Brian Jackson -

Balancing the risks as an MSP

There is a growing trend among partners in converting into managed service providers – but are there risks to this approach that the channel needs to be aware of?

This article can also be found in the Premium Editorial Download: MicroScope: MicroScope: Taking the steady approach to becoming an MSP

There’s a general consensus that the future for most channel partners lies in converting to become managed services providers (MSPs). Many already have. But life as an MSP is not all wine and roses, as a recent survey by LogicMonitor entitled The next-gen managed service provider makes all too clear.

The survey found that 84% of MSPs in the UK had experienced an outage or brownout (with an average of 16 outages in a year), and 41% had suffered lost productivity as a consequence. On the issue of cyber security, MSPs revealed that 80% of customers had been affected by cyber attacks and admitted they were “not very confident” in their ability to successfully address a cyber attack.

Around the same time the survey was published, it emerged that UK government proposals to update the Network and Information Systems (NIS) regulations included a threat to impose fines of up to £17m on organisations – including MSPs – that failed to put effective security measures in place.

With a majority of customers investing more in MSPs and broadening their range of responsibilities, the question for MSPs is how to ensure they can meet those responsibilities without buckling under the burden? How do they provide the service customers require in a world where outages and cyber attacks are increasing in frequency and sophistication?

Dave Mareels, CEO of cyber security firm SOC.OS, says: “MSPs need to take on specialist security staff and invest in security and protective monitoring products. While costs will increase, failure to deliver effective services may result in damages being brought against them. Security incidents could mean getting sued by their clients.” Rather pessimistically, he believes that “inevitably, some may go out of business as they fail to adapt”.

While acknowledging MSPs have a big role in securing the IT channel and businesses worldwide, Daniel Hurel, Westcon Europe, Middle Easter and Africa (EMEA) vice-president for cyber security and next-generation solutions, stresses that they are not wholly responsible for the security of every business.

“By putting the whole responsibility on MSPs, it could lead to companies becoming complacent,” he says. Every business needs to understand the responsibility it has to ensure its own cyber security, he adds, citing the Log4Shell attack as “a case study in showing how a simple line of code resulted in the potential breach of 90% of the worlds IT”. 

David Ellis, vice-president for security and mobility solutions at Tech Data EMEA, believes the government proposals can “only be seen as a positive step forward as it builds a standard framework to safeguard all businesses from attacks”.

“MSPs are key to helping mid-sized and SMEs [small and medium-sized enterprises] protect their businesses, as many of these users wont have the specialist skills to manage this area themselves. They should be able to prove that they follow good practice and adhere to NIS regulations,” he adds.

“The provision of these digital/IT services is critical to users in the way that other essential services such as water and electricity are. Ultimately, the NIS regulations are all about good practice and MSPs should be wanting to adopt these anyway – this just provides a standard framework.”

If and when the proposals become law, Ellis believes there will be an important two-fold role for the channel. “First, to make sure cyber security solutions are delivered to the right standard. Second, to help organisations address the cyber security skills gaps needed to meet this new standard,” he adds.

That might be a tough task if Martin Riley, director of managed security services at Bridewell Consulting, is right in his claims that “most MSPs lack the security architecture, design, governance and operational capability to ensure that customers are safe”.

“They can demonstrate compliance to ISO27001 and some offer compliance to ISO27017, but few ever actually audit beyond these compliance needs,” he adds.

In light of the government’s proposals, he warns that MSPs should re-evaluate their operations and how they are undertaken. “As balance and spend shifts towards improving cyber resiliency, more markets will shift towards larger cloud service providers and to maintain the profits they enjoy from delivering those services, MSPs will need to be prepared to invest,” he says.

Riley argues that, for many years, MSPS “have done the bare minimum and struggled to put appropriate cyber security controls in place to reduce the risk to their customers. This is evident over the past 18 months with the rise of supply chain attacks, a trend which we predict to grow in 2022.”

MSPs need to act now to implement robust cyber security measures that focus on separation of duties and reducing their attack surface, he adds.

Changing the MSP mindset

Lee Wrall, director at MSP Everything Tech, describes client security and satisfaction as “absolutely critical”, saying they should be at the top of every MSPs priority list. In the case of Everything Tech, this has led to the adoption of two-factor authentication (2FA) as standard across all clients.

“With over 3,000 users, this was a huge task,” says Wrall. “However, given this is the number one prevention against phishing attacks, we felt it was absolutely fundamental to ensure our customers were well-protected.”

Applying the maxim of “prevention is better than cure”, he says that while the time and effort required to mobilise 2FA was substantial, it is an even bigger task to respond to a ransomware attack, not only from a technical perspective, but also from a customer trust perspective.

The company also ensures customers are awareness trained, empowering them to identify potential risks to their business and take appropriate action in response. 

Many SMEs view security measures such as multi-factor authentication (MFA), password protection and password rotation “as time-consuming and inconvenient to users”, notes Gregg Lalle, senior vice-president, international sales and strategy at ConnectWise, adding that it’s up to MSPs to change the mindset and provide training and recommendations that will balance security with operational efficiency.

They need to show SMEs and their teams “in sufficient detail exactly why they need to adhere to a strict security policy and why some additional measures are important”, he adds.

