How to Reduce Your MSP’s Risk of Cyber Attacks

Cyber attacks have been on the rise for years and are expected to continue increasing in severity well past 2022. The recent damage caused by high-profile supply chain attacks (think SolarWinds and the like) carried a lot of risk both for MSPs and their clients. 

Managed service providers should be planning strategies to increase their cyber resilience and secure their supply chains from future cyber attacks. This can be a gargantuan task, as it not only includes securing the MSP itself, but making sure vendors, freelancers, and other third-parties are secured as well. 

What happens when this need is ignored? The recent Kaseya ransomware attack proves how badly a cyber attack on an IT channel vendor can disrupt the supply chain of its customers and cause severe collateral damage. Cyber attacks on an MSP can easily spread to hundreds or thousands of small businesses if the proper security measures aren’t in place.  

MSPs are particularly at-risk next year. The report also shows that during the second half of 2021, only 20% of companies reported not having been attacked, as opposed to 32% last year. This indicates that cyber attacks are increasing in frequency across the board. 

MSPs are particularly at-risk because IT management tools, such as PSA or RMM, are being deliberately targeted and used against them. This method often gives hackers access to the IT provider’s entire client list. That potential for easy access is a juicy target that makes already high-risk MSPs even more vulnerable to attacks.  

MSPs are often the first line of defense against hackers when it comes to small and medium sized businesses. We regularly find ourselves standing in front of malicious actors who want an easy route into our clients’ networks and private information. Yes, MSPs have a daunting job, but those small and medium organizations still need to turn to outsourced IT to handle the increasingly complex world of IT management and cybersecurity.  

MSPs take on a good deal of risk as part of their daily operations. Furthermore, they take on risk from their vendors. When something like an RMM tool is compromised, hundreds of MSPs can become the innocent victims of cyber attacks. These MSPs then pass all of that risk right down to their own clients. Unfortunately, service agreements typically put the burden of fault on MSP regardless of how the threat originated. Unfortunately, the solemn responsibility of explaining the mishap to the end user always falls back on the IT provider.  

Several factors contribute to the growing cyberthreat landscape. However, it’s important to recognize that the frequency and impact of cyber attacks has not been reduced regardless of widespread response and attempts to curtail the danger. 

Besides practicing vigilance and using top-tier cybersecurity tools, MSPs can take a few other steps to protect themselves: 

MSPs are smartly turning to insurance to manage their cybercrime risk. That said, there is an increasing level of difficulty when it comes to falling back on these policies. Cyber insurance policyholders are being asked to document and prove that the controls they say are in place are truly there.  

As you would expect, the burden of proof about controls in the policy will fall on the MSP. Attestations just aren’t enough. You will need to keep detailed records of your cyber insurance requirements and show that the right tools are in place to mitigate risks. This will ensure a full payout if disaster hits.  

Such documentation will also be essential even if a cyber attack doesn’t come. MSPs that cannot verify proper controls will most likely not have their policies renewed. 

Risk assessments are an MSP staple that provides a practical breakdown of the vulnerabilities and threats to a client. With cybersecurity threats evolving, it is more important than ever that risk assessments are done on a regular basis to evaluate and prioritize your IT security investments. 

Managed service providers should require their clients to perform a regular risk assessment if they aren’t already doing so. This helps the MSP and the client prioritize the budget and resource allocation when it comes to protecting their networks and data. 

The keys to prospering through this escalation of cyber risk are automation and force multipliers. MSPs should seek out solutions that automate or scale crucial tasks like vulnerability scanning, compliance documentation, and privileged access management. These practices are not only critical for cyber insurance policies, but for general security.  

As cyber insurance regulations tighten and threats increase, MSPs that do not prioritize automated solutions and scalable tools will find themselves stymied by manual tasks that take away from the strategic management of their businesses.  

As you can see, managed services providers need protection more than ever. MSPs face more risks when it comes to cybersecurity, data privacy, compliance, profitability, and competition than ever before. MSPs fight to gain and retain customers while remaining profitable. The last thing they need is to suffer a critical hit to their reputation or finances because of liability. 

Limiting this liability can be done through careful management of each client. The MSP should clearly identify the obligations of both parties in their agreements. As well as obtain effective professional liability insurance for their own business. In addition, they should obligate clients to obtain first-party cyber liability insurance (and adhere to the requirements of said insurance, of course). 

Professional liability insurance is a great way to indemnify your company. Especially if a client alleges negligence in the performance of your agreement. Much like malpractice insurance, it protects the client if a service provider is negligent. Which in turn helps to protect you.  

Insist on first-party cyber liability insurance will protect your clients’ data from cyber liability risks regardless of the cause. Such policies should cover data breaches and data losses that are not the fault of your MSP.  This will cover incidents like insider threats, ransomware, malware, and other types of risk that come from outside your organization and aren’t related to MSP negligence.  

You can also limit liability by making sure your agreements include these provisions: 

The MSP takes no responsibility for hardware and software failures caused by third-party manufacturers and software developers. 

Data loss and data leaks are often the highest risk factor for managed service providers. Your agreement should disclaim responsibility for failures related to backups. It should also require your clients to maintain secure local backups of their important data in addition to backup services being rendered.  

Add a clause requiring first-party insurance requirements right into your agreements. Stipulate that the provider is responsible for carrying first-party cyber liability insurance and that they agree to do so throughout the engagement. Be prepared to explain cybersecurity insurance to your clients and make recommendations about where to obtain it.  

To protect your MSP against ransomware damages, clearly denote that clients are responsible for paying any ransoms or remediation costs if they are attacked. This doesn’t sound pleasant, but such a clause can be very useful in a worst-case scenario. Remind your clients that their own behaviors are most likely to lead to a ransomware attack. While you will do everything in your power to prevent them, you can’t take full responsibility for their own internal actions.  

One step of cyber risk mitigation that you don’t want to ignore is actually pursuing a culture of strong security. Liability isn’t everything, and at the end of the day you want to make sure your clients are actually safe. It’s wise to turn to the best security tools that address current cyber threats without inflating your costs.  

AutoElevate is a privileged access management (PAM) tool that fits those requirements. By streamlining the adherence to a ‘least privilege’ policy across all clients, your MSP can virtually eliminate 80% or more of the most common cyberthreats in circulation today. Our PAM tool makes it easy and affordable to limit your MSP’s risk of being blamed for a social engineering or ransomware attack. 

Auto Elevate is designed to help MSPs and IT professionals address that exact challenge. If you’re not familiar with the many useful features of this security tool, visit this page to learn more.