Managed Service Providers (MSPs) are uniquely positioned in the information security and information technology realms. MSPs sit outside their client organizations, yet they provide critical services to organizations and are typically relied upon to work side-by-side with organizational staff on those services. In a natural way, MSPs become an extension of the client organization and are seen as such.
When it comes to information security, MSPs also have unique challenges. They work with many customers who are at different levels of sophistication and at different parts of their information security journey. They also manage large swathes of data for their customers.
As a result of those relationships and MSPs’ positions with respect to customer data, MSPs can exercise significant influence on their customers’ information security programs.
What Does Human Vulnerability Mean?
Human vulnerability, much like human error, refers to the possibilities for exploitation that can cause harm to an individual or company. The most vulnerable link in a system, program or team can bring down an entire structure.
The weakest link concept is critical in information security and cybersecurity. Even the most robust security system can be breached by skilled hackers or malware searching to exploit the weakest link.
As an MSP that runs many complex operations and manages customer information technology (IT) infrastructure, human vulnerability can leave your business susceptible to social engineering attacks, which play on human psychology to gain unauthorized access to valuable company assets, such as:
- Computer login credentials
- Intellectual property
- Personnel and payroll records
- Personal health information
- Healthcare records
- Trade secrets
Social engineering tactics can include promising rewards, using a false identity or urging the user to download malicious software to access sensitive information.
Keeping Clients Businesses Safe
While technology plays a vital role in addressing critical vulnerabilities, organizations must address the human element. However, creating and deploying comprehensive behavioral training techniques to mitigate human vulnerability can be challenging and time-consuming.
Using effective security awareness training, you can assess employee susceptibility to attacks, keep them engaged to increase retention and change their habits to be more cyber secure. Well-informed employees are much more likely to be alert and resist clever attempts at cybercrime. Automated and user-friendly training can also help your clients save time and promote a security-focused culture.
How Do MSPs Have Influence Over Their Clients?
MSPs are typically hired to solve a problem for organizations. Those problems are also otherwise unsolvable. It would have if an organization could have solved the problem by hiring staff, buying hardware or software infrastructure or implementing internally developed processes. Organizations leverage MSPs because they are:
- More cost-effective than other solutions.
- Experts in addressing the problems the organization wants to solve.
- Able to provide a solution that is truly unique or difficult to implement.
As a result, the MSP becomes integrated with organizational operations. Its teams work alongside and sometimes under the direction of the customer.
In that way, MSPs become trusted partners. The critical solutions they provide become launch points for other services and initiatives. MSPs are relied upon to provide strategic and operational advice. Their management becomes trusted advisors to customer management and their roadmaps influence customer organization roadmaps.
MSPs are also polled for information and opinions based on what they’ve seen with other client organizations. Those opinions may even extend beyond presently contracted services.
Where MSPs are trusted teaming partners and have a breadth of experience with other client organizations, one area where they can provide meaningful advice is information security.
Driving Effective Security Practices
MSPs can be much more proactive and leverage the trusted nature of their partnerships with clients to exert their influence to drive good security practices with clients. That exercise benefits both the MSP and the client. On the client side, they now have a requirement upon which to rely for budgetary or executive support. Failing to adhere jeopardizes a critical partnership and few security offices will pass that opportunity up.
The benefits for MSPs are more significant. On the one hand, the MSP can demonstrate expertise in an area used to drive additional business. On the other, better security practices benefit the MSP because it’s less likely the MSP will be compromised through an interface with one of its clients. Building effective security tooling empowers action on internal and existential threats.
Benefits of Managing Vulnerabilities in Client Organizations
MSPs materially benefit from providing clients with information highlighting the benefits of quality security. That is improved with targeted training focusing on the human element of cybersecurity, where humans are typically the weakest link of any cybersecurity program — the more information, training and tools to mitigate attacks, the better.
Let's examine some of the significant benefits that can impact both your MSP and your clients.
1. Reduced Risk of Social Engineering Attacks
Some of the most critical threats to that shared business model are social engineering attacks — like phishing and business email compromise — and consequent malware attacks like ransomware. Providing common information and requirements to clients decreases the likelihood of those attacks being used against the MSP.
MSPs are particularly susceptible to cyberattacks. Addressing common cyber threats can help mitigate these attacks at scale. There are many ways that MSPs can accomplish this goal, ranging from general outreach all the way to security program services and management.
What an MSP decides to do ultimately depends on their desire to integrate cybersecurity into their core operations as a line or lines of business. It also depends on how much responsibility they want for client systems and services.
2. Enhanced Data Privacy
MSPs, as highlighted in the preceding section, are safer overall by providing information about the human element of security. They’re even safer still when they provide requirements common to all clients with respect to implementing human-based security safeguards. That safety is derived from the mitigation of social engineering attacks as a primary attack vector for malware. That’s also safety at scale: an MSP isn’t just protecting their data — they're protecting their client’s data.
That’s an understated point when typically discussing MSP security. MSPs aren’t at risk because they’re MSPs, per se — they’re at risk because they have information from tens, hundreds or thousands of clients. That client information is valuable and may be incredibly sensitive. Exfiltration of that data may be unacceptable to clients. The sensitivity risk and impact make MSPs a high-priority target.
