Understanding Human Vulnerability: How MSPs Can Help
Understanding Human Vulnerability
Managed Service Providers (MSPs) are uniquely positioned in the information security and information technology realms. MSPs sit outside their client organizations, yet they provide critical services to those organizations and are typically relied upon to work side-by-side with organizational staff on those services. Naturally, MSPs become an extension of the client organization and are seen as such.
When it comes to information security, MSPs also have unique challenges. They work with many customers who are at different levels of sophistication and at different parts of their information security journey. They also manage large swathes of data for their customers.
As a result of those relationships and MSPs’ positions with respect to customer data, MSPs can exercise significant influence on their customers’ information security programs. In this article, we’ll discuss why MSPs can exercise that influence, the net benefits to MSPs of doing so, and how best to wield that influence.
Why do MSPs Have Influence Over their Clients?
MSPs are typically hired to solve a problem that an organization cannot otherwise solve on its own. If the organization could have solved the problem by hiring staff, buying hardware or software infrastructure, or implementing internally developed processes, it would have. Organizations leverage MSPs because they are:
More cost-effective than other solutions,
Experts in addressing the problems the organization wants to solve, or
Able to provide a solution that is truly unique or difficult to implement.
As a result, the MSP becomes integrated with organizational operations. Its teams work alongside and sometimes under the direction of the customer.
In that way, MSPs become trusted partners. The critical solutions they provide become launch points for other services and initiatives. MSPs are relied upon to provide strategic and operational advice. Their management becomes trusted advisors to customer management, and their roadmaps influence customer organization roadmaps.
MSPs are also polled for information and opinions based on what they’ve seen with other client organizations. Those requests may even extend beyond presently contracted services.
Where MSPs are trusted teaming partners and have a breadth of experience with other client organizations, one area where they can provide meaningful advice is information security. Many clients already expect security compliance from their MSP through Third-Party Risk Management (TPRM) programs, but that is a largely reactive, box-checking information security interaction.
MSPs can be much more proactive and leverage the trusted nature of their partnerships with clients to exert their influence and drive good security practices. That exercise benefits both the MSP and the client. On the client side, the security office now has an external requirement on which to rely when seeking budgetary or executive support: failing to adhere jeopardizes a critical partnership, and few security offices will pass up that kind of leverage.
The benefits to the MSP are more significant. On the one hand, the MSP can demonstrate expertise in an area and use it to drive additional business. On the other, better client security practices benefit the MSP because it’s less likely the MSP will be compromised through an interface with one of its clients. Those impacts are amplified for MSPs; a single cyberattack can affect many customers and lines of business at once.
Some of the most critical threats to that shared business model are social engineering attacks, like phishing and business email compromise, and the malware attacks that follow them, like ransomware. Providing common information and requirements to clients decreases the likelihood of those attacks succeeding against the MSP.
MSP Benefits from Educating Clients
MSPs materially benefit from providing clients with information highlighting the value of quality security. That benefit grows with targeted training focused on the human element of cybersecurity, where humans are typically the weakest link in any cybersecurity program; the more information, training, and tools available to mitigate attacks, the better.
MSPs, as highlighted in the preceding section, are safer overall when they provide information about the human element of security. They’re safer still when they set requirements common to all clients for implementing human-based security safeguards. That safety comes from mitigating social engineering, the primary delivery vector for malware. It’s also safety at scale: an MSP isn’t just protecting its own data, but all of its clients’ data, at a minimum.
That point is often understated in discussions of MSP security. MSPs aren’t at risk because they’re MSPs, per se; they’re at risk because they hold information from tens, hundreds, or thousands of clients. That information is valuable and may be incredibly sensitive, and exfiltration of that data may be unacceptable to clients. That sensitivity and impact make MSPs a high-priority target.
Even more significant: many MSPs have standing connections into their clients’ networks. Those connections may be segmented from one another, which slows an attack but does not prevent it, especially if every one of them is reachable from the MSP’s own network. (Note that such connections are not "air-gapped" in the strict sense; an air gap means no network path exists at all, and a link that can be reached from the MSP network is, by definition, not air-gapped.)
If client networks can be reached from the MSP environment, even through separate accounts per client, then a threat actor who gains a foothold at the MSP can use lateral movement and privilege escalation to reach those networks. The same links work in reverse: a compromised client is an easy point of entry into the MSP. Securing those points of entry and exit is a must, and at a minimum that means separate credentials per client, multi-factor authentication on remote management tooling, and segmentation that keeps one client’s compromise from reaching another.
