MSPs Are Impacted by Client Risk
Written by: Charles Weaver, CEO of MSPAlliance
In the wake of the Louisiana MSP registration law and US Secret Service warnings concerning threats to MSPs, it seems appropriate to provide some context to the regulatory and legislative activities impacting MSPs today. One of the areas least understood by non-MSP professionals is the interrelationship of the client and the MSP. Until this unique symbiosis is understood, effective regulation and legislation will be challenging to achieve.
Amateur MSPs Do Exist
The first point we can concede is that amateur MSPs do exist. The definition of the amateur MSP is necessary absent a more official designation so that the public can effectively and quickly understand the type of MSP with whom they are dealing.
MSPs do not need a license to practice. MSPAlliance has always maintained an anti-licensure position as such a step would neither guarantee the quality of services nor expand the number of MSPs practicing (a problem we currently face as more organizations need to outsource their IT management).
Without such a designation, MSPs must be able to demonstrate proficiency in several operational and technical areas so clients can make informed decisions concerning their IT management and outsourcing. The need for MSP transparency becomes even more apparent when evaluating MSPs at different stages of their maturity. Many clients do not need full IT management outsourcing, having some internal IT staffing and capabilities already. Other clients, having no significant internal resources available, completely outsource their IT management to MSPs.
There is great diversity in the IT management needs of the general public. IT management skillsets, pricing, flexibility, availability, and a great many more variables impact the sourcing and selection process of an MSP. For many clients, amateur MSPs may be the best option for handling IT management. Others may not have such a choice.
Client Risk to the MSP
Implicit in any managed services relationship is the existence of risk. Merely having a computer or a server connected to the Internet poses a risk for the user and the organization. Medical, banking, and legal clients pose even greater risks to the MSP as the type of data is more valuable to cybercriminals. Some managed services clients understand these risks; others do not.
While MSPs offer a vast wealth of knowledge, technical expertise, and IT management resources, those resources matter little if the client is unwilling to accept the recommendations. For example, an MSP may suggest to the client the implementation of multi-factor authentication as a simple yet effective security prophylactic. Yet, if the client refuses this suggestion (perhaps due to cost or perceived inconvenience), the MSP now has a critical decision to make: maintain the relationship with the client and do the best job possible, or abandon the client as too risky.
These types of choices are presented to thousands of MSPs every day throughout the world. Non-profit clients may have legitimate budget constraints and cannot afford regular IT security practices. Other clients may refuse to implement standard IT management best practices because they believe it will harm employee productivity.
The MSP must decide on how they will deal with such clients and the inherent risk they pose to the MSP.
Legislation of the Client or the MSP
MSPs rarely have unilateral control of the IT management practices of their clients. Even when MSPs obtain “trusted advisor” status with a client, the client organization must make decisions based on information presented to them by their MSP.
As regulators and legislators deliberate on whether to act on MSPs, we urge those bodies to consider the unique position MSPs have in our world today and respect the delicate balance between trusted IT advisor and IT management decision-maker. These are very different roles between the MSP and the client and must be thoroughly understood for effective MSP regulation and legislation to exist.