Over the course of the last two years, the security reputation of managed service providers (MSPs) has taken a hit in the wake of several high-profile breaches.
Cybercriminals have determined the most efficient way to compromise multiple IT environments at once is to target the MSP that serves multiple customers. Those attacks, known as buffalo jumps, have led to multiple instances where malware was distributed downstream onto multiple customer platforms.
Some of those breaches even led the Louisiana secretary of state to publicly warn organizations to not rely on MSPs.
A new law subsequently went into effect in Louisiana on February 1st of 2021. The law requires MSPs and managed security service providers (MSSPs) that provide IT infrastructure services to public bodies to not only register with the state, but also notify the state in the event of a cyber incident, including any ransomware payments.
It’s now only a matter of time before other states implement similar regulations.
MSPs increasing cybersecurity budgets
A survey of 150 MSPs conducted by Perch Security, an arm of ConnectWise, finds that MSPs are raising their cybersecurity game in response.
A full 82% of MSPs surveyed indicated that the portion of their budget reserved for cybersecurity increased in 2020. Three quarters (75%) said those budget allocations will increase again, by 12% on average, in 2021.
That level of spending suggests MSPs have come to appreciate to what degree cybersecurity represents a potential existential threat to their business, said Wes Spencer, chief information security officer (CISO) for Perch Security. Many MSPs now assume a breach is inevitable. The issue now, he said, is how best to remediate a breach as soon as it’s discovered.
“We’ve seen a great maturation in terms of cybersecurity among MSPs,” Spencer said.
The biggest challenge MSPs face when it comes to security is, of course, the level of return that might be achieved from those investments.
Most end customers now routinely expect that whatever managed service is being offered is secure. As a consequence, convincing a customer to pay extra for additional security has always been difficult. The MSP clearly incurs a cost. However, asking a customer to pay extra for security can result in them revisiting the reason they might have selected a service in the first place. It’s a delicate conversation that can easily lead to a negative outcome for the MSP.
Unfortunately, the Perch survey also finds nearly three quarters (73%) of those surveyed dealt with some type of security incident in the last 12 months involving at least one client, with roughly a quarter of those incidents involving some form of ransomware.
As the number of cybersecurity incidents increases, it’s usually not too long before the end customer gets around to blaming the MSP for their troubles. Many MSPs are concluding the better part of valor is to embed cybersecurity capabilities into a service at a price point that accounts for the cost of delivering that capability. The issue MSPs encounter, of course, is they often wind up competing against rival MSPs that have not invested as heavily in security. That enables those rivals to offer a service at a potentially lower cost. The onus for convincing the end customer that security is worth the extra cost falls on the MSP that is ultimately trying to do the right thing by their end customer.
As unfair as that might seem, MSPs also know some customers are more trouble than they are worth. Any customer that is trying to drive the cost of a service down by comparing two unequal services is going to experience more cybersecurity incidents. The MSP that low-balled the cost of their service will inevitably be called upon to address those issues, with each incident further eroding whatever profits they had hoped to make on that services contract before the end customer decides to move on anyway.
Naturally, it will be up to each MSP to determine what level of security to embed versus attempting to monetize as a discrete service. The more discrete the service, the more it will require dedicated cybersecurity expertise that is often hard to find and retain.
On the plus side, advances in automation and artificial intelligence (AI) continue to reduce the total cost of cybersecurity. MSPs need to pay close attention to what cybersecurity tasks are about to become automated as they invest more in cybersecurity talent to manage tasks that might soon become more easily handled by a machine. AI isn’t going to replace the need for cybersecurity professionals any time soon. However, the nature of the tasks that require human insights will undoubtedly change in the months and years ahead.
In the meantime, what is certain is that over time, more security capabilities will need to be embedded in the core service. It’s next to impossible for an IT project to be launched these days without addressing cybersecurity concerns upfront. Many end customers are demanding more cybersecurity visibility into the underlying platforms that make up the supply chain on which a managed service is based.
Of course, that discussion also creates an opportunity to have an honest dialogue with those end customers. There is no such thing as perfect security. The issue of the day is not limited to preventing breaches as much as it is determining how an MSP and their customer can best collaboratively respond once a breach inevitably occurs.