As MSPs become more frequent targets for cyber attacks, industry leaders and other stakeholders have encouraged firms to adopt established cybersecurity industry standards. The goal of doing so is for MSPs to increase their level of internal security to protect themselves and, by extension, their customers.
Frameworks provide step-by-step instructions and best practices for risk mitigation, such as developing security awareness training programs, preventing email-based attacks, and protecting servers and web services. MSPs have multiple cybersecurity industry standards to choose from. Popular frameworks include the National Institute of Standards and Technology (NIST) Cybersecurity Framework; CIS Controls; and ISO frameworks. More recently, IT management software vendor ConnectWise introduced its own MSP-specific cybersecurity guidelines, dubbed the MSP+ Cybersecurity Framework.
“Because these frameworks offer specific guidance, they can be very effective for MSPs looking to improve their security policies or even get started with putting together a plan,” said Lewis Huynh, CSO for NinjaRMM, an MSP software vendor. “These frameworks aren’t necessarily a one-size-fits-all solution, but implementing even just some of the security controls and policies outlined will leave organizations more secure.”
Implementation can reduce many MSP security concerns, added Tom McDonald, president of New England Systems Inc. (NSI), an MSP in Naugatuck, Conn. “Nobody expects MSPs to be more advanced than the common published standards for cybersecurity best practices,” he said.
NIST offers a popular policy framework for IT infrastructure security.
Getting the ball rolling
“Security is a moving target that requires constant revision, and, because of this, the hardest part of implementation is simply getting started,” Huynh said. However, even taking small steps will improve an organization’s posture and make it easier to proceed with further changes.
As a first step, MSPs should conduct an internal risk assessment and set goals that align with their overall business strategy, Huynh said. MSP firms should engage all internal stakeholders, from C-level executives to customer support, as part of the risk-assessment process.
Huynh recommended MSPs identify the types of data they collect and the data’s lifecycle within the organization. “This will help [MSPs] better understand their cybersecurity risk and where to invest more time and resources to better secure their supply chain,” he said. “With clear goals, an understanding of the project scope and clear visibility into the data lifecycle, MSPs can more effectively implement a cybersecurity framework.”
While some MSPs may use their in-house staff to adopt a framework, others will turn to a third party, NSI’s McDonald noted. He recommended hiring a security consultant. “Each company must review what [cybersecurity industry standards are] available, consult with an expert, pick a framework and/or control set, and double-down to make it happen,” he said.
Costs and benefits of cybersecurity industry standards
The most obvious benefit of internal security frameworks is protection for the business itself. MSPs will experience fewer incidents and strengthen the trust of clients, McDonald said. In addition, by aligning with a framework, MSPs can instantly plug into a support community they can call on for help.
“You’re not trying to figure it out on your own when you pick a standard as your basis for cybersecurity and risk,” McDonald said.
Implementing a cybersecurity framework can also give MSPs a competitive advantage. MSPs that attain cybersecurity competencies can launch new services and attract new clients. By demonstrating their internal operations meet certain security requirements, firms can move into markets such as enterprise and federal IT.
“Many businesses today will specifically seek out an MSP that they feel has done due diligence when it comes to their own cybersecurity,” said Brian Brammeier, chief information security officer at Ntiva, an MSP and consultant in McLean, Va.
Adopting a framework doesn’t come without its hurdles, however.
MSPs may struggle to meet certification requirements, as obtaining certifications can demand a significant amount of time and resources, Brammeier said. Certification processes can take anywhere from six months to more than a year to complete. Once a certification is obtained, the ongoing maintenance needed to remain compliant can be expensive — so much so that some smaller MSPs may decide it is unfeasible.
“When it comes to security, everything has a cost and a risk,” Brammeier said. “MSPs, just like any business, need to look at the cost of implementing robust security protection versus the risk of not doing due diligence.”
Gaps in the framework
Another common challenge relates to the scope of a cybersecurity industry standard. No standard can protect an organization from every possible risk. As a result, MSPs should add extra measures tailored to their particular organizations. Additionally, MSPs must remain constantly vigilant and plan to review their security policies and procedures at least annually, NinjaRMM’s Huynh noted.
Cybersecurity frameworks such as NIST’s include comprehensive security guidance for the most destructive cyber incidents, such as ransomware or supply chain attacks. With that said, no defense is ever airtight: Motivated cybercriminals will find ways to infiltrate networks.
“MSPs shouldn’t approach cybersecurity frameworks as the silver bullet to their security issues,” Huynh said.