Written by: Charles Weaver, CEO of MSPAlliance
Amidst all the discussion around MSP regulation today, an important question must be asked and addressed: are the threats to organizations really from MSPs, or from break/fix providers posing as MSPs? The answer to this question is critical for “MSP regulation” to proceed without unnecessary harm to real MSPs.
MSPs Are Not Break/Fix Providers
It is no secret that government legislators and regulators are focusing their attention on MSPs to respond to the increasing cyber-attacks on organizations, including state agencies and governments. MSPAlliance acknowledges these efforts to gain better MSP transparency as legitimate public policy oversight functions.
However, it is essential to educate these same regulators and legislators about the distinctions between break/fix providers and proactive managed service providers. These two types of companies are not the same and have many differing characteristics.
While we have written extensively on reactive vs. proactive IT companies, these discussions have occurred mainly within the IT channel and not in the public forum. The general public is not aware of managed service providers’ operational details, other than what they read in the media today. Government officials are generally not aware of the legacy of work performed by thousands of MSPs worldwide throughout the last 25 years.
The running of a managed services business must be practiced consistently to achieve even average results. As the last 20 years have taught us, tens of thousands of break/fix companies have begun to transition their business models to offer proactive managed services. As this transition continues to occur, it is essential to differentiate those MSPs who have achieved a level of professional competency from those companies still learning the trade. These early transitioning companies are mainly providing reactive or break/fix services and are most vulnerable to cyberattacks.
The distinction between break/fix companies and MSPs is important to understand if government regulators hope to achieve meaningful results from their regulatory efforts. More important is that MSP standards and certification frameworks already exist to aid government regulators in categorizing and assessing MSPs and non-MSP organizations.
Recent Cyber Attacks Have Exploited Break/Fix Companies, Not Just MSPs
In several of the more recent cyberattacks impacting end-user organizations, fault has been incorrectly attributed to the provider, which was explicitly called out as an MSP. At least a few of these ransomware attacks did not involve MSPs; based on initial reviews of their websites, the providers were reactive and break/fix companies. Despite how these providers market themselves, the fact that anybody can claim to be an MSP is an issue that must be acknowledged by our profession and any government regulator or legislator.
For governments and regulators to create effective MSP regulation and oversight, it is crucial to understand and define MSPs so that non-MSP organizations can be separated from the professional MSP community. Until this happens, any MSP regulation could unnecessarily impact professional MSPs and fail to regulate non-MSP entities.