Channel, OT Security

The Importance of Compliance Reporting

Failure to comply with regulations can land you in both legal and financial hot water. One of the best ways to avoid either of those outcomes is to implement an effective compliance reporting protocol for your organization and your clients.

Kaseya’s Miguel Lopez
Author: Kaseya's Miguel Lopez

By going through the trouble of reporting on compliance, you will both be ensuring you’re fully meeting the expected requirements AND you’ll have the proof to show that you’re being appropriately diligent in your preparations.

Remember, compliance isn’t intended to be onerous, it’s really about ensuring comprehensive and consistent best practices are employed across the industry. For example, nearly every payment card info breach occurred at organizations that weren’t PCI DSS compliant at that time. If everyone play ball, everyone benefits from fewer breaches, thefts and leaks that hurt consumer and business confidence in digital systems.

Why comply?

If you aren’t keeping up with regulatory compliance, you are opening up you and your customers to painful and expensive legal actions if data is ever stolen, leaked or lost. Regardless of whether it was your fault or that of a bad actor, it’s still your responsibility to cover all of the bases to ensure you did everything within your power – and particularly what was expected – to defend the data you’re processing and hosting.

Additionally, you also risk having a major business disruption even if no one takes advantage of your lack of compliance. If you or your client is found to be out of compliance you might have to cease operations or pay a hefty fine, which could in turn lead to both a short-term continuity issue and long-term customer satisfaction and retention issues.

When your entire business is focused on managing and protecting your client’s data (and that of their customers), there’s not much appetite for sloppiness, particularly in such a high-profile area. And when it’s time to woo new clients, complying with relevant standards is a prerequisite box that you simply must check to be considered a viable vendor.

Where to start?

Luckily you don’t have to tackle every compliance protocol, but there are a few common ones that many MSPs should consider as a baseline.

Even if your client base wasn’t operating in an industry that traditionally fell under regulatory authority, with the introduction of GDPR in May of this year pretty much every business is now covered under this European law unless they are exclusively operating outside of Europe. And since the Internet doesn’t care what your zip code is, no business with a significant online presence is safe from falling under this broad authority as European customers or users may interact with your clients even if they’re not actively marketing or operating there.

If you have customers conducting any kind of online transactions, PCI DSS compliance comes with the territory. If you’re going to take credit or debit cards, you’re going to need the firewalls, security and rigorous password protection that come along with it. Data segregation and malware protection are some of the other areas you’ll need to invest in to meet PCI requirements for compliance.

HIPAA (Health Insurance Portability and Accountability Act) might seem irrelevant to your business if you’re not directly serving clients in the medical or insurance field, but it actually casts a far wider net than you may think. Not only organizations dealing directly with patient data comply, but new rules mean many of their vendors need to sign Business Associate Agreements as well, which extends many of the data protection requirements to ancillary businesses that may include some of your clients.

Running afoul of any regulatory body can cost you and your clients significant amounts of money: HIPAA violations can cost up to $50,000 each, PCI penalties run from $5,000 to $10,000 per month, and a GDPR fine can run 10 or 20 million Euros. With that kind of money at stake, it’s financially irresponsible to take your chances and ignore compliance.

The right tools and platforms simplify compliance

If you’re running your MSP on a hodge-podge of DIY solutions and bargain basement vendors, generating accurate and comprehensive reporting can be a significant challenge. But when you’re relying on high-quality end-to-end solutions for managing your client portfolio, compliance is practically baked in.

At Kaseya, we take compliance very seriously and don’t want it to be an undue burden for our MSP partners. We know you’ve already got your hands full managing your clients’ systems, so we’ve made it easy for our customers to generate the necessary reporting to meet the requirements of the various compliance bodies you deal with.

Compliance is also a moving target since every year threats evolve, and the standards companies are held to evolve along with them. Keeping up with these requirements is key, and a quality vendor will be your copilot for this never-ending journey.

Regardless of which vendors you rely on to serve your clientele, make sure that compliance reporting isn’t an afterthought (or ignored completely) to avoid downstream headaches that come from inadequate reporting or having to pay crushing fines for violations.

Miguel Lopez is senior VP of managed services providers at Kaseya. Read all Kaseya blogs here.