The cybersecurity landscape evolves rapidly. Bad actors are constantly finding new vulnerabilities to leverage. Small businesses often find it challenging to keep up with the latest threats and types of attack. They may partner with a managed service provider (MSP) to take the necessary steps to limit exposure. This article, the first in a series, explains how a cybersecurity standard of care helps establish a threshold for reasonable expectations and implementation of best practices with an MSP.
The principles embodied in a standard of care are not unique to cybersecurity. You’ll quickly find references to standard of care in legal, medical, engineering and other professional communities. These standards outline the degree of “care” a professional should demonstrate with their clients, patients, or customers. When it comes to IT and cybersecurity, the standard of care can easily get quite technical and overwhelming.
As noted on law.com, “what constitutes reasonably prudent cybersecurity practices, is not a black-and-white issue.” Cybersecurity standards change regularly. Plus, they vary based on industry, applications, and client resources. And the expectations of an MSP and its customers may vary too. So, what’s to be done?
The solution is not to abandon any standard of care altogether. A doctor works diligently to provide care to identify and treat a patient’s unknown illness. Similarly, it's important to recognize the imperfect realities of cybersecurity and each small business’s unique situation. Embrace a framework with a standard of care to drive constant improvement and enhanced security.
By enshrining a standard of care in a contract or terms of service, the MSP’s “reasonably prudent cybersecurity practices” are clear from the outset. The small business owner also identifies its unique needs. This benefits both parties. The provider and small business owner now have shared expectations. As a legal note, a contractually set standard would give rise to potential contractual liability.
The agreed upon standard of care could also reflect or incorporate requirements outlined in regulatory, industry or other authoritative standards. There are cybersecurity standards for healthcare compliance (e.g. HIPAA), financial transaction compliance (PCI DSS) and government compliance. For instance, Louisiana in 2020 became the first state to regulate accountability for MSPs doing business with government clients.
Identifying the right standard of care for any small business client must consider its unique environment, resources, data, and situation, especially any underlying obligations it may have to others. Obligations may be owed to its customers, employees, financial partners, or service providers.
There is never going to be a “one size fits all” model for cybersecurity. A small business owner doesn’t have to rely strictly on an MSP’s view of appropriate cybersecurity standards either. A small business with its own standard of care can better optimize its expenditures around IT. Developing a standard requires identifying cybersecurity priorities amidst an organization’s unique threat landscape. This helps the business focus on its most critical areas of need.
If the business decides to partner with an MSP, its own standard of care can provide a framework for questions and due diligence, including evaluating potential vendors, and a benchmarking tool to track progress over time. Demonstrating strong cybersecurity standards illustrates commitment to customers, employees, and partners. This will provide a competitive advantage to win new business, safeguard current clients, and achieve long-term success.
Establishing a standard of care is challenging. The goal for any small business owner should be to stay focused on the business operations at hand, and not cyber threats. Implementing a standard of care at the start can help. The first step is for the small business or its MSP partner to develop a risk profile to better understand necessary steps to limit access.
At a bare minimum, a professional IT providers should adhere to guidance outlined in public service cybersecurity announcements published by NSA, DHS and FBI regarding relevant tools such as RDP and Microsoft Exchange. It’s also not unreasonable for a small business owner to expect a professional to stay abreast of NSA guidance issued on matters such as a Zero Trust Security Model. This model limits access using a least privileged access approach or with a Zero Trust Network.
Whether arising by contract or tort law, a standard of care becomes the measure of accountability for both MSP and small business. Cybersecurity lawsuits will become more common as the courts seek to uncover root cause and accountability. This makes a standard of care critical to establish reasonable expectations for implementing cybersecurity best practices.
Think of it this way, the web is only as secure as its weakest link. Establishing common security requirements helps manage risk on a broader scale. It’s like the “rising tide lifts all boats” metaphor suggests. Enhanced security at a single small business can help make it more difficult for the cybercriminal to find and exploit attack vectors.
The MSP, the small business owner, the IT team, and their lawyers all need to understand how to avoid contract breach, negligence lawsuit or regulatory enforcement. As this article has discussed, avoiding legal woes is not the only reason to establish standard of care, but it is an important one.
To help you grasp this complicated, yet essential topic, look for upcoming installments. This series will explore various standards of care and different applications to industries before going into more detail about the MSP’s responsibility.
Calyptix Security aims to help small businesses in all industries and our IT partners achieve effective cybersecurity standards of care. AccessEnforcer is purpose built as a service to provide all-in-one network security and management and offer enterprise-level security at a small business price.