ARN investigates the growing discontent with MSPs not securing their SMB customers properly.

Managed service providers (MSPs) are an essential part of the IT supply chain, especially as digital tools become more complex for end users; with the added demand for security, their traditional break-fix role has changed completely. For the most part, MSPs have remained outside strict regulation when it comes to the services they provide, including cyber security. However, ‘cowboy MSPs’ are hurting service providers who specialise in cyber security, and regulation may be needed to curb them from providing rogue advice, especially as policies and regulation around data and third-party providers come into government focus.

Speaking to ARN, GCIT co-founder Elliot Munro explained that MSPs don’t want any of their customers to get hacked. As a Queensland-based IT services and consulting provider, GCIT has seen enough attacks to understand what’s needed to make an environment secure and how much that costs.

“We put in as much as we can to make sure we can sleep at night, knowing customers aren’t going to get hacked and take up all of our time when they do,” said Munro. “But customers will only spend a certain amount of money to address what they perceive as risks to their business; … cyber security is all about risk assessment.

“If it costs more to address a risk than the risk would cost the business, then they’re just not going to do it.”

Munro believes GCIT has a solid offering priced “pretty competitively”, but often it will lose small to medium business (SMB) customers who go to market and get pricing from somewhere else, usually at a rate that is 30 per cent cheaper.

“I just don’t know where those places are getting their margin from,” he said. “Our net profit last quarter was 2 per cent. We’re at 5 per cent this quarter and that’s only because we’ve had some [unexpected] expenses.”

Munro can’t understand how these providers are making any money and “suspects it’s because they’re not doing the proper job of securing” their customers’ environments.

“We try to hold off on buying all the shiny tools that vendors push, all infused with AI, which used to be machine learning,” he said. “We just know it’s very difficult to secure an environment for a price an SMB is willing to pay and still compete against other MSPs and one-man bands who are cutting corners.”

Is regulation needed?

For Munro, regulation might be what is needed, especially as SMBs are hit hard by cyber crime. During financial year 2024, SMBs reported an average loss increase of 8 per cent to $49,615 per incident, according to the Australian Signals Directorate’s (ASD) Annual Cyber Threat Report for 2023-24, which bases its findings on reports made to the agency during the 12-month period.

However, there are no real repercussions for an SMB that has been attacked. If there were, it would be something that Munro could point out to customers.

“It’d be good if there was some government standard that businesses were being held to,” he said. “It would be great for the MSP industry, but I just think it would be better for businesses in general.”

Pax8 Academy manager Maria Armstrong would also “personally love to see” regulation happen in Australia. SMBs make up 97 per cent of businesses in Australia and MSPs support those small businesses. However, MSPs are not legislated or regulated.

“There’s nothing that says you have to do the right thing,” she noted. “There’s nothing that says they have to understand the latest technology and they have to move with the times.”

What that regulation might look like could already have been hinted at in the 2023-2030 Australian Cyber Security Strategy, which references legislation from the UK and other governments, Armstrong explained.

In the UK, the government released its findings on proposals to improve the UK’s cyber resilience and how MSPs can be used to help. The findings revealed the UK MSP market was fragmented, with an estimated 1,500 to 1,700 large and medium MSPs potentially in scope of the plans to update the country’s Network and Information Systems (NIS) Regulations 2018. Under the NIS, utility companies that provide essential services must improve their own cyber security or face financial fines of up to $35.5 million (£17 million), and this will be extended to include MSPs. However, just over 9,800 small and micro UK-based MSPs would not be in scope, as they would be subject to the small and micro exemption, although this could potentially change.

The Australian government’s Cyber Security Act, which came into place in November 2024, “directly referenced UK legislation around MSPs and around cyber security”, noted Armstrong.

“They said the reason we are writing our legislation this way is because the UK have written it this way and we feel that ours should be a global standard that aligns with other countries of a similar approach,” she said. “When I see regulation like this coming to the UK, I think that our government is going to look at this.”

Former Pax8 Academy executive coach Elliot Seeto told ARN that Australia is part of the Five Eyes organisation with the UK and it generally follows what they do.

“There’s a good chance that as part of the wider strategy, Australia would be looking to pull up certain some way, shape or form,” he said. “What that looks like and how it comes about is up in the air at the moment, but there’s a good chance that it would at least be considered at some point in the near future.”

For Armstrong, MSPs can choose to do professional development or stay on top of technology and business best practices, but they don’t have to.

“That’s why they’re now starting to be in the spotlight and most certainly more so in the UK than here because of the cyber attacks,” she said. “MSPs are involved in cyber in providing security for these small businesses and people have realised that they are the first line of defence and the first line of the first weakness.

“If they’re not doing the right thing, if they’re not doing their professional development, if they’re not making sure that they are that first line of defence, then 97 per cent of businesses could be at risk.”

Cowboys in the industry

For Seeto, anyone can call themselves an MSP or a security expert. This includes someone straight out of high school, or even still in high school, who provides some IT support to local and regional businesses and then calls themselves a “security expert”.

