Use Service Agreements to Encourage Positive Cyber Hygiene
Written by: Charles Weaver, CEO of MSPAlliance
As MSPs support millions of work-from-home users, it is about time we have a candid discussion about implementing positive cybersecurity and cyber hygiene among managed services customers. MSPs are expected to behave safely, and so should their clients. Neither can be safe if the other is unsafe.
Service Agreements as Compliance Tools
There are many reasons MSPs should use service agreements in their practice. By now, it should be commonplace to see service agreements offered to clients wanting to engage the services of an MSP.
Beyond the obvious utility of defining price, the scope of the work, choice of law, and other helpful business decisions, a service agreement can be particularly useful in encouraging positive cyber hygiene on the part of the client. How would it do such a thing? Let’s examine.
Cyber Hygiene Encouragement from MSPs
In the end, MSPs are trusted advisors to their clients, able only to make recommendations, but not able to enforce policy. As a matter of managed services professional best practices, we must rethink how MSPs and clients interact on the issue of cybersecurity.
The number of data breaches and cyberattacks is increasing; we all know this. We also know that the methods of attack follow a pattern. Cybercriminals like to use email phishing campaigns, exploit commonly used applications (specifically administrator accounts), and probe user accounts that do not have multi-factor authentication turned on. MSPs understand these tactics all too well.
However, the issue is that many organizations do not fully appreciate the level of persistence and sophistication these cyber attacks possess. When the MSP advises the client to take certain precautions, the MSP can only suggest; it cannot force the issue. This is where the service agreement can come in handy, protecting both the MSP and the client.
Managed Services Minimum Standard of Care
It is time MSPs begin enforcing a managed services minimum standard of care. Aside from providers who fall below this minimum level, the vast majority of MSPs understand how to deliver this type of service, but are unable to do so because clients refuse to comply.
The refusal is not borne out of obstinacy or malicious intent, but rather is a product of budget constraints, or general ignorance of the true nature of the cyber threats facing the organization. MSPs have long begrudgingly modified their agreements to comply with client decisions, knowing full well that it leaves them vulnerable.
Today, we live in a time where MSPs must communicate to clients when a decision will leave the client unprotected and at risk. Even one client can put an entire MSP’s client base at risk if they are not employing safe cyber hygiene. Until we get to a point where most organizations implement these best practices, MSPs need to begin enforcing change through their service agreements by limiting services and disclaiming liability in situations where the client is unprotected. Taking such action will take time, but it will eventually lead to improvements across a vast number of organizations globally. All it takes is enough MSPs taking this approach, and there can be tremendous benefits.
Customers need to understand that MSPs are not indemnifying their data or their networks. If clients realize that there could be real costs (not included in their managed services agreement), they might think twice before refusing backup as a service, MFA, or other security offerings.