Managing Risk as an IT Services Provider
Being an IT service provider has changed. Back in the day, it was enough to be good with computers and keep them running. Technology is now critical to almost every business on the planet. We rely more on email than on the telephone, and there is a whole generation of people who would rather text than talk. The more concerning part of this evolution is that criminals are exploiting that same technology not only to steal but to disrupt businesses and hold them to ransom, businesses that depend on their information and systems to transact daily. As the purveyor of those systems, how do you protect yourself and your clients from those risks?
The risk to your clients is on the news almost daily. That risk has also translated to IT service providers, because each MSP acts as the gatekeeper for hundreds and sometimes thousands of small businesses. The tools we use to reach our clients quickly and efficiently are also a threat to all of our clients collectively: an attacker who compromises the MSP's tooling inherits the MSP's access to every client behind it. This is the classic convenience vs. security trade-off. How many MSPs still give users admin access to their own devices simply for convenience? Likewise, are we being too cavalier with RMM tools, which run with an extremely high level of access on endpoints, servers, and networks? How do we balance serving our clients with keeping our systems (and theirs) secure?
As I write this, I have just taken off for an industry event in Dallas, Texas. The familiar announcement to put your own oxygen mask on before helping others is a reminder that as MSPs, we must put our own houses in order first. This article is not about how to do that; rather, it outlines a process for minimizing our risk in this new age of IT services. Step one, therefore, is to make sure that you are using a known framework to secure your own business and systems.
There could be endless debate on which framework to use and here are a few to choose from:
However, which one you use is less important than the fact that you are following a generally accepted set of rules, processes, and safeguards defined by a recognized body. Why does that matter? When you must answer the inevitable questionnaire, audit, or subpoena, it will matter that your answer is one the person or organization asking the questions recognizes. As the Boy Scout motto says, "Be Prepared."
Now, take that same framework (for consistency) and apply it to your clients. Build your software stack, training, and reviews around it. One major consideration for each client will be their cyber-insurance policy. What does the policy require? How are you going to monitor, review, and report on ongoing compliance with those requirements? Equally important are any regulatory obligations. Do they accept credit cards? Do they handle data covered by HIPAA or GDPR? Are they in a highly regulated industry like life sciences or finance? Consider these things as you build out their solution. Remember that you cannot prevent every bad thing from happening, especially since so many incidents are caused by human error, but you can, and must, be able to defend what you did do. The best way to defend your methods is to show that they follow an accepted security framework.
What about those clients that will not do what you tell them?
- Document your prescriptive solution, including the date it was recommended and the framework control it addresses
- Document their refusal to adopt the solution, ideally with a written acknowledgment from the client
- Revisit the solution at every review and document their ongoing refusal
Insurance is important because it is often the last remedy (that or litigation). Protection is most effective when everyone is insured. It is not enough for you to carry cyber E&O coverage. It is not enough for some of your clients to have cyber insurance. The least risk for all parties is for everyone to be adequately insured.
What if you do not want to add security to your services? Partner with someone who does and make it clear to all parties who is responsible for what.
Be consistent. In highly regulated industries consistency is often the key to compliance. Making sure that everything is done when it should and how it should, by everyone, is a keystone of keeping data safe.
Document everything: your configurations, the changes to those configurations, meetings, and so on. Automate reporting, and capture everything possible in your PSA/ticketing system so there is a timestamped record you can produce later.
Report monthly. Prepare, share, and archive reports on your internal compliance as well as your clients’ compliance, monthly at a minimum. For maximum efficiency, find a way to automate the creation and sharing of those reports.
Reassess annually. Requirements and security frameworks are constantly evolving. Review insurance policies, compliance requirements, and framework updates at least annually to keep your business and your clients up to date and compliant.
The risk of running an IT services business has greatly increased since I started almost 30 years ago. Following these processes can help you stay on top of those risks and minimize them.