Cyber-attacks and incidents have occurred in rapid succession over the last month, from local IT managed service providers to Qantas, and most recently the giant global IT distributor Ingram Micro. Cyber criminals aren’t holding back in ramping up their attack efforts. They aren’t hesitating to hit multiple targets across different industries through any vulnerability they can find, from third-party service providers to legacy infrastructure.

This highlights a critical inflection point, as IT partners play more than just a break-fix role in providing the right cyber security guidance for their customers. MSPs must step in to demonstrate the value and long-term cost-effectiveness of preventative security strategies. Otherwise, customers will use price sensitivity to reject suggestions, which can lead to underinvestment in essential protection. However, this all starts with trust.

From a managed security services provider (MSSP) perspective, trust is everything when working with customers, according to EvolveCyber managing director Liam Benson.

“I think trust and accountability go hand in hand,” he said. “You can build trust absolutely, but retaining trust, I feel, is also one through accountability.

“You’re working with businesses who are not technical; having trust is incredibly important from both sides.”

Benson told ARN that customers need to be able to trust that the MSP knows what they’re doing, but MSPs also need to trust that the customer is looking after its partner’s “best interests at the same time”.

“I think one of the most freeing things I’ve ever said to a client, for me personally, is [stating] I cannot protect you [the client] 100 per cent from a cyber breach…that’s just the reality,” he said.
“There’s almost a kind of humility in saying that.

“What I tell clients is, [while] I can’t protect you 100 per cent, what I can do is everything possible to defend you, and more importantly, prepare you, so that if something does happen, you’re ready.”

Benson emphasised this can be a bit unsettling for end-users at first, who respond with “what do you mean you can’t protect me?”

“I tell them we’ll prepare for it and make sure that if something happens, we’ve got all the right things in place,” he said. “We’ve got the response plan, the insurance, the controls, the logging …all of it.

“That way, everyone can sleep better at night.”

According to Benson, the industry has a “compulsion” to beat its chest and act like it must be right every time.

“Honestly if you’re an MSP [telling] the customer I can 100 per cent protect them… holy shit you’re in for a really bad time,” he said.

The inability to admit they cannot guarantee that protection also meant MSPs were reluctant to “touch” the cyber insurance conversation, noted Andrew Brett, Infosure director and certified cyber insurance specialist.

“Getting into that conversation meant they’d have to admit that what they were doing was not 100 per cent secure,” he said. “They’d have to acknowledge that what they’ve put in place is penetrable.”

But in doing that, Brett explained, they’re depriving the client of preparation.

“When a cyber incident happens, the client’s left in the dark and the MSP is standing there going, ‘I don’t know what incident response looks like’,” he said.

“The brutal part was the trust will completely go.

“The client’s left thinking, ‘why did you tell me you could protect me 100 [per cent] when I believed you’.”

That’s when you see people really spiral, Brett noted. The MSP partner had another path, one where they could have been honest from the start and explained to the client how to limit the impact.
“Like Liam said, no one wants to hear they might still get hit, but it’s a hell of a lot better than pretending nothing will happen,” he said. “That’s what trust is: give me the facts … I’m an adult, I can make my own decisions. But let them be informed decisions.”

Ultimately, avoiding hard conversations about cyber insurance or incident preparedness may protect an MSP’s ego, but it does nothing to ensure business resilience, which could help customers absorb the shock when an incident occurs.

“What isn’t realised is that just because the [cyber-attack] is resolved today, it doesn’t mean it’s over,” said Benson. “It could be two to four years later, and suddenly the client’s sensitive data, like medical records from a GP clinic, surfaces on the dark web.

“All it takes is one patient asking ‘why are my records on the dark web?’”

That scenario will put the MSP under fire because there was no legal oversight, no documentation, no insurance in place and no thought about regulatory requirements. The “just fix it and forget it” reactive approach ends up coming back to bite the IT service provider, explained Benson.

“It’s hard not to wince seeing how some MSPs are handling incidents today because the reality is, there’s likely a wave of consequences coming,” he said. “Maybe in four to six years…maybe 10.

“It’ll all trace back to decisions made in a panic, no cyber insurance, no preparation, just a scramble to patch things up and avoid looking bad. That’s not going to hold; not for the MSP; the client; or for the industry.”

Be aware of limitations

As part of building trust with customers, Aegis cyber security chief information security officer Luke Irwin told ARN that MSPs need to be aware of the cyber landscape and the limits of their capability and skills.

“IT is not cyber, although they are related fields,” he said. “They’re not the same thing, [although] related.
“But just because you’re good at IT doesn’t make you good at cyber [and vice versa].”

