Guest Column | May 15, 2020

Don't Wait For Regulations – You Could Lose Your Business

By Jason Rorie, PenTest+, MCSE, C|EH, CISM, CCSP, CISSP – CSO of Triad InfoSec/MSP Overwatch


Most people in the IT channel – whether they be MSPs, VARs, or vendors – are finding themselves very busy right now. Current events have IT companies scrambling to provide business continuity to their clients throughout the developed world.

In the rush of it all, it’s very easy to develop a bit of “tunnel vision”. The bigger picture can start to blur as we focus on immediate problems, especially for those of us who are scrambling to keep up. This leads to problems down the line when the big picture comes back into focus.

What did we forget? What slipped through? Did we balance resources correctly?

Did we lose sight of some critical factors because of the crisis?

The truth is that many MSPs are losing sight of a significant big-picture issue: cybersecurity.

Yeah, it might seem like a breath of fresh air to hear the IT channel abuzz with something other than cyber for once, but I can assure you the actual problems haven’t gone away.

If you’ve been paying attention, you know that ransomware attacks and phishing are hitting a high point thanks to the pandemic and the opportunities it has created. And cybersecurity will continue to be the major issue in the IT business for long after COVID-19 disappears from the headlines. You can count on it.

What’s the most significant issue within that big issue? MSPs keep getting hacked, and these slip-ups are putting people out of business, hurting clients, and getting plastered all over the news. The public is losing faith in our industry – and it’s hard to blame them.

If MSPs are unwilling to take responsibility for their security, they absolutely should be held accountable. And that’s precisely what legislators are starting to say.

At the rate things are going, you can bet that regulations will be coming.

When the regulation conversation picks up steam and businesses catch on, they will begin asking their MSPs about security. What will the MSP say? How will they show evidence of what they are genuinely doing to protect both themselves and their clients?

The MSPs that invest in an internal security program will be the ones that come out on top. A comprehensive internal security program consists of administrative, technical, and physical controls. Let’s talk about a few.

A successful internal security program consists of policies and procedures that serve as evidence of how you control security within your company. This is where most MSPs fall short. Do you have a policy that states all systems with sensitive information must be encrypted and protected with multi-factor authentication? With a policy in place, are you following the policy? Can you prove it? This is all part of self-regulation. All MSPs should be building policies and evidence repositories.

In addition to policies, you should be following the defense-in-depth theory on your internal network. You should have a layered approach to technical security controls. The layers to consider are IPS, SIEM, DLP, threat hunters, endpoint security, etc. You don’t want to create resource overkill, but you do want to find that balance with layers, so each layer helps mitigate a potential incident. This theory is nothing new to MSPs. You sell these solutions to clients every day but fail to treat yourself as a client; therefore, your internal network suffers.

Train your staff. All MSPs know that users are the weakest link when it comes to security. Most MSPs have their clients enrolled in some type of cybersecurity awareness training. Make sure your employees are in that same program. Work with your vendors to get solution-specific training as needed to ensure you are using their platform as securely as possible.

Insurance is critical, as well. You need to have a comprehensive E&O policy and a comprehensive first- and third-party cyber liability policy. They are different, and you do need both. The best way to think about insurance is that E&O covers your MSP when you are at fault, not a cybercriminal. Cyber insurance covers you when the cybercriminal is at fault. Either could happen, so it is best to be covered for both.

Another aspect of an internal security program is the physical controls. Most overlook these because their primary concern is logical security. Do you have controls in place to mitigate risks that occur from a technician’s phone or laptop being stolen? Do you house sensitive data on workstations or servers in your office? Are they physically locked up?

All this can be overwhelming, and that is understandable, but it is worth the effort for MSPs to start tackling this now before it is mandated. Your company and your clients will be better served by your continued effort to keep things safe!

If you are looking for a place to start or assistance with developing an internal security program, please feel free to visit our site and reach out at

About The Author

Jason Rorie, CySA+, PenTest+, MCSE, C|EH, CISM, CCSP, CISSP, is founder and CSO of Elevated Technologies, Triad Cyber Security, and Cyber Security Insurance Group.