Ransomware attacks are on the rise. When government is targeted, politicians take note. Attacks on Louisiana public agencies led the state to pass the first-ever bill specifically regulating managed service providers (MSPs). Here’s what you can do about changing MSP regulations.
Our most recent blog outlined the basics of the new Louisiana legislation. Talking with industry experts, we also examined the implications of the regulation for MSPs in general. This article extends that discussion with practical advice for service providers. Remain competitive as businesses and government bodies start better understanding all that’s at stake.
From the MSP's perspective, there's only so much a provider can do. “We can’t make our clients purchase things that we know will protect them,” noted Amy Babinchak, owner of three IT-related businesses.
The MSP can offer security options, but the customer can opt out. Plus, even with the “very best software configurations out there,” Babinchak said, “there is still the one wrong click factor.”
So, what’s to be done? One important strategy is to get any “opt outs” in writing. There is going to be a heavy emphasis on cybersecurity going forward, Babinchak said. If the client doesn’t want to follow best practices, get them to sign a waiver of liability.
Have the Difficult Discussions
In some ways, the MSP’s reputation relies on customer action. After 23 local Texas governments were targeted via their MSP, the state’s CIO said the ransomware succeeded because of bad practices at the local level, not at the provider itself.
“These organizations were impacted because they did not follow good cyber hygiene,” Kimbriel told his National Association of State Chief Information Officers audience. He suggested IT organizations need to install security patches and maintain strong password policies.
MSP Radio’s Dave Sobel says some service providers can be reluctant to present all available cybersecurity preventions and protections. Thinking the client won’t pay for two-factor authentication, and fearing it might lose the bid by charging for that added level of security, the MSP offers only basic services.
Yet the hard conversations have to happen, Sobel said. It’s irresponsible to know there is a better solution available and not offer it to the client.
Plus, it doesn’t help the industry’s reputation. According to Pew Research data Sobel cites, consumer confidence in technology has dropped 20 points since 2016. He noted, “technology is not viewed as the perfect solution to everything right now.”
Have a Say in MSP Regulations
Another action MSPs and MSSPs can take? Joining an industry organization. Babinchak started the MSP Regulation and Legislation industry Facebook group to address regulatory changes.
The group, founded just a few months ago, already has 501 members. Its goal is to give MSPs a voice in writing legislation and regulations. “Rather than have these things happen to us,” the group will put together position papers.
Sobel has talked with MSP owners who say they are doing more than any legislature could regulate. The problem is that this thinking doesn’t account for poorly written legislation. “If they write it wrong,” the business owner has to deal with red tape hassles. “It’s on us as an industry to get together and do this.”
While the industry is coming together to “do this,” MSPs and MSSPs can also educate customers. Users play a fundamental role in cybersecurity. The best firewalls, anti-malware, or data encryption techniques still require human users to do their part to work safely.
Play a Role in Raising User Awareness
Some businesses simply believe “that won’t happen to me.” Others are so desensitized that they regard cybersecurity attacks as an inevitability.
Yet MSPs and MSSPs are in a powerful position to help prevent ransomware and other types of cyberattacks. Top strategies include:
- Working with their clients to develop incident response plans — doing the planning in advance leads to better decision making and a stronger reaction when the worst happens
- Implementing multi-factor authentication, especially for any privileged accounts, for an additional layer of security to slow down the bad guys
- Promptly installing any security patches and system upgrades to shore up any weaknesses before cybercriminals leverage them against the MSP's clients
- Mapping all remote connection ports and immediately closing any that are unused yet remain open
- Creating offsite/offline backups for customers
- Installing Geo Fencing to restrict network access from IP addresses in particular regions
- Monitoring client environments and proactively addressing issues before they cause downtime
MSPs and MSSPs are a prime target for cybercriminals. Infiltrating one service provider can open the door to several targets at once. Those in the industry need to make the utmost effort to educate themselves and others about cybersecurity risks and best practices to thwart or mitigate attacks. Knowing about the latest in MSP regulations makes a difference too.
Want to amp up your security for customers? Check out the changes we’ve made in AccessEnforcer 5.0. Our simple-to-use Geo Fence policy instantly eliminates attack vectors by as much as 80%. The Gatekeeper feature shields systems from unauthorized users, stolen AD credentials, probes, scans, botnets, brute force, targeted attacks and more. Offer your customers simple and powerful security while you easily control the client networks and raise profits. Contact Calyptix today!