Guest Column | October 14, 2021

What You Need To Know About How The Delivery Of IT Services Is Changing

By Dave Sobel, The Business Of Tech Podcast


There is a fundamental shift underway in the way IT services are delivered.

The Kaseya breach in July of 2021 sent a tremor through the IT community, which reacted with shock, with anger, with outrage, and, most tellingly, with what appeared to be surprise. Perhaps we need to revisit the history.

On October 3, 2018, CISA warned about a previous two-year history of threat activity against managed services providers. CISA warned, “MSPs generally have direct and unfettered access to their customers’ networks and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

Managing supply chain risk was highlighted in that advisory. And in the timeline, 2018 is not even the first warning.

And that is before mentioning SolarWinds and the supply chain attack there. From my vantage point, this is a repeat of history, not something new. ProPublica published an entire piece on MSPs as targets in September of 2019.

This is not to criticize the vendors. They have enough resources to solve their problems. Instead, let’s focus on what’s happening to providers.

On September 2 of this year, CISA issued specific guidance to the customers of MSPs. In the section on the contract between the MSP and its customer alone, the agency recommends the following:

  • Detailed guidelines for incident management, including the MSP’s incident response responsibilities, warranty information, compensation for service outages, and plan to provide continuous support during a service outage.
  • Remediation acceptance criteria that define the steps the MSP will take to mitigate known risks.
  • A Software Bill of Materials or similar verification of the security of any software the MSP will use to provide its services.
  • Statement from the MSP on how data from different clients will be segmented or separated on the MSP’s networks.
  • Detailed guidelines for log and records maintenance, including requirements for the MSP to provide secure storage of backups and for detailed records of when accounts are accessed, by whom, for how long, and what actions were completed.
  • Direct access to security logging information, network intrusion detection, and anomaly analysis data telemetry from all systems managed by the MSP that support the service being procured.
  • The ability for the customer organization to examine the systems that directly and indirectly support the contracted service on-demand by the customer organization with appropriate data handling considerations.
  • Documentation of MSP’s financial health, performance record for other clients, and disclosure of any previous legal issues.

Think about these questions from your customers. Are you prepared to answer these requests?

Consider what customers are being advised to understand. They want to know that their IT partner is financially viable and stable. They want to have access to examine the details of your service. They need to have access to your logs. They want access to your records. They want your operating procedures on how you keep customer data separate. They want to know all the software you use in their network. And they want to know, up-front, exactly how you’ll handle an incident.

So much for the customer not caring what tools you use. Now your tools themselves may be viewed as a threat to the customer’s environment.

For the longest time, IT providers and MSPs have wanted to have a seat at the table. To have their services valued. To be in the C-suite.

Well, now it has happened. And these are the questions of scrutiny that are coming.

Now, I can hear many people saying, “Oh, my customers won’t ask me these things. My customers trust me. They aren’t sophisticated enough to ask this. They don’t care.”

Let’s assume for a moment that is true.

Do you know who will care? The lawyers, when something happens. When a breach happens, and it will, because it is simply a matter of time, these are the questions that will be examined.

And no tool will solve this. Even if there were a magic tool, its licensing agreement would ensure that no actual liability transferred to the vendor.

This is a process concern, and providers are going to need to spend far more time managing this risk than ever before. Are you ready for a customer’s examination of your processes? Are you ready for the lawyer who will come knocking? Or for the insurance company that will ask these same questions before offering you cyber insurance?

That all said, this is not new. It’s not innovative. These policies and procedures are available. They are resources to build upon. While the timing of implementation is up to each provider, developing them is an opportunity for collaboration: the community already has these resources and can improve on them together.

My challenge to the IT and MSP community is this: the next time you wonder whether you are using the right PSA (professional services automation), RMM (remote monitoring and management), antivirus, backup tool, or any other tool in your toolbox, spend that time instead making sure your policies and procedures are ready: streamlined, transparent, and ready not only to use but to show your customers.

The real opportunity now is being excellent at managing this process. Not every customer will be asking for it right now. The ones that do, however, will be the customers of the highest value. Strength in delivery of these procedures offsets any possible advantage in tool selection and propels a provider far ahead of any competition.

With cybercriminals themselves now competing for an SMB’s bottom line, fight that competitor with the same guidance being given to your customers. That’s a winning strategy.

About The Author

Dave Sobel is the host of The Business Of Tech and a leading expert in the delivery of technology services with broad experience in both technology and business. He owned and operated an IT Solution Provider and MSP for over a decade, both acquiring other organizations and eventually being acquired.