Will Cybercrime Court Help or Hurt MSPs?
The United Kingdom recently announced the creation of a "cybercrime" court, designed to bring the country into the 21st century. Catherine McGuinness, Policy Chairman of the City of London Corporation said "I'm particularly pleased that this court will have a focus on the legal issues of the future, such as fraud, economic crime, and cybercrime."
Although this court won't be constructed and hearing cases until around 2025, it still gives us something to think about. How will a cybercrime court impact MSPs? Let's examine how more cybercrime cases will likely involve MSPs as a starting point.
Cybercrime is the #1 Criminal Enterprise on the Planet
You don't get involved in the drug trade if you want to make it rich these days...you go into cybercrime. Statistics show a dramatic rise in cybercrime over the last decade and since the advent of cloud computing, everyone (including non-technical people) understand the basics around data privacy, data theft, and cybercrime.
As more individuals and organizations get involved in cybercrime, you can expect a sharp increase in the number of cybercrime related prosecutions.
MSP Involvement in Cybercrime Prevention
MSPAlliance has, almost since its inception, been an advocate for the use of MSPs as often first lines of defense against bad actors trying to harm end-user organizations. I think most MSPs also see themselves as useful resources for their customers in helping them fight against cybercrime. In many cases, the MSP is the only resource available, particularly in smaller organizations, when it comes to being capable of monitoring networks and identifying if cyber attacks are being aimed at a customer.
Data Breach Notification Cases
I believe it is likely that MSPs will become most visibly involved in fighting cybercrime in the next 10 years as data breach notifications become "mainstream". Now that all 50 states in the US have data breach notification laws, and now that all of the European Union (via GDPR) has it as well, MSPs have a "primary" duty to help customers know whether there was a breach.
This is where it gets tricky. MSPs may view assisting customers with data breach notifications as contrary to the best interests of the MSP. I disagree. I believe data breach notification events provide fantastic opportunities for MSPs to work with and educate their customers on what happened and what can be learned. This assumes that the MSP did not make a mistake.
Assuming the breach was not a fault of the MSP, in many cases we have seen situations where the customer chose not to pursue a particular path in protecting their IT resources (purchasing data backup as a protection against malware, for example). In these situations, data breaches (even breaches occurring elsewhere) can serve as useful tools in educating customers on how best to protect their most valuable IT assets.
MSPs had better come to grips with becoming more visible to the non-technical world. Particularly when it involves criminal court proceedings, it is in the best interest of MSP organizations to be prepared for this eventuality, rather than resist and not embrace change.