Why Are MSPs Still Struggling to Implement a Layered Security Approach?

In a June 2021 webinar with SKOUT Cybersecurity, Ben Nowacky, SVP of Product at Axcient, quantified the rising number of successful ransomware attacks based on Axcient data. “In 2019, we were seeing one to three successful ransomware attacks per week. So, not nothing, but not a massive amount. Starting in 2020, around this same time, that trend started to increase, and now we’re seeing anywhere from one to two successful ransomware attacks a day. Right now, in June 2021, we’re on track to see between two and four per day.” Ransomware, spear phishing, and other malware attacks have been increasing for years, but Managed Service Providers (MSPs) are still failing to provide the layered security approach necessary to protect clients. What’s standing in your way, and how are you planning to survive an attack?

#1: ‘It won’t happen to me’ mentality

Despite ransomware being one of the most talked-about cyber threats over the last decade, there are still some who believe they’re immune. Attacks per year are in the millions, the financial costs to businesses are in the billions, and shutting down after an attack is more likely than survival. Yet now we’re seeing attack success rates increase. The bad actors are winning in spite of the big, bright warning signs that have been flashing for years. While many have grown numb to the statistics, as an MSP, it’s your responsibility to secure clients with the assumption that they will get attacked. At this point, it’s not a question of if, it’s just a matter of when.

#2: Cybersecurity skills gap

In order for anything to get the attention it deserves, someone has to cheerlead the cause, get buy-in from the top, and from there, gain momentum for change. Unfortunately, in cybersecurity, there’s a lack of cheerleaders. Globally, we’re facing an estimated deficit of 4 million cybersecurity roles in the public and private sectors. While technology has advanced and there are a lot of developments in toolkits within cybersecurity, not enough professionals are focused on the actual attacks.

Until the role of Chief Information Security Officer (CISO) is seen as essential in business, MSPs often fill the role of security advisor. This puts you in a unique position to guide clients toward the multi-layer security protection they need. You know the risks, consequences, and solutions for business continuity, so it’s important to pass that knowledge, and those services, on to clients. While the industry attempts to close the skills gap, you have an opportunity to grow your business while keeping clients safe.

#3: Lack of cybersecurity responsibility

Without a designated CISO or similar role in an organization, who is responsible for security? Oftentimes it defaults to development teams, but human error is still the number one cause of data loss. Ransomware and phishing attacks start with bad actors, but they need employees to click the encrypted link, leave passwords unlocked, save files on desktops, and leave system doors open. Typically these things happen by accident, but well-intentioned people can take down entire organizations with innocent mistakes. James Mason, Sales Engineer at SKOUT Cybersecurity, says, “Now, there’s an inherent understanding within organizations that no single person should not have their finger on the pulse with cybersecurity. Everyone should understand.”

MSPs can’t do anything to stop human beings from being human, but you can emphasize the shared responsibility of cybersecurity with clients. Regular security training, faux phishing attacks to test readiness, and most importantly, comprehensive business continuity and disaster recovery (BCDR) solutions are critical for a layered security approach. Employees and business leaders alike have to understand their pivotal roles in protecting the business from targeted attacks via social engineering, shadow IT, and failure to adhere to security protocols.

#4: MSPs aren’t liable (until now…)

Historically, when a company’s data is hacked, they’re held responsible in the court of public opinion. Now, the blame is shifting from the business to the MSP in charge of protecting the business. Many states have recently passed laws holding MSPs responsible for attacks on clients. Breach notification laws require MSPs to publicly report cyber incidents and notify the state. Texas, Louisiana, Connecticut, and New Jersey have all passed new liability laws that could affect your cyber liability insurance, reputation, and ability to compete in the channel. Not surprisingly, the federal government isn’t far behind.

With these heightened and widening consequences on MSPs, it’s more critical than ever to take a layered security approach with clients. Now, MSPs are liable for data loss regardless of whether it’s in your control or not. So the question becomes, how much are you willing to risk in your own business to allow clients to forgo security? Some MSPs are wary of including data loss prevention as a standard and required service for clients, but allowing an opt-out could be fatal for both of your businesses.

Data protection is security

When a business loses data access, the business stops. It’s not enough to hope an attack won’t happen or cross your fingers that if it does, you’ll be able to recover. Today, you need to know exactly what will happen when data is compromised. What backup and disaster recovery solutions are in place for restore? If ransomware does hit, what are the next steps? Utilize the resources below to start building your layered security approach for uninterrupted business continuity.

About the Author:
Liz Mellem // Technical Copywriter, Axcient

Liz Mellem has been a freelance copywriter for over three years in the technology, education, and alternative medicine industries. She produces content, sales collateral, and email marketing campaigns that contribute to digital marketing strategies for sales growth and brand awareness. In her free time, Liz enjoys reading, exploring Austin, and Netflix with her cat, Harlem.