The MSP market is in a major growth phase. Some estimates put it at $243 billion in 2021 and forecast growth of nearly 33%, reaching nearly $355 billion by 2026. While that is positive news for businesses providing managed IT and related services to organizations that choose to outsource their technical services and support, it comes with associated risks and responsibilities.
Compliance standards that relate to data protection and security are numerous. These are not easy issues to manage, and they require specialized knowledge and experience to address properly.
Individual and industry certifications that demonstrate an MSP’s ability to protect data and support compliance programs are on the horizon as efforts are underway to formally professionalize the industry. Any MSP that does not get on board with these efforts can expect to be left behind.
GDPR – The European Union’s General Data Protection Regulation is the omnibus law under which all personally identifiable information (PII), such as health and financial data, is secured and managed.
HIPAA – In the U.S., protected health information (PHI) is regulated under the Health Insurance Portability and Accountability Act.
PCI-DSS – While not a regulation, many states look to the Payment Card Industry Data Security Standard as a required guideline for protecting consumer payment card data.
SOX – Sarbanes-Oxley established standards for the management and protection of certain types of business data, such as financial records and intellectual property, in the U.S.
GLBA – the Gramm-Leach-Bliley Act regulates the security and management of data for financial services firms in the U.S.
ECA – in the UK, the Electronic Communications Act of 2000 regulates the sharing and security of data associated with electronic commerce.
PIPL – In China, the collection, storage, and transfer of consumer data is regulated by the Personal Information Protection Law.
Service providers with an understanding of the risks associated with data management, and that follow best practices around security and compliance, can establish themselves as trusted partners at a time when risk management is a business imperative.
The threat to the MSP industry has only grown more serious. In May 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory with their “Five Eyes” peers in Australia, Canada, New Zealand, and the UK warning of threats specific to managed services providers.
CISA’s recommendation that customers get directly involved, by ensuring that their MSP partners undertake certain security measures and by contractually obligating MSPs to those measures, is yet another signal that the game is changing and that MSPs must regard cybersecurity as a business imperative. A recent ScienceLogic survey found that 46% of European managed service providers are concerned about security issues, which confirms that MSPs are thinking about these trends. But thinking does not necessarily equate to action, and MSPs need to act.
Market pressures now demand that MSPs create and document security programs, earn certifications in certain security disciplines, and train or hire professionals with bona fides like Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), and Certified Information Security Manager (CISM). And security isn’t just about preventing cyberattacks and avoiding data breaches; it is about complying with the many security and privacy regulations that dictate how various kinds of sensitive data—like financial, healthcare, personal, and intellectual property—are protected and managed.
According to the most recent IBM/Ponemon Institute “Cost of a Data Breach Report,” the average cost to organizations that suffer a data breach is $4.24 million per incident. That figure aggregates several factors, including fines, legal fees, technical forensics and remediation, increased marketing, and losses from declining business opportunities and increased customer churn due to damaged brand reputation. For the most egregious incidents, however, costs can be higher. Significantly higher.
Maintaining a compliance program is a daunting task, and one that is not possible without automation specific to the various aspects of tracking and documentation. When moment-to-moment operations and changes at the device level need to be tracked, backed up, managed, and documented, a solution like Restorepoint can cut staff time dedicated to such tasks by more than 50%, while increasing the scope, scale, and accuracy of the results. And because actions that cannot be confirmed are assumed to be non-compliant, thorough documentation can equate to millions of dollars saved in avoided fines if an audit is conducted.
For MSPs that want to minimize the risks associated with a data breach and associated fines for regulatory non-compliance, we recommend four best practices:
If you are a managed services provider searching for a solution to help substantially lower your organization’s and customers’ exposure to security, compliance, and availability risks that are commonly overlooked and frequently unforeseen, reach out with questions specific to your situation. Book a Restorepoint demo.