There are never 100% guarantees, but to be prepared is half the victory
Patrick McCue, LogMeIn and LastPass

Citing research commissioned by ConnectWise that found 91% of SMEs were prepared to use an MSP, or switch MSP, to find the right cyber security solution, Lalle says: “Partners will need to raise their understanding across the entire cyber security discipline – from technical and customer service capabilities to training, automation and the ability to oversee a constantly expanding attack surface.”

He believes that today’s “worldly wise SMEs” are not just looking at the tools in an MSP’s offering, they are considering other critical elements such as an MSP’s ability and expertise.

Patrick McCue, global vice-president of global partners at LogMeIn and LastPass, says that MSPs need to plan ahead. “Plan for the worst, even,” he adds. “But most dont even have an incident response plan in place. What is the strategy if you lose power, or if youre attacked by a cyber criminal, or if you can no longer access key passwords? Those who do have incident response plans prepared are far more successful as they stay ahead of the curve, allowing them to be more operationally mature.

“MSPs have an ethical and legal responsibility to provide customers with reputable vendors to limit the possibility of cyber attacks, but it works both ways,” he says. “MSPs should review a ‘refusal of service’ document with new customers and decline to work with those who do not meet their minimum threshold of requirement.”

If MSPs are uncomfortable with a customer’s current network and products, “theyre probably ripe for a take-down. There are never 100% guarantees, but to be prepared is half the victory.”

Increasing resiliency and awareness

Customers are often not the best gauge of their own security. Rachel Rothwell, Zyxel Networks regional director of UK and Western Europe, makes the point that they “are often completely unaware of how at risk their businesses are – especially smaller businesses which fail to grasp the scale of the threats to businesses just like theirs”.

She cites a report that claimed 60% of SMEs went out of business within six months of a security breach. “MSPs have to take the lead, educate their customers on these risks, and deliver a service that can minimise the risk of business-critical disruptions, by testing frequently to ensure customers have the right security measures in place,” she adds.

Yana Vaysman, senior director and head of managed services at Avionos, argues that the best way for MSPs to ensure they don’t buckle under the burden of their responsibilities to customers is to adopt a collaborative and flexible support model, where one team member isnt bearing the brunt of urgent requests such as cyber attacks.

They should have a mix of team members that work on a global model, she says, adding: “They should also be around-the-clock with onshore, offshore and nearshore resources to support the team. This allows for backup coverage no matter where and what is going on, and a shared knowledge base is spread across multiple regions and offices to support this flexibility and collaboration.”

The knowledge base, made up of solutions, guides and troubleshooting instructions, can be shared between teams to mitigate risks and to provide continuity across different locations and time zones, holidays and time off taken by team members. 

Greg Jones, business development director at Datto, acknowledges that many MSPs are starting to build cyber resiliency plans to address cyber security issues. “But these plans should also include planning for brownout and adverse technology outages and not just focus on the cyber threat landscape,” he says. There are many free vendor-neutral frameworks to help build cyber resiliency.

[A cyber resiliency plan] is totally useless if nobody knows the plan or even the first critical steps within that plan
Greg Jones, Datto

He urges MSPs to test their cyber resiliency plan: “Call everyone within your business – even senior leadership – into an emergency meeting, dont give them any information about what the meeting is regarding.

“Say the following words, ‘We have just been hit by a major cyber attack, all systems are offline, what do we do next?’, and then for the next 30 to 60 minutes sit back and watch what unfolds before your eyes.”

The person who called the meeting should just observe and take notes. “This will highlight all the areas you need to work on and any holes in your plan. This experiment will always offer surprises along the way. Remember, it is great having a plan, but it is totally useless if nobody knows the plan or even the first critical steps within that plan,” says Jones.

“You might even find you dont have a copy of the plan printed out – someone might say, ‘Its saved on X Drive’, which is great, but could prove a problem if all your systems are offline.”

Know your limits 

Matt Scotney-Jones, Netwrix EMEA and Asia-Pacific (APAC) head of MSPs, believes that the key to getting the balance right between meeting customer expectations and not being flooded by requirements is prioritisation.

“If MSPs can get a view on what the majority of their customers are looking to achieve, it becomes easier to see the wood for the trees and create a reasonable solution portfolio. Just admit that its not possible to tick every requirement box that is thrown at an MSP,” he says.

MSPs should also look at consolidating their vendor numbers because, if they have too many, they run the risk of drowning under the weight of having to develop skills on plenty of products to support them – and a lot could have cross-over functions. “Its always been said not to put all your eggs in one basket, but consolidation can save valuable time and money,” he adds.

MSPs should also be willing to ask for help or advice from experts in the field. There are many resources available to help guide MSPs and ensure they dont over commit. A lot of vendors run advisory councils, “which is a great way of gaining knowledge from others and understanding what they might see in their market”, adds Scotney-Jones.

In the end, the biggest threat to MSPs could be themselves. Stew Parkin, technical operations director at MSP Assured Data Protection (ADP), warns that they need to know their limits.

“ADP knows its strengths, sticks to them and enhances them,” he says. “It’s so important to remain focused. All too often, the broadening of services is driven by sales, not technology.

“There is a very real temptation within the MSP market space to sell services around whatever the customer need,s and this is when they run themselves ragged – spinning too many plates, and running the very real and huge risk of them all crashing down.” 

Read more about MSP security

Read more on Data Protection Services