Sometimes, it can feel as if half the job of running an MSP is working as an unpaid cybersecurity consultant to clients. Speak to anyone in the industry, and they can tell you scary stories about clients who wanted passwords disabled, encryption “turned off”, or backups “made invisible”.
Whilst such requests are good for a laugh, perhaps MSPs should not be so smug about their own cybersecurity. Despite lecturing clients on the need to keep their systems secure, almost 50% of MSPs admit to investing in cybersecurity measures only after experiencing an attack.
Yep, that’s right. MSPs are getting much better at understanding business processes, leveraging the power of MSP business insights, and building customer support systems. They are less good at securing their own systems.
In large part, this is due to a number of misconceptions about data security. Some of these concern threat hunting. Others are simply a reticence to recognize the scale of the cybersecurity threat that MSPs face. In this article, we'll take a look at these misconceptions, and explore the ways that your awareness of them can be used to prepare your business against cyberattacks.
1. A Firewall Is Enough
Ten years ago, there was a widespread assumption that internal networks could be protected by a firewall. Despite ample evidence to the contrary, that idea is still common. The truth is that the vast majority of malware is delivered via email and the Web, and standard firewalls are incredibly bad at spotting malicious traffic in these mediums.
To make matters worse, clients who are given control of their own firewall will quickly attempt to undermine its effectiveness. They won’t mean to, of course, but after being blocked from downloading a “really useful” app, most users will simply whitelist the relevant site.
2. Cybersecurity Is Cheap
This is a particularly widespread myth among MSPs. We’ve got loads of smart, well-educated computer engineers in-house, goes the thinking. Why do we need to buy expensive cybersecurity software?
Well, here’s an analogy. You probably haven’t let your dev team design their own home-brewed payment processing software, right? Why not? Because you don't trust them to make it secure against theft and hacking. Instead, you rely on professionals who are specialized in that field. Cybersecurity is no different.
It's true, of course, that some cybersecurity solutions aren't cheap. But that doesn't mean they aren't good value, especially when you factor in the cost of a successful hack.
3. I Won’t Get Attacked
This is another commonly held belief among MSPs, albeit one that is slightly more explicable. If you provide services to a bank, for instance, you might think that hackers would go after the bank rather than their MSP. But you would be wrong.
In reality, MSPs are a huge target for hackers. That’s for a couple of reasons. The first is that they hold data on a whole array of clients, so an attacker gets two (or three, or a dozen) hacks for the price of one. The second, as we hope is becoming clear, is that the data held by MSPs is often poorly secured in comparison to the security in place on their clients’ systems.
And if you need further convincing, just think: tiny businesses and even private individuals get hacked all the time. It’s estimated that 20 percent of cyberattacks that result in a data breach affect small businesses with fewer than 250 employees, and the financial impact of these hacks on everyday consumers is huge. (Learn how to classify data from different standpoints, including general security, backup, disaster recovery in our article.)
4. We’ll Be Able to Handle It
This one is not a problem just for MSPs but is rife across many industries. If you have in place a breach mitigation plan, and all your systems are backed up, it can be tempting to think that you’ll be able to recover from even the largest hack.
But are you sure you would even spot an attack if it occurred? Research shows that 81% of reported intrusions are spotted not by internal security processes or systems, but by external sources such as news reports and external fraud monitoring agencies.
5. Passwords Are Enough
This one is less of a myth and more of a reminder. It’s true that a well-designed password-protected system is pretty secure. But only if it is used correctly. As an MSP, you have a responsibility to remind your clients that the security protections you’ve put in place in your software – including the requirements for unique, strong passwords – are there to protect your clients, and not annoy them.
Which brings us back to where we started, in fact. Because, whilst you are checking that your clients are using your systems in the way they were designed to be used, take the opportunity to put extra protection in place for them (and you). Recommend that they use a secure VPN and invest in their own threat detection and mitigation software, and you’re also protecting your own systems into the bargain.
Further reading Zero Trust Security Model: The Biggest Advantages and Obstacles
The Bottom Line
Ultimately, allowing yourself to believe any of the myths above has a financial cost. This can come in the form of lost revenue caused by a hack, damage to your reputation, or even fines for not protecting data enough.
For that reason, the best approach for most MSPs will be to look at the cost of cybersecurity alongside the rest of their financial KPIs. By balancing the costs of good cybersecurity against the possible costs of a hack, you will be able to see this investment for what it is: a way of ensuring the sustainability of your business.