secure cloud, not instantly as the most expensive solution might, but within hours. This is an interpretation that will hold up in an audit, and it also protects uptime and provides a superior experience for the client.

Alternatively, an MSP could use offsite tape backup – the regulation doesn’t say not to – but the client’s uptime and the outcome of an audit would be at greater risk. In cases like these, there’s benefit in going beyond the “letter of the law.”

Tailor solutions to each specific client and their industry. Each client performs different activities, uses different equipment, and adheres to different industry rules. To be effective, security-savvy MSPs need to study a client’s specific risk profile and tailor a security program to those needs. For example, we use Beachhead Solutions’ SimplySecure as a tool that can encrypt data and remotely lock and wipe data from compromised devices in the field. This gives us a strong fit for securing our financial-services clients that have employees that carry sensitive data on laptops or mobile devices, which might be lost or stolen.

However, for our clients relying solely on stationary desktops, different tools are more appropriate. At the same time, each industry is governed by regulatory agencies and specific rules with enough variance that an MSP can’t successfully provide security for companies in that field without being deeply familiar with those nuances.

Be the expert the client needs. Software tools alone can’t secure a client. It takes participation by the people involved, from company leaders to employees. A security MSP is the point of contact that guides the client in ensuring individuals exhibit secure behaviors. In addition to putting training tools in place, it’s just as important that an MSP can understand and explain the human-error risks those tools mitigate.

In our own case, we use Breach Secure Now! to train client employees in security best practices, as well the aforementioned SimplySecure management system and the Carvir-provided SentinelOne endpoint detection and response solution to further support employees in protecting data on their devices. However, an effective security MSP must do what the tools cannot, and be proactive in communicating in real-time as breaches occur or new, massive vulnerabilities make headlines.

It’s important to take the lead in explaining major issues and events to clients, so that they fully understand how it affects them, and what actions you as an MSP and they themselves should take to mitigate risk. That process of demonstrating expertise and initiative in addressing issues not only makes clients more secure, it enhances your relationships and reputation as well.

As MSPs adapt to the new reality in which all clients and providers must address data security, good solutions are essential, but they can’t do the job alone. Knowledge of laws and technology, understanding of specific client needs, and great personal communication are the ingredients that ultimately help MSPs ensure customer data is secure — and strengthen their businesses for the long haul.

Raffi Jamgotchian is the founder of Triada Networks, an IT services firm that caters to boutique investment and other security-conscious firms in the New York metro area.