Amy Luby, Founder of Modern MSP

AUTHOR: Amy Luby, Founder of Modern MSP

Over the past few years, MSPs have experienced unprecedented changes and challenges. Unfortunately, the uncertainties continue in 2022, with world events and economic concerns forcing business clients to rethink and reshape their operations, and those transitions are causing even more turmoil and disruptions. It might be time to evaluate your cybersecurity practice for an extreme makeover.

Cybersecurity is one of those areas of uncertainty. No MSP can assume its posture is strong enough to stop today’s onslaught of hackers, phishers, and other cyberattacks. And Russia’s assault on Ukraine is making that situation even worse, with malicious actors unleashing an array of new attacks on networks and systems throughout the world.  As if things were not bad enough before, the IT services community must step up even more to protect their clients and their own businesses.

advanced cybersecurity expertise must be a key service offering in every MSP’s portfolio

Today, advanced cybersecurity expertise must be a key service offering in every MSP’s portfolio. Not only are IT firms the ideal target for hackers, as we’ve seen many times since the U.S. Secret Service issued an advisory warning of increasing attacks, but your customers’ network may be more vulnerable than ever. That helps explain why nearly 33% of small businesses are now outsourcing cybersecurity to a trusted managed services provider and/or a managed security services provider (MSSP).

Oddly enough, thanks to a widespread MSP security problem, there’s an increasing disconnect between clients’ perceived protection levels and what they are actually paying providers to deliver. Everyone wants the top cybersecurity package coverage for the base bundle price! MSPs will always get the blame if something goes wrong, even when the clients’ go cheap, which is many providers are moving away from lesser cybersecurity options. Delivering one top-line offering with a few industry-specific or compliance-related options is easier to manage, support, and stand behind.

MSPs have options today. For example, with a centralized platform remotely managing customer networks, you can cost-effectively and rigorously protect the routes of ingress for attackers and minimize the risks to clients and your own firm. That’s not the only way to give your security practice an extreme makeover. Here’s a short checklist of ideas to help you strengthen your offerings and better protect their IT ecosystem.

Evaluate your portfolio

When prospects are considering your MSP to provide support, it’s important to bring proven best practices and technologies to the table. A failure in any of these areas can open the door to cybercriminals, from internal management systems and infrastructure to network security, access control, and multi-factor authentication (MFA) offerings.

Does your team have the necessary credentials or certifications (i.e., CISSP, CompTIA Security+, pass government background checks) to prove your MSP is the real deal when it comes to cybersecurity? Now is the time to get serious about updating and upgrading your team’s expertise and credibility in that area. Background checks on contractors and full-time employees are mission-critical. There’s nothing worse than having a team full of rockstars and letting one negligent subcontractor wreck your reputation.

Evaluate your practices

Acquiring a compelling value proposition requires MSPs to abide by the same security measures as their customers. Prospects and clients should know what you do to protect your own infrastructure. Share a copy of your MSP’s information security plan, policies, and disaster recovery strategy – redacting any sensitive information, if applicable – along with a list of compliance requirements your team can address. Also, if you have a named information security officer or other executives with similar responsibilities, emphasize their qualifications and background to help put clients more at ease.

Finally, base your security program on a predominant, well-vetted framework like CIS Controls. Governance is an important part of your cybersecurity practice, so make sure to evaluate yourself in this area honestly and address any deficiencies quickly.

Evaluate your policies

When it comes to creating an iron-clad cybersecurity policy, benchmark your firm to industry best practices, as well as to any standards your clients should be following. This should include regular vulnerability scans for your business and clients’ operations and a clear process for detecting and remediating potential vulnerabilities. You should be able to answer any “worst-case scenario” by referencing policies and guidelines. If the current plan does not cover any of the most likely situations (overlooking the alien invasions and “end of the world” type concerns), it’s time to consider a cybersecurity makeover for your MSP.

Be sure to address methods for assessing and managing risk in those evaluations. Who is conducting threat appraisals within your organization, and how often are they performing those assessments? Also, do you have a clear change management policy for internal operations? Managing access is critical. Make sure that team members only have credentials to their “spheres of influence.” For example, logins for remote monitoring and management (RMM) platforms should only be available to the group(s) specifically involved in managing the client’s network. Not the sales or accounting staff.


The key to MSP success is cybersecurity expertise

MSPs can prevent ransomware attacks with attack surface reduction (ASR) rules

Evaluate your tactics

Cybersecurity excellence depends on how well your team is prepared to handle “worst-case scenarios.” Do you have tested backup and recovery strategies in place for your MSP as well as your clients’ systems? Conduct regular surprise inspections of all security controls. MSPs should also employ third-party assessors to review defenses, perform penetration testing, document the results, and recommend improvements.

Proven tactics, coupled with clean documentation, are signs of a mature and secure MSP. Are there any areas where your team, processes, or technologies are lacking? There’s no time to waste. From the spotty implementation of MFA and skipping cybersecurity training sessions to a lack of penetration testing, MSPs cannot skimp on the essentials today. Now is the perfect time to take a deep dive into your protection capabilities and consider giving your policies and toolsets a complete makeover!

Have something to say about this topic? You peers would love to hear from you in the Modern MSP Facebook Group.

About the author

Amy Luby, founder of the Modern MSP community, is a proven entrepreneur and pioneer in the IT services industry. She founded and built one of the first Managed Services Providers in America, and expanded that business into one of the first Master MSPs, defining both business models in the process. She writes weekly about the business of being a Modern MSP.