Legal Risks of Poor MSP Practices
8 January 2020 | MSP
Headlines are seemingly filled with stories of security breaches, specifically cybercriminals targeting SMB customers. Just recently, a ransomware attack was reported at an MSP based in Colorado that caters specifically to dental offices. KrebsOnSecurity learned that over 100 dentistry practices were affected by the ransomware identified as “Sodinokibi” or “REvil.” The IT provider refused an initial ransom demand of $700,000 for a key to unlock the customers’ infected systems.
The FBI and the U.S. Department of Homeland Security have been warning small businesses and their IT providers about these types of attacks. With reports of cyberattacks getting worse and government bodies taking notice, there is no doubt that the legal risks of poor MSP practices are increasing.
Why MSPs?
Cybercriminals find SMBs easier to attack, and they use the MSPs that manage those networks as their attack platform. An MSP holds credentials for its customers’ environments and has its management tools installed across all of their networks, so a single compromise of the MSP can reach every customer at once.
Common MSP Mistakes Leading to Cyberattacks
The 2015 Verizon Data Breach Investigations Report covered more than 2,100 data breaches. According to the report, over 700 million records were affected by data breaches in 2014 alone. With security risks to small businesses and enterprises increasing, MSPs play a major role in making sure cyberattacks do not spread to their clients. Here are some of the mistakes that contribute to security threats:
- Tool Delivery Over Solutions. Some MSPs do not strengthen the capabilities of the tech stack they deploy. Instead, they pile on tools, which leaves gaps in security coverage. They leave out solutions that are best consolidated, such as endpoint protection, threat intelligence, centralized log management, and host- and network-based intrusion detection.
- Treating an Anti-Virus Solution as the Sole Answer. MSPs often invite cyberattacks by failing to provide all-around security. For instance, they focus on virus detection and prevention but do not secure e-mail communications or implement MFA.
- Disregarding Partnerships With Security Specialists. Cybersecurity is not a core competency of many MSPs. As a result, they neglect to ensure that their clients can address the security concerns of their own customers. What follows are lost contracts and delayed projects.
- Inflexible Packages. Some MSPs forget that every customer has different needs and risks, and so they sell a single package to all of their clients.
- Poor Partner Selection. Although it is advisable to find a partner to make your vision happen, the choice is critical. Some MSPs fail to find partners that not only protect their clients but also allow operational efficiency, improved profits, and healthy margins.
What Are the Legal Issues MSPs Should Be Aware of?
Because of these attacks, the credibility of MSPs is at stake. MSPs may be required to show certifications to prove they are capable of securing their customers. Moreover, proof of proper cyber insurance may be required.
From a technical standpoint, and with the threat of cyberattacks not going away anytime soon, MSPs are advised to stop ignoring the need for advanced security and to act now.
After a cyberattack, it is possible that your client will take legal action against you, usually over lost revenue and disrupted operations. Don’t assume that a great relationship with your client alone will prevent this.
So what are these possible legal issues?
- Negligence Lawsuit. In this civil lawsuit, an MSP is sued for failing to exercise reasonable care while providing its service, resulting in damage to the plaintiff. As an MSP, you are expected to meet a standard of care. Although the U.S. has no single legal standard for cybersecurity yet, there are recognized security frameworks whose recommendations courts and regulators look to, such as NIST SP 800-171, the CIS Critical Security Controls (CIS 20), and NIST SP 800-53.
- Regulatory Enforcement. MSPs that fail to comply with PCI DSS (maintained by the PCI Security Standards Council) or with HIPAA, which is enforced by the HHS Office for Civil Rights, face penalties and fines.
- Breach of Contract Lawsuit. This lawsuit applies when an MSP fails to deliver what was agreed in the contract. If the contract promises a level of security and a data breach then causes the client losses, the client can argue that the MSP failed to deliver what it promised.
Ways for MSPs to Protect Themselves From Cyberattacks
If you want to reduce the likelihood of cyberattacks, which lead to lost revenue and reputational damage, you should follow this process:
- Assign a vCIO, or if possible a vCISO, to each of your clients and follow a QBR process, leveraging the audit templates that the Narmada platform provides out of the box.
- Assign an internal vCIO, or if possible a vCISO, and apply a QBR process at your own MSP. MSPs must also implement MSP-specific best practices and audit themselves regularly to find gaps, since they can be an attack vector against their own clients.
- Make cybersecurity your priority. You can partner with security specialists in order to succeed at addressing the security concerns of your clients. Doing it all on your own may prove challenging.
- Find an all-encompassing security solution. If you will invest money and time to protect your infrastructure and networks, make sure the chosen solution is complete. Besides virus, phishing, and spam detection and prevention, it should include e-mail security, up-to-date threat intelligence, and multi-layer scanning. Your cybersecurity solution should cover people, process, and technology.
- Create and communicate to the client your Incident Response Plan: Once a security incident occurs, the next worst thing that can happen is not having a good response plan. This can make the situation even worse and prolong the recovery.
- Make computer and network protection part of your daily operations. Monitoring your workstations and servers continuously allows suspicious activity to be detected quickly. Apart from using strong passwords, limit vendor access to your systems to the minimum required.
- Implement cybersecurity awareness training. Your users are usually the weakest link in cyber defense, so educate them and test their resilience against phishing and malware attacks.
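The monitoring and vendor-access points above are easier to act on with a concrete check. The following is an added example, not code from the original post or from the Narmada platform: it audits a constructed export of remote administrative sessions against a least-privilege allowlist of vendor and MSP accounts, the hosts each may reach, and the maintenance window during which they may do so. The log format, account names, host names, tools and time windows are all assumptions made for this example.

```python
"""Audit remote admin sessions against a least-privilege vendor allowlist.

Added example, not from the original post. Assumes (hypothetically) that
an RMM or jump host can export one session per line in the form
    timestamp,account,target_host,tool
All accounts, hosts and log lines below are constructed for the example.
"""
from datetime import datetime, time

# Constructed policy: which vendor/MSP accounts may reach which hosts, and
# the local-time maintenance window in which they are allowed to do so.
VENDOR_ACCESS = {
    "msp-rmm-svc": {
        "hosts": {"DC01", "FS01", "WS-RECEPTION"},
        "window": (time(1, 0), time(5, 0)),      # overnight patch window
    },
    "vendor-printers": {
        "hosts": {"PRINT01"},
        "window": (time(8, 0), time(18, 0)),     # business hours only
    },
}

# Constructed session export from a hypothetical RMM tool.
SAMPLE_LOG = """\
2020-01-07T02:15:00,msp-rmm-svc,DC01,rmm-remote-shell
2020-01-07T11:42:10,msp-rmm-svc,FS01,rmm-remote-shell
2020-01-07T09:05:00,vendor-printers,PRINT01,vnc
2020-01-07T09:07:30,vendor-printers,DC01,vnc
2020-01-07T03:10:00,unknown-admin,WS-RECEPTION,rmm-remote-shell
"""


def parse_sessions(text):
    """Parse the CSV-like export into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, tool = line.split(",")
        sessions.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "host": host,
            "tool": tool,
        })
    return sessions


def in_window(t, window):
    """True if clock time t falls inside (start, end); windows do not cross midnight."""
    start, end = window
    return start <= t <= end


def audit_sessions(sessions, policy=VENDOR_ACCESS):
    """Return (timestamp, account, host, reason) for every session that
    violates the allowlist: unknown account, host not permitted for that
    account, or session outside the account's maintenance window."""
    findings = []
    for s in sessions:
        rule = policy.get(s["account"])
        if rule is None:
            reason = "account not in vendor allowlist"
        elif s["host"] not in rule["hosts"]:
            reason = "host not permitted for this account"
        elif not in_window(s["ts"].time(), rule["window"]):
            reason = "session outside maintenance window"
        else:
            continue
        findings.append((s["ts"].isoformat(), s["account"], s["host"], reason))
    return findings


if __name__ == "__main__":
    for ts, account, host, reason in audit_sessions(parse_sessions(SAMPLE_LOG)):
        print(f"{ts} {account:16s} {host:13s} {reason}")
```

Run against the constructed export, the audit flags three of the five sessions: the MSP service account reaching a file server at midday, the printer vendor touching a domain controller, and an account that is not on the allowlist at all. In practice the policy would be generated from the access agreed in each client’s contract, and the session export would come from the RMM or jump host, so the same check doubles as evidence for a QBR that vendor access is actually being held to what was agreed.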
As an MSP, your challenge is not to provide just one solution, but to ensure that the right layers of protection against cyberattacks are in place. With MSPs under growing scrutiny, failing to provide effective cybersecurity will be a determining factor in your business’s growth or demise.
The bottom line is that on top of implementing a great technology stack, introducing a vCIO and QBR audit program which leverages the Narmada platform, will allow you to accomplish all of this efficiently.