From acceptable use policies through vulnerability management, there are a lot of aspects of cybersecurity for MSPs to cover with customers. It can be overwhelming—and maybe impossible—to be an expert on everything. After all, one weak link could put both your information and your customers’ information at risk.
To help MSPs get started in cybersecurity—or take more advanced steps to becoming true cyber experts—members of the CompTIA ISAO Cyber Fundamentals SME Workgroup created a pair of whitepapers that explain a number of security topics, detail why they are important, and provide some resources to help.
Both papers are available to download here:
- Fundamental Cybersecurity for Managed Service Providers
- Advanced Cybersecurity for Managed Service Providers
Both guides were developed after workgroup members discussed how many MSPs still struggle to adopt security frameworks and implement processes within their own businesses.
“It was almost like a deer in headlights situation where many MSPs did nothing because they didn’t want to make a mistake and pick the wrong framework,” said Bryan Hornung, CEO of Xact IT Solutions, a Marlton, N.J.-based MSP. “We felt it would be good to create a baseline framework any MSP could follow.”
Many MSP organizations don’t realize the amount of risk their businesses face all day, every day, according to Justin Weeks, vice president of cybersecurity and compliance at Aligned Technology Solutions, an Alexandria, Va.-based MSP.
“And those who do realize the magnitude may not know the answer to the question ‘What should I do next?’ That, combined with increased regulation, consumer demand, and businesses demanding better security of their partners, made it clear that some guidance was needed in the marketplace,” Weeks said.
Security Tips for Everyone
One thing the group decided from the outset was to create separate documents to ensure that both security novices and experts had information and guidance on how to improve their cyber resiliency.
“We created these papers to start working on a standard for MSPs in the security space, to provide guidance on the critical things that should be done as a minimum to keep MSPs and their clients’ environments secure,” said Robert Paradise, CEO of Attain Technology, a Providence, R.I.-based MSP. “Fundamental security is something every environment should strive to meet, and the advanced paper might be for complex network environments or larger networks and/or environments that have some compliance need.”
All MSPs should be following at least the basic information and ideas contained in the Fundamentals paper regardless of size, region or vertical focus, said Weeks.
“It’s the minimum we should be offering to our clients as a service. By following the fundamentals you can truly eliminate a large amount of risk to your organization and to the clients that you serve,” he said. “There are very few people who can say that you weren’t attempting to do the right thing by implementing the fundamentals.”
Meanwhile, the Advanced paper is for organizations that have already mastered the fundamentals and want to continue their security journey internally and with their clients, Weeks added. “It’s not ‘advanced’ in a way that you don’t need it, but in the way that it’s the next logical step. A good number of the advanced items are in demand by clients, insurance companies, partners, and regulators.”
Protecting Client Information, Networks Is Serious Business
When MSPs don’t treat cybersecurity as an important part of an IT environment, and a customer pays the price, it reflects poorly on the entire MSP industry, said Paradise.
“Some MSPs take it seriously and some clearly do not. I am still seeing very insecure networks as we migrate new clients and that tells me that some MSPs are not making the right recommendations or not implementing them effectively,” he said.
The problem, added Hornung, is that there aren’t any mandates or regulations regarding cybersecurity for MSPs.
“An MSP can choose whether they provide security services on top of traditional MSP services. What’s important is that you communicate whether you do security or not, and if you do, be able to articulate the process and framework you follow,” Hornung said. “MSPs can take these whitepapers and start to build a security framework within their business. Once they have the fundamentals in place for choosing and implementing a framework, they can grow into implementing more industry-specific frameworks.”