Open Letter to Government Regulators Regarding MSP Security
To all local, state, provincial, federal, and international governmental bodies dealing with managed service providers
Speaking on behalf of many thousands of companies and individuals who make up the global managed services profession, I would like to set the record straight on a few matters: first, cybersecurity and the role MSPs play in global IT management; second, the recent attacks on MSPs; and third, our industry and professional response to these events and how the MSP profession can and should be utilized moving forward.
The Role MSPs Play in Cybersecurity
For several decades, MSPs have been on the front lines of defending their clients against IT attacks. Long before it was ever called cybersecurity, MSPs have been performing invaluable work, supporting clients, managing IT environments, and safeguarding information.
As more attention is placed on information security and the value of stealing that information becomes monetized by cybercriminals, the role and profile of MSPs become much more visible. However, this is no different than when banks began to be robbed. People did not stop putting their money in the banks; the banks merely started building bigger and stronger vaults.
MSPs are often the only real IT management and data security protections an organization has. Particularly for small and medium-sized organizations that have no meaningful internal IT management capabilities, the MSP is the only viable model for managing IT assets and protecting valuable customer data.
It is no secret there have been attacks on MSPs in the last year. Attacks on MSPs will continue. The motive behind the attacks seems quite clear. Beyond the apparent profit motive, the cybercriminals are attempting to breach MSP systems to access the customers. This is likely the motivating factor behind many, if not all, of the MSP attacks in the last 12-18 months.
MSPs are not less secure organizations and, therefore, better targets for cybercriminals. It’s just that MSPs are often the first line of defense, so anyone wanting to get to the customer would necessarily have to go through the MSP first. This is a natural evolution of the managed services profession and something the industry has been preparing for since 2000.
How MSPs Are Responding
The MSP community is aware of the risks and ready for the challenge. First, government regulators need to understand that an MSP standard does exist. The Unified Certification Standard (UCS) has been in existence since 2004. The UCS was developed by a group of diverse MSP organizations to be a purpose-built MSP standard.
The UCS is the foundation of what today is the MSP and Cloud Verify program. The MSP Verify is a report given to MSPs when they complete a rigorous review of their controls, policies, procedures, and security preparedness, both customer-facing and internal.
The MSP professional already has the tools necessary to self-govern. What we need is participation and feedback from government regulators. To be clear, our profession began this process many years ago, long before attacks on MSPs were happening.
MSPAlliance members met with European Union representatives in advance of GDPR. MSPAlliance has also provided guidance to FDIC examiners on how to evaluate MSPs involved in bank IT infrastructure throughout the United States.
The point is this: MSPs play incredibly valuable roles in defending and maintaining IT systems on behalf of customers all over the world. MSPs are not perfect, but they do represent the best hope of keeping cybercriminals in check and stopping cyber-attacks on customers.
MSPAlliance and the global MSP community want to work with government regulators in an ongoing and constructive manner. We want to hear from you and develop a discussion to solve the problems we all face.
If you represent a government agency interested in discussing the efforts MSPs are taking to safeguard themselves and their customers, please contact us.