Mitigating client threats also mitigates those threats to the MSP, which can result in significant cost savings. By minimizing the risk of important attack vectors, MSPs can lower their cyber insurance premiums. They also reduce the likelihood that they’ll suffer a catastrophic cyberattack, breach many client contracts at once, and be forced into messy and expensive litigation on many fronts.
It also builds expertise and authority in the cybersecurity space. If that leads to one or more cybersecurity lines of business, that’s an excellent new income stream. If not, it still highlights the MSP’s commitment to taking on sophisticated and strategic issues. It improves the overall impression of the MSP and helps minimize risk findings during a TPRM review. It shows the MSP’s commitment to being a good business partner, which is critical to an MSP’s role.
How Can MSPs Help Educate Clients?
There are many ways MSPs can help educate clients and help them understand human vulnerability. The options depend on how core information security is to an MSP’s lines of business and whether the MSP would consider integrating information security into its existing lines of business or adopting it as a new one.
I’ll outline some options ordered by increasing level of commitment, meaning that I’ll start with security education that can be done in the absence of new lines of business and end with options that would likely be new lines of business if not already offered.
Talk to your Clients and Customers about Human Security
There’s never a wrong time to have a conversation about information security. Business email compromise, phishing, and other forms of social engineering are common enough that every organization will find itself targeted by them. Let your client know that you’re taking it seriously and communicate some of the steps you’re taking: tabletops, education, phishing exercises, etc. Ask your client what they’re doing.
Make sure you keep those lines of dialogue open throughout the year. If your client is having difficulty, suggest someone on your security team to whom the client can speak.
Building that comfort not only develops a rapport with your client around a mutual problem but also makes sure they’ll think of you when they’re attacked. You’ll want to know as soon as possible, and those conversations help promote that reporting speed.
Contractually Mandate Human Security
The wonderful thing about contracts is that you can use them to memorialize an agreement for anything. If the subject matter’s legal, they’re even enforceable!
It’s very uncommon to see a contract that doesn’t address information security in some way, whether through TPRM requirements, indemnities, or hold-harmless clauses. What’s disappointing is that more contracts don’t contain provisions around mutual security safeguards.
If I had to speculate, it’s because organizations don’t want lopsided liability, and everyone wants to be treated fairly during contracting. A lot of information security provisions, however, seek the upper hand: they establish who’s responsible for paying for what when a breach happens.
Flipping that inequity on its head does a service to all parties. Acknowledging that cybersecurity is a shared problem and that risk mitigation is a necessity is a good thing. Contracts can include mutual risk mitigation provisions:
Everyone must have an anti-phishing program
Everyone must perform security training
Everyone must report suspected compromises
Interconnections will be severed when there is a reported compromise
Even if only those four provisions are outlined in a contract, every MSP client and the MSP itself are meaningfully safer than before those safeguards were in place.
Provide Security Training
Going a step further than just contracting for security practices, you can offer clients training on good security practices. In that way, you’re not only ensuring that the practices exist but also controlling the syllabus and narrative around them. That’s a powerful position to be in, and the MSP can tailor that training to its own security program and needs.
The flip side is that an MSP taking on any part of its clients’ security posture management opens the door to finger-pointing in the event of a security incident. A breach is no longer only the client’s problem; it’s also the MSP’s, and not merely in the indirect sense that the threat actor may go on to compromise the MSP network. Now there’s the very real possibility that the breach will be blamed on a purported “failure” in the MSP’s training.
Provide Security Services
In for a penny, in for a pound. If an MSP is already considering providing security services, it can also evaluate offering tabletop exercises, phishing drills, risk management services, and other more in-depth security services. Security services have grown into a multi-hundred-billion-dollar industry worldwide, and there’s no sign of that growth slowing.
Providing security services in addition to whatever core line of business the MSP offers can help enhance those services, generate revenue, and safeguard other revenue streams. By creating a common security fabric, an MSP gains far better visibility into its clients’ postures and the risks to the data it holds on their behalf, and it can model its own risks on that data.
MSPs hold a special place: most are integrated enough to be considered part of their clients’ operations and important enough to serve mission-critical needs. As a result of that position, most MSPs are in a place where they can influence and drive client operations.
One place MSPs don’t typically exert that influence, but could to significant effect, is information security, and particularly security against human-based threats. MSPs are particularly susceptible to cyberattacks and can mitigate those attacks at scale by addressing common cyber threats across their client base.
There are many ways that MSPs can accomplish that, ranging from general outreach all the way to security program services and management. What an MSP decides to do ultimately depends on their desire to integrate cybersecurity into their core operations as a line or lines of business. It also depends on how much responsibility they want for client systems and services. Overall, doing anything is better than nothing, and even a friendly conversation can pay security dividends.