“This is not necessarily a bad thing, but we need a set of standards that indicate the reputable organisations,” he said. “These are people that have been through some sort of education, [hold] some sort of professionalism and say they meet a qualification to provide the specific advice or services that they’re providing.”

The real problem is the need to weed out what Seeto calls those “cowboys” who give the industry a bad name, which is part of the reason why some small businesses may object to working with MSPs.

“They may have worked with someone who called themselves an MSP,” he said. “Honest MSPs understand the issues and are trying their best to do the right thing.

“It only takes a few bad eggs out there to disrupt what is supposed to be a service that is provided through people who actually know what they’re doing.”

That’s the challenge Seeto sees, and why he is for some sort of regulation within the industry to differentiate providers and set the bar a little higher, because that standard is non-existent currently.

“If we don’t do it, the government will,” he said. “The government may not provide the right form of standard or regulation that we need in the industry and we need to make sure that the MSPs and TSPs [third party service providers] have a voice to say what will and won’t work.”

SMB education

Armstrong said end customers in the SMB space don’t always see the risks because a lot of media coverage focuses on the big attacks on large corporations, leading people to think that these incidents won’t happen to them.

“The reports coming out from the government tell a different story,” she said. “They show that most cyber incidents affect small businesses.

“The reality is a cyber attack can shut the business down for good. When that happens, it’s not just the business owner who suffers. Many employees lose their jobs, too.”

This will continue until small businesses understand the importance of having a reliable IT provider, Armstrong noted.

“Cyber security is crucial for their survival and businesses need to realise that cyber security is just as important for them, especially considering the risks they face on a daily basis,” she said.

In the MSP industry, some service providers have led with fear, which is something GCIT doesn’t like to do, noted Munro, because it seems people are being held to “ransom”.

Whenever a big security uplift in response to attacks takes place, Munro does talk to GCIT’s customers about the attack, but cautions against treating multifactor authentication (MFA) as a cure-all.

“Most phishing emails are breaking into accounts these days,” he said. “MFA used to be just the thing that we would [use] and it would stop all the problems, but now MFA is just as weak.

“We’ve had to demonstrate to customers the threat and then say, ‘These are the new [tools]’, which we have to put in place to address the threat. Only then do they pay, but it’s difficult.”

Munro added that if “there was regulation on both sides” that required MSPs to meet a given standard, that could solve the issue.

“Until that happens, it’s just going to be a lot more breaches,” he said.

Seeto believes unfortunately the “government won’t make any quick decisions”.

“While it’d be great to get some sort of mandates or some sort of support, at least from them,” he said, “I think that’s where a couple of other organisations are stepping up to try and improve the state of the industry.”

Seeto said various organisations have their own programs, like GTIA’s (formerly CompTIA) Cybersecurity Trustmark initiative, which has been rolled out to set the bar by requiring GTIA Cybersecurity Trustmark compliance in order to provide cyber security services.

“I often compare it to certified public accountants or chartered accountants in the accounting industry – external bodies that set the standard,” he said. “There are organisations trying to do the same for cyber security services.

“SMB1001 aims to raise the bar through dynamic, evolving standards and has the most traction at the moment because it’s simple and readily available, particularly for SMBs.”

Referencing the UK regulation again, Seeto noted that it also mandates MSPs to meet standards that address supply chain issues. SMB1001 has that built in, and the aim is to extend it to organisations beyond SMBs, including enterprises and governments.

“They’ve got a program out there to counter that and create a database or an index that organisations, or SMBs, can go to as part of their procurement process and say, ‘Hey, who has met some sort of minimum standard out there?’, whichever tier they might sit on in SMB1001,” said Seeto.

Keep it truthful

Infosure director Andrew Brett told ARN that MSPs need to be honest with clients about cyber security, making it clear that cyber insurance and security products won’t offer 100 per cent protection against attacks, but they can improve the chances of coming through an incident with less damage.

“You don’t want the cyber attack, just like you don’t want a car accident,” he said. “No one does, because they’re traumatic. You don’t know what kind of car accident you’re going to have; you could die.”

Being truthful was also a sentiment that managed security service provider EvolveCyber founder Liam Benson shared.

“One of the most honest and impactful things I’ve said to clients is, ‘I cannot protect you 100 per cent from a cyber breach’,” he said. “That’s just a fact; there’s a level of humility in admitting that.

“What I tell clients is, ‘I can’t guarantee full protection, but I will do everything I possibly can to defend you and, more importantly, to prepare you so that if something does happen, we’re ready.’”

He told ARN that EvolveCyber will tell customers it has the right protections in place, the right insurance and the right processes, “so everyone can sleep better at night”.

“However, the mindset of constantly beating your chest, needing to be right in every situation and telling customers you can protect them 100 per cent? If MSPs are doing that … holy shit, they’re in for a really bad time.”

ARN continues the conversation with Brett and Benson in the next investigative piece on the importance of truth between MSPs and their customers.