Written by: Charles Weaver, co-founder of MSPAlliance
As the new reports of attacks on MSPs have increased, the MSPAlliance has mostly remained silent. Beyond internal industry communications and programs to improve cybersecurity measures (something we have been doing for 20 years), we have not taken direct issue with any of these news accounts.
The time has come, however, for MSPAlliance to issue a public statement on the recent “opinions” voiced by some lawmakers (and non-technical writers) about the role of MSPs in our present day. First, we need to set the record straight when it comes to how MSPs can and should be used, and where the lines of responsibility should be drawn.
MSPs Make Mistakes
MSPs are organizations comprised of people. People are fallible and make mistakes. MSPs should make fewer mistakes than other types of IT organizations and should have more failsafe controls in place to lessen the impact of any errors, should they happen. Obviously, this does not always happen.
No profession is perfect. But, good professions allow for these mistakes to inform other providers so they can learn and advance their professional skills. Professions also operate best in a transparent fashion; something the MSPAlliance and its 30,000 members have long held as a core belief.
Customers Don’t Always Listen to MSPs
I have spent 20 years in the managed services profession and have heard countless stories of MSPs advising their customers, only to be told no. The reasons for the “no” can vary, but typically it is a factor of a) price, b) lack of awareness on the issues, c) a combination of these two.
I am reminded of the New Orleans storm Katrina and how it impacted so many thousands of businesses along the southern coast of the United States. Many of those businesses had refused to take necessary preventative measures to back up their data. When the storm hit, these same businesses went to their MSPs and expected them to magically restore their data. I’m sorry, but it just doesn’t work that way.
Recalibrate IT Governance Expectations
It is time that we recalibrate the expectations of customers related to IT management. If an MSP makes a mistake, they should be held responsible. I don’t think anyone would disagree with that. Between cyber insurance protection and other risk mitigation techniques, MSPs have numerous ways to protect themselves and their customers.
However, when the customer refuses to participate and does not allow for proper IT management, then the fault cannot and should not rest with the MSP. MSPs do need to inform their customers about the risks of modern-day cybersecurity. Beyond that, MSPs cannot force their customers into taking specific actions. MSPs can refuse to service their customers if that service falls below a minimum standard. Perhaps that will be a trend soon.
Until then, thousands of MSPs I know work tirelessly to advise and protect their customers, even when their customers have no idea what is out there trying to attack them. Customers need to take responsibility for their actions and should not look at their MSP as indemnification for their bad IT management decisions.