Many MSPs are struggling to keep up with the security needs of their customers. The volume of incidents, the cost of implementing security solutions, and a reactive approach put a lot of pressure on them. In the meantime, issues pop up everywhere, further reducing their ability to get a plan together. This often contributes to the overall decline of your IT relationship.
Today's business needs a cyber attack response plan, a managed EDR solution, and a recovery plan in place. A mature IT partner will proactively address these in their core service offering. As a business owner, how do you evaluate where your MSP is on security BEFORE you experience an incident? These three areas may offer some insight.
Security is required
This sounds harsh, but a mature IT partner will require their security standards be implemented. There should not be an option for the Client to "choose" to put their business at risk due to an uninformed decision. Since 2016 we have been implementing MFA across our Client base. It became clear that we had to incorporate this into our ongoing planning, not make it an optional project.
Today, having MFA is like saying you use a password. It is the most basic security step you can take. If your provider is not talking about how to proactively secure data, devices, and users with actionable and thought-out plans, beware. Backups and anti-virus simply are not enough!
Technology Roadmap with Security focus
First, many groups are not providing a technology roadmap. A review of hours and tickets from last month is not a roadmap; it's a rearview mirror. Ditto for reviewing the cleanup from the latest ransomware attack. If all the planning is triggered by reacting to something that "happened", security is not a focus.
Security should be "baked in" to the Roadmap. Most technology providers are behind and playing catch-up with random add-on and white-label services. A mature provider will evaluate what security standards (and solutions) need to be in place, add them to the Roadmap, and have them rolled out across all their Clients, not just those that want to pay for it!
Cyber liability insurance applications take forever
Cybersecurity insurance is a requirement to conduct business today. The shift started ten years ago and has accelerated drastically in the last 24 months. The application for cyber insurance is now multiple pages of in-depth questions about how your business technology is run and protected. Gone are the days of installing anti-virus and USB backup drives. For all the talk in the MSP space, many groups are still essentially doing that.
If your provider is struggling to "check the boxes" when completing your cyber liability insurance applications, this is a red flag. In addition to potential data breaches, this also leads to higher-than-necessary premiums or an inability to get coverage. A mature provider will have an established process to handle these applications and should be meeting a majority of the requirements.