Even more significant: many MSPs may have connections to their clients’ networks. Those connections may be air-gapped from each other, which will slow an attack but not prevent its occurrence, especially if not air-gapped from the MSP network.
If client networks can be accessed from the MSP by different accounts, then a threat actor who gains access to the MSP can leverage lateral movement and privilege escalation to access those networks. Additionally, those points of access provide easy points of entry to the MSP. Securing those points of entry and exit is a must.
3. Reduced Costs
Mitigating client threats also mitigates those threats to MSPs. That can result in significant cost savings. By minimizing the risk of important attack vectors, MSPs can lower their cyber insurance premiums. They also reduce the likelihood that they’ll suffer a catastrophic cyberattack, breach many client contracts and be forced into many points of very messy and expensive litigation.
4. Improved Client Relationships
Reduced risk of cyberattacks and enhanced security practices also build expertise and authority in the cybersecurity space. If that leads to a cybersecurity line of business or more lines of cybersecurity business, then that’s an excellent new income stream. If not, that still highlights the commitment of the MSP to take on sophisticated and strategic issues.
It improves the overall impression of the MSP and helps minimize risk findings during a TPRM review. It shows the MSP’s commitment to being a good business partner, which is critical to an MSP’s role.
How Can MSPs Utilize Techniques to Educate Clients?
There are many ways MSPs can help educate clients and help them understand human vulnerability. The options depend on how core information security is to an MSP’s lines of business and whether or not the MSP would consider integrating information security into their lines of business or adopting it as a new line of business.
Here are some ways to inform your clients about security education:
1. Communicate About Human Vulnerability and Cybersecurity
There’s never a wrong time to have a conversation about information security. Business email compromise, phishing and other forms of social engineering are common enough threats that every organization will find themselves targeted by those attacks. Let your client know that you’re taking it seriously and communicate some of the steps you’re performing, such as:
- Tabletops
- Education
- Phishing exercises
Make sure you keep those lines of dialogue going throughout the year. Ask your client what they're doing on their end. If your client’s having difficulty, maybe suggest someone on your security team to whom the client can speak.
Building that comfort not only helps develop a rapport with your client about a mutual problem but also makes sure they’ll think of you when they’re attacked. You’ll want to know as soon as possible, and those conversations help promote that reporting speed.
2. Contractually Mandate Human Security Practices
The wonderful thing about contracts is that you can use them to memorialize an agreement for anything. If the subject matter’s legal, they’re even enforceable!
It’s very uncommon to see a contract that doesn’t address information security in some way, whether TPRM, indemnities or hold-harmless clauses. What’s disappointing is that more contracts don’t contain provisions around mutual security safeguards.
If I had to speculate, it’s because organizations don’t want lopsided liability, and everyone wants to be treated fairly during contracting. A lot of information security provisions, however, seek to have the upper hand: establish who’s responsible for paying for what when a breach happens.
Flipping that inequity on its head does a service to all parties. Acknowledging that cybersecurity is a problem and risk mitigation is a necessity is a good thing. Contracts can include mutual risk mitigation provisions, such as:
- Everyone must have an anti-phishing program
- Everyone must perform security training
- Everyone must report suspected compromises
- Interconnections will be severed when there is a reported compromise
Even if only those four provisions are outlined in a contract, every MSP client and the MSP are orders of magnitude safer than before those safeguards were in place.
3. Provide Security Training
Going a step further than just contracting for security practices, you can offer client training on good security practices. This way, you can guarantee that the practices exist and control the syllabus and narrative around those practices. That’s a powerful position to be in, and the MSP can effectively cater to its own security program and needs with that training.
Alternatively, an MSP taking on any part of its clients’ security posture management opens the door for finger-pointing in the event of a security incident.
It’s no longer the client’s only problem if there’s a breach — it’s also the MSPs in a less suggestive way than the threat actor may compromise the MSP network. Now there’s the very real connection that the breach may have been caused by a purported “failure” in education.
4. Consider Additional Security Services
In for a penny, in for a pound. If an MSP is already considering providing security services, they can also evaluate other in-depth security services, such as:
- Tabletop exercises
- Phishing drills
- Risk management services
Providing security services in addition to whatever core line of business the MSP provides can help enhance those services, generate revenue and safeguard other revenue streams.
By creating a common security fabric, an MSP doesn’t need to worry about its clients’ postures or the risks to the data it holds on behalf of clients. Ostensibly, it will have that data available and can model its own risks based on that data.
Mitigate Human Vulnerability With Phin Security
MSPs hold a special place, with most clients being integrated enough to be considered part of their client’s operations and important enough to be serving mission-critical needs. As a result of that position, most MSPs can influence and drive client operations. With the right solutions, MSPs have the power to exert significant influence on information security, particularly against human-based threats.
At Phin Security, we offer advanced security awareness training to equip your team with the skills and tools they need to address human vulnerability. When it comes to defending your company against complicated attacks, being proactive is the best tool. Start your free trial today to learn more about our training and phishing prevention solutions.
