Five cybersecurity priorities for an MSP and its customers
Every business must present key differentiators from its competitors in its practice and marketing messaging. For managed service providers (MSPs), cybersecurity offers a place where the expert and conscientious provider can gain a significant advantage. In previous articles, we’ve discussed how most cybersecurity tools are not designed for a one-to-many protection model – except those designed for high-end, multi-function enterprise settings.
That presents challenges to MSPs, especially when we consider that cybersecurity threats are front-of-mind for many small and medium-sized businesses. We’ve featured ConnectWise as one of the few suppliers to the MSP sector of tools that are not only designed for MSPs’ use but also how the company helps its customers develop sensible, cost-efficient and secure solutions that are part preventative measure, part approach to cybersecurity and risk, and part amelioration and recovery systems.
We recently interviewed Leon Friend, the Security Sales Engineer, APAC, of ConnectWise, who explained the five most effective cybersecurity priorities that an MSP should adopt in its everyday work to ensure the safest possible working environments, both for the company itself and its customers.
Price and packaging
Given that the trusted service provider landscape is highly competitive for price, it’s tempting to believe that the MSP will lose business unless it can offer cybersecurity protections with the lowest possible outlay. However, with the predominance in the mainstream news of the terrible effects of cybersecurity incidents and the increasing requirement to comply with more stringent data governance, many customers are very conscious of the need for proper protection.
To achieve the balance between cost and effectiveness, Leon told us that an assessment of the MSP’s own risk profile alongside each of its customers’ is an essential first step.
He said: “The MSP has to understand and decide what their risk factors are and what risks they’re willing to take on. Sometimes, that means that they don’t accept customers because the customer is not willing to meet their benchmarks – which is hard. The MSP must ensure that the customer is not introducing risk to their business. Every business wants to grow, but the MSP needs to be sure that the growth is safe and profitable.
When an MSP is first starting to build their cybersecurity practice, they often think of tiered solutions based on a “good, better, best” model with corresponding prices. However, they will get better results by moving to a more consultative approach that focuses on the customer’s risk factors. By focusing here, they can build a security platform that is less invasive and caters for the customer’s needs, whether they are operating in sensitive areas such as medicine or finance or businesses with a lower-risk profile. It also means the customer will understand what they are signing up for”.
Determination of customer risk is an essential first step in providing the right protective measures. Seeing what data matters to an MSP’s customers and what is of lower value can help determine the correct level of cover and requirements. Many companies make good use of cloud-based SaaS solutions in the form of applications or remote storage. While it’s not necessarily a given that cloud services are secure, determining the business’s internal workflows and data protection needs will form the basis of recommendations for the types of cover available.
With many security incidents being the result of user activity, an often overlooked element is user education. Leon said, “…if we can educate those users to try and minimise [clicking rogue links], that’s great”. However, he also stated that it’s crucial that businesses don’t use a lapse as a stick but rather as a teaching tool, e.g., by using methods such as a short two-minute video that teaches employees why the action was dangerous and what to do in future. And this can’t be done just once; it needs to be ongoing.
Blanket use of services such as multi-factor authentication (MFA) may be challenging. Leon explains: “In some environments, BYOD [for MFA] is not achievable. For example, in a retail environment, where staff are not allowed to carry their phones, an authentication app just isn’t an option. You must think differently, for example, you might use security keys or hardware-based tokens such as Yubikeys”.
Covering for cyber incident costs and losses was, maybe five years ago, just a matter of ticking a box on the application for Professional Indemnity Insurance. However, all businesses now need to consider Cyber Insurance a critical part of their overall business insurance requirements. This means both MSPs and their customers should be looking to ensure they have the right level of coverage. Leon advises using a specialist insurance broker capable of helping companies choose between multiple cyber-focused insurers. That expertise will help companies see any gaps in cover or policy exceptions that could be critical.
The key here is a realisation that if no insurance is in place on the part of either MSP or its customer, the party deciding against insurance is effectively self-insuring, thus covering all its costs in the event of an incident. Boundaries between liability need careful thought: if a customer of an MSP suffers a critical incident, its MSP’s insurance policies may or may not provide cover.
Leon said that when an MSP seeks its own insurance, its marketing will be scrutinised by any underwriters. “When you go to get cyber insurance, [insurance companies or brokerages] look at your website,” he said. “If you’re saying you do everything, most cyber insurance will not want anything to do with you. So it’s important that MSPs are really clear about what they do, and just as importantly, about what they don’t do.”
MSPs don’t need to spend time and effort creating their own security framework. Implementing a framework such as Australia’s Essential Eight or the Cert NZ critical controls will dramatically improve the customer’s security posture. As the security practice grows, MSPs can expand coverage by using other security frameworks such as NIST or CIS.
Another important consideration for the MSP is whether its customer base has specific regulatory or compliance requirements. This will vary based on industry or market vertical and is essential to understand to ensure they can respond to their customers’ risk factors or needs.
Shared responsibility models
In almost all aspects of the MSP-customer relationship, both organisations need to work together to produce the right outcomes.
As an example, both parties must have established and practised incident response processes, agreed on levels of responsibility, and established the security frameworks upon which both will operate and expand. Without this cohesion, a successful response will be difficult.
Leon pointed out that in today’s MSP-customer relationship, the responsibility for data lies in three places:
- The data owner (the customer, who also controls the budget).
- The security adviser.
- The implementer of technology.
In most cases, the MSP provides the second two roles; the customer always owns the data.
All elements of the cybersecurity picture can be determined by agreement between both parties, from risk audit, advice, implementation, insurance choice and cybersecurity measures’ evolution and expansion. If we accept a company’s data as its unique intellectual property, expert provision to protect it is necessary. An MSP that can step into the role with assurance and expertise will find it is significantly differentiated from its competition.
There are few areas of business not interwoven by technology. The power and complexity of tech now means that specialists are needed for systems oversight, protection and management. It’s incumbent on MSPs to be the go-to expert resource for all things technological, and a large part of an MSP’s activities are in cybersecurity: proactive, reactive and constant.
Getting clients safe and secure depends on the MSP’s own tools, approach and knowledge. Coordinating all the moving parts fluently is challenging, but there are specialist companies that advise and supply MSPs with what they need.
To learn more about the unique offerings for MSPs that ConnectWise offers, click through to find out more from a representative near you.
- Biometric tool from INTERPOL is a game changer in capturing most wanted criminals
- AI and the changing cyberthreat landscape make data management crucial in 2024
- Global semiconductor sales to pass US$588bn in 2024, fueled by memory surge
- Dell Technologies sees AI, zero trust, and quantum computing leading 2024
- IBM makes significant breakthrough in quantum computing