The fact that IT implements some security controls has created the perception that IT is cyber, both in the heads of the workers and in the public.

“MSPs are great at what can be referred to as frontline cyber: the antivirus, the patching, the firewalls, the network segmentation. They are fantastic at that,” he said.

But when asked [about] the last time a risk assessment was done on the environment, or [to explain] what the crown jewels are, they often just look blank.

“If there’s no understanding of what to protect, then there’s no actual budget problem, just a lack of direction. Without proper budgeting, the right systems, controls, and processes can’t be implemented.”

One of the biggest concerns Irwin has is the number of MSPs who think cyber insurance is a waste of money or a bad product.

“Assume you’re an MSP and supporting a government corporation,” he said. “You’ve taken the ‘close enough is good enough’ approach to cyber security.

“That government corporation gets breached, and their supply chain gets breached. That vendor’s supply chain gets breached; and eventually, some citizens get compromised as a result.”

Now, further down the chain, company number three has a cyber security insurance policy.

“Cyber insurance will pay out, yeah, but they’re going to try and pass that cost back up the chain,” explained Irwin. “Back to the previous company, then the one before that, and eventually back to the government department, and to you as the MSP, to recover costs.

“If they paid out $20 million, they’re going to want that $20 million back from whoever didn’t do their job properly.”

It’s the same logic as a car accident, explained Irwin: if someone causes a crash, insurance companies will try to recover the cost from the person at fault.
“If you don’t have insurance to cover you, they’ll go after you personally, your assets, your resources because that’s how cost recovery works,” he said. “It’s a major part of the insurance business model.

“They make claims, and they recover claims. They have entire teams dedicated to it.”

Partnering up

Cyber criminals aren’t waiting for the industry to catch up on understanding how they attack, as well as the recovery process. This intersects with the government’s rapid roll-out of laws and policies around cyber security and ransomware management, and the increasing complexity of digital tools that bring their own challenges. This can make it hard for MSPs to keep up, and “unreasonable” for them to know everything in the “world they play in”, one where digital platforms are constantly being brought out.

Irwin wants MSPs to know there are partners out there who can help, people they can engage without the fear they’ll lose the client or look bad.

“Why would I want to make a referral partner look bad? That helps no one,” he said. “It makes me look like an ass, makes them look incompetent and guess who won’t send me work again?

“If I see something they’re doing wrong, I’ll help them fix it.”

For example, an MSP on the Gold Coast came to Irwin because their client asked if they were secure.

“[It’s a] dangerous question to ask, let alone answer,” he said. “To their credit, they said ‘we build and maintain your stuff, but we can’t answer that’, because that’s like marking our own homework.

“In that case, they brought me in. I did the assessment, found a few gaps, and went back to the MSP with the problems I found.”

Both parties returned to the client, and the issues found, which the MSP had already addressed, were explained to them. Now everyone wins: the MSP’s security posture is improved, the client’s risk is reduced, and there is an understanding that Irwin was not attempting to poach the MSP’s customer for himself.
“I’m here to help them, and to help their clients trust them more,” he said. “Now I go back every year, and I do a security maturity review.”

But the biggest challenge for these types of partnership was fear, or rather the perception of fear, said Irwin.

“MSPs think their clients are so valuable, they don’t want anyone else looking at the setup, in case something’s wrong,” he said. “But often, they don’t even know something’s wrong because no one else has ever looked.

“Without that second set of eyes… [they’re] playing darts in the dark. Doing this kind of work, getting the right people in, helps uncover the gaps, improves the overall posture, and raises the bar for everyone. That’s what actually makes a difference.”

EvolveCyber’s Benson took this one step further, noting that if everyone works together then collaboration becomes possible.

“A lead might come in and not be the right vibe for one provider,” he said. “Instead of forcing a fit, they can say, ‘call this person, this might be for them’.

“A warm introduction is made, and trust is built from day one. The prospect now speaks with an MSP that’s been referred by someone who acknowledged, ‘this isn’t our space, but here’s someone who specialises in exactly what you need’.”

Benson said that initial connection already starts stronger, because there’s honesty, respect for expertise, and a shared goal.

Is there a case for regulation?

If the industry doesn’t start working together, regulation might be the next step. In April ARN looked at how MSPs have remained outside of strict regulation when it comes to the services they provide, including cyber security. However, ‘cowboy MSPs’ are hurting service providers who specialise in cyber security, and regulation may be needed to curb them from providing rogue advice, especially as policies and regulation around data and third-party providers come into government focus.