Recent events have reaffirmed the wisdom most managed service providers (MSPs) show in building comprehensive stacks around effective security safeguards that protect both their clients and their own systems. At the same time, organizations relying on managed IT security must understand that when they pressure their MSPs for cheaper options, the result is often more trouble than they bargained for.
A new cybercriminal practice is bringing these issues to a head: attackers are increasingly targeting MSPs directly. Success means breaching not just the MSP’s data, but exposing the data of all the MSP’s clients in a single attack. Needless to say, this opportunity has made MSPs into prized targets.
The trend has also made MSPs a target for new government regulations. A number of state and local governments—which happen to be MSP clients—have faced particularly challenging incidents over the past couple of years, resulting in new laws. In one of these events, a cyberattack breaching an MSP’s systems enabled attackers to then conduct ransomware attacks across four Louisiana school districts, precipitating the declaration of a statewide emergency. A separate but similar ransomware attack took Louisiana’s DMV offices offline. Another incident in Texas, again originating from an MSP breach, resulted in 23 towns being struck by ransomware.
Louisiana Secretary of State Kyle Ardoin addressed his peers on this topic in a speech critical of MSPs. “…many MSPs have not been upfront with their clients about the need to invest more in security,” chided Ardoin. “This leads to serious problems for their clients, and the MSPs themselves.” Louisiana then proceeded to approve Act 117, requiring the registration of all MSPs that work with public entities. Those registered MSPs are also legally bound to report to government authorities all cyberattacks and breaches that occur. The law went into effect in February.
And while the specter of sophisticated ransomware attacks evokes frightening scenarios and attention-grabbing headlines, the truth is that run-of-the-mill bad security hygiene is just as dangerous to MSP clients (and therefore to MSPs themselves). Poor employee practices and lack of security training can open the door to threats more easily than the cleverest program. Modern work-from-home policies only exacerbate this risk, allowing access to sensitive data and systems from outside of the central office while reducing visibility into employee behavior. Lost or stolen devices can lead to data breaches as damaging as anything ransomware can do. Nefarious insiders present risks and require monitoring and mitigation methods all their own. Over-focus on ransomware, and the other dozen security fronts you forgot to defend are sure to offer a brutal reminder. As an MSP, it takes a thoughtful, holistic approach to cover all your bases.
Again, I know firsthand the care with which most MSPs approach security. In my mind, the central issue here is actually the difficulty MSPs too often face in bringing clients to appreciate the necessity of investing in the safeguards they recommend. MSPs commonly trade horror stories about those clients that won’t stop asking to cut corners on security, for whom implementing their expertly layered security stacks built to prevent breaches is like pulling teeth. These clients can’t seem to understand that attackers love bargain security even more than they do. When the inevitable data breach occurs—when customers with exposed data leave for competitors, the business’s reputation is shattered, and regulators are calculating fines—that cheap security won’t look like such a deal anymore.
I also write this to bolster the resolve of MSPs to assertively resist clients pressuring them for ineffective security. MSPs are well versed in the kind of carefully constructed, layered security stack necessary to prevent successful attacks from all angles. Data encryption and access controls must be in place and capable of protecting data and devices, especially when it comes to facilitating remote work policies. Strategies leveraging two-factor authentication and even geofencing capabilities can provide essential protections on that front. A dedicated employee training regimen that continuously reinforces vigilance and best practices provides a crucial security layer. Endpoint security must be robust and effective. System and server isolation policies are necessary to keep attacks from escalating.
MSPs are experts in combining solutions to assemble a comprehensive security strategy worthy of customers’ trust. When a customer then has the audacity to ask an MSP to compromise those careful designs, it only compromises the customer’s own security. Given the reality that a single weak security layer is all cyberattackers require, businesses are only one “bargain” away from a breach.
Any MSP bending to budget security demands already knows that they’re playing with fire. And it’s not just themselves and their clients, but the MSP industry as a whole that will get hurt. By standing firm, educating customers to build their understanding of security risks and requirements, and turning down clients when absolutely necessary, MSPs ensure a more secure world and do themselves a service.