To MSP or Not to MSP? Hacks, Ransomware Make the Acronym a Challenge for Tech Companies

As MSPs increasingly become the focus of hackers and ransomware attacks, some are finding that even being identified as an MSP doesn’t carry the same cachet it once did. So they're forging new identities.

Being a managed service provider these days can come with a target on your back. As MSPs increasingly become the focus of hackers and ransomware attacks, some are finding that even being identified as an MSP doesn’t carry the same cachet it once did. So much so that some are looking to forge new identities.

Alvaka Networks, an Irvine, Calif.-based MS-…err… technology business, is one such company. Alvaka generally stopped describing itself as an MSP several years ago. The MSP label soured to the point that one prospect even said, “Oh, you’re an MSP? We don’t do business with MSPs. You guys get hacked.” Ouch.

But the customer wasn’t necessarily wrong. A poll by Continuum found that 83% of its MSPs’ customers reported cyber-attacks within the past 12 months and that 74% of the MSPs themselves suffered at least one attack. The damage can be great. One MSP recently estimated a $4 million loss due to a ransomware attack.

So what’s an MSP to do? Maybe stop using the name and step up its security game, according to Kevin McDonald, Alvaka’s COO and CISO and 20-year security veteran. Alvaka refers to itself as a full-service advanced network management and security provider. That’s language that more vividly and accurately conveys what the company can do for its customers, McDonald said. Alvaka also works very hard to differentiate itself through layered security efforts that make it less of a target, and it uses verifiable evidence like the CompTIA Security+ Trustmark.

“We generally don’t use the term MSP or MSSP unless we have to alleviate confusion with integrators, etc. It stopped making business sense some years ago and now the terms are often negative or meaningless,” McDonald said.

Likewise, Macnamara ICT, a London-based company, wanted to put the MSP moniker behind it because it didn’t reflect the company’s value with customers after investing in cybersecurity skills. And touting itself as a managed security services provider (MSSP) didn’t do the trick either, said Ciaran Kenny, managing director of Macnamara.

“We’re making the transition from traditional MSP to a ‘total technology partner’ to our customers. What we set about doing was a slightly scary conversation for both us and our customers. We had to admit that we didn’t have security expertise, but let’s talk frankly about how to address it while we went through the process. It worked,” Kenny said.

Does the Name MSP Still Have Value?

One challenge with the MSP label is that essentially anyone can call themselves one. There is no formal standard or certification required to use the acronym. You’re an MSP? I’m an MSP too. That leads to a lot of confusion in the market and widens what can be a large gap between highly skilled managed service and security providers and those just claiming to be. And that hurts the entire industry, according to Mark Essayian, president of KME Systems, Lake Forest, Calif.

“I created a term ‘technical janitor’ for MSPs who think they are doing a good job updating servers and doing basic help desk. That’s not an MSP and it cheapens the term,” Essayian said.

KME Systems describes itself as a “business partner for IT service,” according to Essayian. “I also see firms calling themselves MSSP where they don’t have the proper resources or ability to truly protect a client. It cheapens the name MSSP also,” he said.

McDonald agreed, noting that too many companies use the terms MSP and MSSP to wrongly convince people they know what they’re doing. “But managed services, and especially cybersecurity, is not something you can pretend to do. A lot of people are paying for smoke and mirrors,” he said. “Unfortunately, some in the industry are diluting the term by failing to deliver.”

Alvaka has had to take on several "rescue" projects in the last year and a half, helping businesses that ran into trouble using companies purporting to be managed services and security experts.

“It is clear from very public stories, not everyone in the MSP community is securing their tools, doing their critical patching, using multi-factor authentication and other basic IT hygiene,” McDonald said.

Meanwhile, Macnamara also has raised its profile, earning opportunities with bigger customers along the way, by investing in security and shedding its identity as just another MSP in Google searches, Kenny said.

“By focusing on security, we are in a far healthier place in terms of control of information, which of course is the lifeblood of what we do. We spend less time on passwords and finding information and more time being proactive,” Kenny said.

Promises Don’t Fix Problems, Solutions Do

Finding a post-MSP identity has been a boon to Alvaka, KME and Macnamara, but forging that identity took commitment, resources, and investment to prove to customers that it’s more than just a name change, especially with ransomware and hacks making headlines every day.

“Stop issuing these hyperbolic statements like ‘We got this 100%.’ It’s not true,” McDonald said. “If the CIA, NSA, and others can get hacked, nothing is 100% and claiming to be is disingenuous. I can’t attest to whether or not we’ll win, but we’re putting our best foot forward and working toward becoming better at service delivery and more secure every day. We’re not winning business because we are or were an MSP. We’re winning because of the value we bring and because we do what we say we’re going to do. That’s the key.”

So, what could help restore the MSP label to its former glory? It’s a loaded question, said Essayian.

“Perhaps the strong voices in our community discussing/blogging what is a good MSP from their viewpoint so we can ‘benchmark’ against. Awareness is key. You can’t choose between good, better, best if you don’t know what is good, better, best,” Essayian said. “Also, various levels of MSP are needed. I often use a chef analogy as people like to eat. Take three chefs and put them in a supermarket, tell them you are hungry and make me something to eat. You’ll get three very different meals depending on the chef skill level and imagination.”

Don’t Forget Cyber Insurance, Threat Intelligence

The term MSP still has value in the current market. CompTIA has a very vibrant Managed Services Community, after all, that collaborates on best practices and creating value, but the market has matured to the point where many companies performing those services need to do more—and customers are demanding more too.

“MSPs haven’t evolved to accurately describe what our clients need from us. We strive to be a business partner, who understands corporate needs, aligns with the organization goals and guides their technology decisions,” Essayian said. “Some MSPs think endpoint security and a firewall are enough, and it might be for a small firm, i.e., your hamburger and fries. Larger firms know they need tools, processes, and compliance. Do it right and you get sous vide duck and salad niçoise.”

Finally, the last thing any MSP wants to do is put itself in a position where its own future is at risk, but one mistake can make a company vulnerable. Cyber insurance can ensure your business is protected from the immediate losses, but it’s not something that all MSPs have. In addition, access to real-time threat intelligence through law enforcement relationships and initiatives like the CompTIA Information Sharing and Analysis Organization (ISAO) is a minimal investment that helps to differentiate your value beyond being “just an MSP,” McDonald said.

“You can’t defend against what you’re not aware of. That’s why the CompTIA ISAO is a critical component. It gives us the information and access to resources to help us better respond to customers. Where’d you get your information? A news story? That could be way too late. By the time you get it, it could be destroying companies out there,” he said. “What happens when you and your customers get hit with ransomware and you are uninsured? You likely file for bankruptcy and walk away? You’re not helping yourself, your clients, or the industry by doing that. As a community working together we have a chance. It’s not too much to expect that we do the basics, get cyber insurance or join an ISAO, and it can mean everything.”

Learn More About the CompTIA ISAO and Join Today.

