Fellow MSPs: Get Tough On Poorly-Postured Security Environments Before You End Up In A High Stakes Game You Won't Win
By Eric Weast, ECW Network & IT Solutions
“Have you ever done this before?”
That simple question—perhaps worded a little more softly—is my typical response when a client begins hemming and hawing over some aspect of the expertly-crafted security and regulatory compliance technology stack we offer as their MSP. Their answer is, inevitably, “No.” No, they haven’t ever ensured compliance for a business whose future depends on implementing the precise protections their industry regulations now simply require.
I reply that we have. And it’s just as important for us as it is for them. By design, our managed service offering includes a portfolio item for every control asked about on cyber insurance forms and compliance questionnaires. We leverage enterprise-grade security solutions that we can repurpose to meet the letter of the law when it comes to HIPAA, NIST, PCI, CMMC, or other stringent industry compliance frameworks. We’re vigilant, dedicated, and proven experts in achieving successful compliance attestations for the customers who engage with us year over year. We just need them to also accept their role on this team and approve policies and tools that will work reliably and at scale to meet their security and compliance needs both now and later. If a new customer is interested, we’re glad to show them the way. But they must take our advice, accept our tools, and let us do things safely and correctly.
If a potential customer starts trying to nickel and dime security or poke around for risky shortcuts, we’re ready to give pushback. If they object too loudly, then we’ll just walk out. Why? Because in many of today’s regulatory landscapes, the MSP is also on the hook for everything. If there’s a breach of a client’s protected data on our watch, it goes beyond just devastating reputational damage: HIPAA and other frameworks can come after us with fines and penalties too. So, for smart MSPs, there’s no choice. We must be just as careful choosing our customers as they are choosing us.
To be fair to the MSP colleagues I’m speaking to, it takes time and experience in this business to overcome the fear of walking away. You know that revenue is going to walk out the door and over to another practice that will acquiesce to lower security standards. But the truth is, I've gained more customers by threatening to fire them and making sure we have those serious talks. I tell the client, “You may disagree, but your industry’s regulatory requirements and enforcement are the tide. And you simply can’t fight the tide. We're trying to help you stand against it. But we’re not getting rolled over together, because we won’t be there when you sink yourself.”
For a specific example, we’re currently working with a customer that truly didn’t even understand that it needed to be CMMC compliant. CMMC is used to inform the government and the Department of Defense as to the security capabilities of contractors and subcontractors. The boss at this construction company (with government contracts) has a very “We do things my way, like back in the day” perspective. I had to make it clear that CMMC isn’t something you get to disagree with: it’s like disagreeing with gravity. CMMC is effectively the law, and you can't ignore the law without facing a consequence.
Responsible government subcontractors are serious about security, out of necessity. They’ll perform multiple audits each year and bring in the big boy firms to conduct them. They know that if they don’t, their contracts with major clients in the government supply chain, aerospace, or defense contracting industry will simply be denied at some future point. These customers understand that you have to go with the program if you want to be invited to the government money party and are ready to listen when we MSPs tell them how to do compliance right.
If you’re an MSP assembling your enterprise-grade security and compliance stack, you need to enlist robust tooling that certainly doesn’t cater to customers trying to save a buck, but that does enable you to provide effective compliance in the industries you serve. A comprehensive stack will include several solutions: in our case, at our highest watermark of security, we have seven agents running on our customers’ endpoints, which would certainly give us agent fatigue if they weren’t all completely necessary for certain compliance frameworks.
Because protecting sensitive data is a foundational goal of compliance strategies, we begin with our cloud-based data encryption and access control solution, BeachheadSecure, which we like for its ability to remotely revoke access and delete data from any device at risk, and for its RiskResponder functionality. We also have SentinelOne in place for endpoint security and Huntress for threat detection and response, among others. MSPs should also enlist multiple levels of ransomware protection, a DNS filter, and tooling to automatically isolate machines as necessary. MSPs must also become experts in the particulars of the regulations they provide compliance for, and in any needs specific to customers in those industries.
Finally, it’s important to set expectations for customers on the fence about investing in the security their industry requires them to provide. It likely won’t be today or tomorrow, but when an incident does occur, audits will follow. Customers must be ready—and especially those under regulations like CMMC or HIPAA with strict legal ramifications. With CMMC, for example, anyone from a business’s cyber insurance company to their actual clients can conduct forensic investigations, or surprise audits where the business needs to show all its compliance paperwork. That material can’t just be invented in a week, which is why the best time to prepare for an audit is before it happens. CMMC compliance takes a ton of preparation, and while a business could fill out anything on a form, if it isn’t accurate then those responsible could actually go to prison for it.
As an MSP, I've never woken up thinking today’s the day I’m ready to go to prison for a client that just will never see the value in protecting their data, network assets, and online reputation. Think of that if you’re an MSP that needs the motivation to get assertive with potential customers.
About The Author
Eric Weast is the owner of ECW Network & IT Solutions, a South Florida-founded Managed Services Provider which has expanded its footprint over nearly two decades to service, secure, host, and support businesses in mature SMB and mid-market enterprise solutions throughout the country. ECW’s support staff is distributed across six different states within the U.S. and delivers 24x7 Cloud Hosting, Managed IT Support, and Managed Security Services.