The risks MSPs face are not always obvious. Most IT business owners understand the consequences of losing clients, hiring bad drivers, or leaving the doors unlocked, but other threats are harder to see. For example, knowing where the ultimate responsibility falls when a client becomes the victim of a ransomware attack or some other type of cybersecurity incident can get fuzzy.
The contributing factors may be complex, and assigning responsibility for a failure tends to get just as complicated. Was the exploited weakness on the MSP’s side, or did it come from a client’s negligent employee? IT services providers need to know the best practices for minimizing their shared risks if they are to protect their businesses, their customers, and the livelihoods of everyone’s employees. Cybersecurity responsibilities must be clearly and frequently communicated to the respective parties, and each safeguard should be tested periodically to reduce the chances of a breach, ransomware attack, or other data-related incident.
As with any technology process, a proactive management approach is essential. MSPs must continually assess their overall security posture and add new measures to reduce their company’s liability in the event something bad happens to their own systems or to their clients’. What works well today may become a vulnerability tomorrow.
The Weakest Links
Whether opening a business or walking down the street, risk is a part of life. Virtually every activity carries some level of uncertainty, if not actual danger, and people spend a great deal of time and effort managing the unknowns. Cybersecurity is a perfect example of that concept.
When cybercriminals compromise an organization’s IT networks or its data collection and storage systems, it is almost inevitable that someone will start pointing fingers. Failures lead to blame. There will never be an unbreakable security perimeter as long as humans are part of the equation, and the responsibility for a lapse often falls on people far removed from the one who made the mistake. Many business leaders expect cybersecurity to be infallible. Even when an employee bypasses company security policies or ignores basic common sense, some will blame their MSP (or their internal tech team, where applicable) for not doing more to limit, if not completely prevent, the resulting damage. Their understanding of the scope and complexity of these attacks may not match the real challenge of defending networks, computers, and employees, especially workers who ignore rules, take shortcuts, or deliberately sabotage their systems.
Realistically, the liability for any failure should extend to all the “players.” Employees should pay closer attention and follow best practices. Company executives could invest more in cybersecurity measures and training and enforce workplace policies more consistently. Unfortunately, everyone expects MSPs to be infallible, no matter how much their hands are tied by clients’ decisions and budget limitations, so they often take most of the blame.
Minimizing those liabilities must be a priority for every business. For MSPs the mission is even more critical: when an attack does occur, their exposure should be limited to the processes and technologies that were actually under their control. Proper safeguards and insurance coverage are an essential part of that equation.
The Known Liabilities
Cybersecurity concerns continue to grow, and the margin for error is vanishingly small: not for employees, not for business owners and managers, and not for the IT teams that support their technology systems. MSPs have to be more diligent than ever to reduce their own liabilities. While no IT services firm can eliminate every risk, some of the steps team members can take to minimize the company’s exposure include:
- Setting and enforcing strict internal cybersecurity policies. Between breaches, ransomware, phishing, and a constant stream of evolving malware targeting any opening in a network, MSPs cannot afford to overlook anything today. Establishing and adhering to firm guidelines for the implementation, management, and support of every IT system, for clients and internally, must be a priority. Lapses in a provider’s own cybersecurity practices and controls can significantly increase its liability if those lapses contribute to the breach of a customer’s data.
- Demanding high cyber standards from clients. There is no excuse for poor adherence to cybersecurity policy today. If there is one issue an MSP should ever consider firing a client over, this is it, especially considering the impact a breach could have on both businesses. Providers must be willing to walk away from high-risk organizations to protect their reputations, financial stability, and livelihoods. MSPs that continue supporting clients with known, unaddressed weaknesses are amplifying the risk and the potential monetary impact to their own bottom lines. A tough-love approach, backed by firm deadlines for poorly protected businesses to upgrade their cybersecurity, is business critical for IT firms in today’s threat environment.
- Keep building. Cybersecurity is dynamic. MSPs may gain the upper hand over cybercriminals by installing the latest protective measures and adding support options, but those wins are short-lived without a roadmap of continual upgrades. One of the main reasons providers attend channel events today is to learn about new tools and strategies for combating ransomware attacks and social engineering schemes. Adding layers of protection and upgrading existing tools helps keep attackers at bay. MSPs that continually strengthen their protections and end-user awareness training (a critical component of any plan) keep their clients from becoming the “low-hanging fruit” that attackers typically target. Those measures also help limit a provider’s liability should something go wrong: MSPs that follow and promote industry best practices have a far stronger position to defend.
- Checking all the “compliance boxes.” Missing a recovery time objective (RTO) or recovery point objective (RPO), or suffering backup errors that lead to data loss, can create major legal and financial liabilities. MSPs have to be compliance experts for all of their clients and adequately support each requirement to limit their mutual liability in the event of a ransomware attack or other data-compromising incident. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the rules enforced by the Financial Industry Regulatory Authority (FINRA) can make clients’ heads spin. While client companies bear a major share of the responsibility for compliance, blame for failures is increasingly shifting to the MSP and IT communities. Providers can minimize their risk by adopting every prescribed requirement, testing systems frequently (including actual restores from backup, not just backup job status), and stressing the importance of these standards with clients, end users, and their own staff.
No Easy Outs
Managing risk is part of doing business today. MSPs, like their clients, must strive to do the right thing every day to minimize their legal and financial liabilities.
Following prescribed cybersecurity best practices and addressing regulatory and industry standards are essential steps. However, even the best-laid plans can fail in today’s high-threat environment, as cybercriminals look for even the smallest opening (typically a human error) to launch an attack.
Every organization needs a cybersecurity-specific insurance policy to limit the monetary impact of a compromise. No MSP can expect to plug every potential gap or predict when a client’s employee will click the link that launches ransomware. Knowing the company has financial protection and support in these situations eases the burden for everyone.