Written by: Charles Weaver, CEO – MSPAlliance
MSPs are no strangers to the limelight. Very early in the managed services profession MSPs dealt with a variety of public relations issues, mostly centered around the value MSPs brought to their customers. Today, MSPs have another public relations issue brewing, although this one has far more significant consequences to our profession.
Ransomware attacks involving MSPs
The United States Cybersecurity and Infrastructure Agency (CISA) started issuing advisory bulletins in 2017 and 2018 warning MSPs to be aware of advanced persistent threats (APTs) specifically targeting MSPs. The announcements did not get a lot of publicity, but MSPs began talking about them seriously at industry events (including MSPWorld).
While the focus of these attacks has always been the customer, the methods of achieving success seem to be leaning towards the exploitation of known vulnerabilities impacting MSPs. Specifically, the administrative accounts MSPs use in RMM, ticketing, and other service delivery tools are being targeted.
The good news is these exploits are extremely easy to fix. The bad news is there are a lot of companies calling themselves MSPs who do not possess strong security skills. These companies are not paying attention to these security bulletins and are potentially putting their customers at risk.
It’s out in the Open
It’s one thing for the channel press to cover these security issues, but quite another when the non-channel media does it. That is precisely what is happening now, and global MSPs need to a) realize this problem, and b) respond to it.
A recent story featured a medical customer who was attacked by cybercriminals who exploited the technology consulting company that handled the outsourced IT management. The article describes the devastating effects of the cyberattack and what happened to the customer. The blame is put squarely on the “MSP.”
Later in the same article, the author describes attacks on MSPs as increasing. There is only one problem: the technology consulting company was not an MSP. At best, they could be considered a break/fix or reactive IT company, but few people would classify that company as a provider of managed services.
I am often surprised when MSPs say it doesn’t matter what they call themselves. What difference does it make, they frequently say. It makes a big difference, especially today.
Calling Yourself An MSP Matters
If break-fix companies masquerade as MSPs and cause harm, this activity will cause considerable damage to the managed services profession. I have repeatedly said that more customers want managed services than there are qualified MSPs to do the work. Compare that statement with the seemingly endless lists and numbers of MSPs throughout the world; you might think that there are more MSPs than customers; this is not true.
Customers are Safer with MSPs
Customers are manifestly safer with legitimate MSPs than doing it alone using internal IT only. Many customers have no clue as to what threats are out there, let alone how to protect against those threats. This is why it is so important to be clear about what type of company you outsource your IT management to.
Practicing MSPs have known for a long time that break-fix companies can cause a lot of confusion and harm in the market, just from a sales and marketing perspective. Now, we see this battle between break-fix and proactive managed services spilling out into the public arena.
I am not saying that MSPs are infallible. We have a lot of important work to do in educating the global managed services marketplace in the next five years. However, MSPs, on average, are going to be far more effective at helping customers protect themselves against cybercriminals compared to break-fix companies.
The next time you encounter a customer bringing up these articles, ask whether it was an MSP or just a bunch of technicians reacting to technical problems. Not the same thing at all!