In case you were wondering, working with an MSP can lower your overall cyber risk profile. If you have been reading about how MSPs are at higher risk of being attacked and wonder how both of those statements can be true at the same time, you have come to the right place.
MSPs do lower risk. Period.
Now, for the rest of you cyber security consultants, cyber insurance gurus, and other self-proclaimed experts whose expertise extends to the managed services profession, you may be scratching your heads and thinking to yourselves, "I thought MSPs were risky." We have addressed this so-called conflicting theory that MSPs could both be the cause of risk and responsible for lowering risk. I would like to address this issue, explain why this conflict may appear at times, and explain why MSPs reduce risk for their managed services customers.
First, We Define MSP
In my professional opinion, the belief that MSPs both are risky and can reduce risk to their customers can be most easily explained as follows: most successful security events leading to data breaches do not happen to MSPs but instead to break/fix companies. Now, nobody likes to think of themselves as a break/fix or reactive IT company, but the reality is, there are a lot of these types of companies operating today.
While we cannot prohibit reactive IT companies from calling themselves MSPs, we can define their behavior and delineate between how they operate compared to how MSPs (we will define this below) operate. The distinction between these two IT provider business models is everything! If you do not understand this difference, you will never understand the world of managed services and the evolutionary IT service delivery path all providers must travel.
Proactive vs Reactive
It would be simplistic to define MSPs as proactive and break/fix companies as reactive. While a true statement, we need to examine the business landscape more closely to fully understand how reactive IT companies evolve into providers of managed services.
Break/fix companies often possess similar characteristics as MSPs, which does make the identification process much more difficult. Break/fix companies can have RMM and ticketing tools, they can utilize recurring billing models, they can even call some of their offerings “managed services.”
Even having all these elements at play does not mean you are an MSP. It is how you use these attributes, the skills of your people, and the processes you invent (yes, I said invent) which define you as either a reactive or a proactive IT provider.
Do MSPs Get Attacked?
Yes, MSPs get attacked. It happens all the time, like it does for nearly all organizations with an active connection to the Internet. What defines risk is not the likelihood of being attacked but how well defended you are as an organization and your skill and preparedness in dealing with an attack that may be successful.
The mature MSPs (defined as those operating with more proactive processes) tend to suffer fewer successful data breaches than their reactive counterparts. That does not mean MSPs do not get targeted, and it does not mean MSPs do not occasionally have security incidents. What it does mean is that these MSPs are more likely to be able to a) defend against a security attack and b) recover quickly from such an event.
Compare this to the reactive IT provider who likely has less formidable security defenses and has not put much (if any) thought around how to recover from a successful security or data incident. The responses of an MSP and a reactive IT provider are remarkably different and make a world of difference when it comes to duration of outage, amount of monetary damage suffered, and ultimately the overall severity of the attack.
When we read stories about MSP attacks and risk, we are reading stories which do not differentiate between MSP and break/fix: this is a huge problem. Stories about insurance companies leaving the cyber insurance market do not factor in the split of claims between MSPs and break/fix companies (and these exits do not always involve MSPs; there are plenty of situations where cyber insurance companies pull back from such a business line because they do not understand cyber, which is a different matter from their understanding of managed services). The insurers probably believe they are just dealing with MSPs, since the extent of their due diligence on these providers is limited.
In fairness, managed services is a difficult profession to understand and even more so for those outside it. For those of us who have spent much time studying managed services, it is easy to understand what the high-performing MSP can do for its clients. The challenge is when you are presented with an MSP who may not actually be an MSP or may be an underperforming MSP.
When evaluating an "underperforming" MSP, the ultimate question is whether you are dealing with a reactive IT company posing as an MSP. It is important to acknowledge this reality while simultaneously realizing that there are huge differences between the two types of providers. This understanding is crucial to differentiating between MSPs and break/fix companies and to fully understanding the associated risk of these two types of organizations.
I am aware of how difficult all this may seem, especially to newcomers to the managed services profession. It does take time to become comfortable (and proficient) in understanding the different types of IT providers and being able to quickly sort them into effective categories. But identify and sort you must if you wish to effectively assign the appropriate risk categories to the appropriate provider type.
The good news is that once you have this categorization, you will be able to correctly assign risk and understand, allowing for a normal amount of variation and deviation from the median, the proper function of the MSP as an entity which does lower risk for its customers.