Four Best Practices for MSP Compliance

The Importance of Thorough and Reliable Network Compliance Management

The MSP market is in a major growth phase. Some estimates put it at $243 billion in 2021 and forecast growth of nearly 33%, reaching nearly $355 billion by 2026. Whilst that’s positive news for businesses providing managed IT and related services to organizations that choose to outsource their technical services and support, it comes with associated risks and responsibilities.

Compliance standards that relate to data protection and security are numerous. These are not easy issues to manage, and they require specialized knowledge and experience to address properly.

Individual and industry certifications that demonstrate an MSP’s ability to protect data and support compliance programs are on the horizon as efforts are underway to formally professionalize the industry. Any MSP that does not get on board with these efforts can expect to be left behind.

Key Compliance Standards for MSPs

GDPR – The European Union’s General Data Protection Regulation is the omnibus law under which all personally identifiable information (PII), such as health and financial data, is secured and managed.

HIPAA – In the U.S., protected health information (PHI) is regulated under the Health Insurance Portability and Accountability Act.

PCI-DSS – While not a regulation, many states look to the Payment Card Industry Data Security Standard as a required guideline for protecting consumer payment card data.

SOX – Sarbanes-Oxley established standards for the management and protection of certain types of business data, such as financial records and intellectual property, in the U.S.

GLBA – The Gramm-Leach-Bliley Act regulates the security and management of data for financial services firms in the U.S.

ECA – In the UK, the Electronic Communications Act 2000 regulates the sharing and security of data associated with electronic commerce.

PIPL – In China, the collection, storage, and transfer of consumer data is regulated by the Personal Information Protection Law.

Why Compliance is Essential for MSPs

Service providers with an understanding of the risks associated with data management, and that follow best practices around security and compliance, can establish themselves as trusted partners at a time when risk management is a business imperative.

The threat to the MSP industry has only grown more serious. In May 2022 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory with their “Five Eyes” peers in Australia, Canada, New Zealand, and the UK warning of threats specific to managed service providers.

CISA’s recommendation that customers get directly involved by ensuring that their MSP partners undertake certain security measures—and to contractually obligate MSPs to those measures—is yet another signal that the game is changing, and that MSPs must regard cybersecurity as a business imperative. A recent ScienceLogic survey that found 46% of European managed service providers are concerned about security issues confirms that MSPs are thinking about these trends. But thinking does not necessarily equate to action, and MSPs need to act.

Market pressures now demand that MSPs create and document security programs, earn certifications in certain security disciplines, and train or hire professionals with bona fides like Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Information Privacy Professional (CIPP), and Certified Information Security Manager (CISM). And security isn’t just about preventing cyberattacks and avoiding data breaches; it is about complying with the many security and privacy regulations that dictate how various kinds of sensitive data—like financial, healthcare, personal, and intellectual property—are protected and managed.

According to the most recent IBM/Ponemon Institute “Cost of a Data Breach Report,” the average cost to organizations that suffer a data breach is $4.24 million per incident. That figure aggregates several factors, including fines, legal fees, technical forensics and remediation, increased marketing, and losses associated with declining business opportunities and increased customer churn due to damaged brand reputation. For the most egregious incidents, however, costs can be higher. Significantly higher.

The Importance of Thorough and Reliable Compliance Management

Maintaining a compliance program is a daunting task, and one that is not possible without automation specific to the various aspects of tracking and documentation. When moment-to-moment operations and changes at the device level need to be tracked, backed up, managed, and documented, a solution like Restorepoint can cut staff time dedicated to such tasks by more than 50%, while increasing the scope, scale, and accuracy of the results. And because actions that can’t be confirmed are assumed to be non-compliant if an audit is conducted, thorough documentation can equate to millions of dollars saved by avoiding fines.

Four Best Practices for MSP Compliance

For MSPs that want to minimize the risks associated with a data breach and associated fines for regulatory non-compliance, we recommend four best practices:

  • Actively track, verify, and manage system and configuration changes. According to the most recent Verizon Data Breach Investigations Report, misconfigurations contribute to as many as 15% of data breaches. Unauthorized and unplanned configuration changes are also a high-priority indicator of compromise (IoC) and should be investigated as a possible breach in order to contain potential attack effects and limit damage.
  • Build, manage, and document specific compliance policies. Written plans are required by regulators and serve as a reassurance to customers and prospects. Documentation of plans, updates, and ongoing compliance processes is also a requirement of security and compliance auditors. Compliance is not a one-size-fits-all exercise. As previously discussed, specific requirements apply depending on industry, geography, and any cross-border transfers of data involved.
  • Ensure configuration and data backup processes are in place and have a failsafe recovery plan. When misconfigurations are detected, or if unauthorized changes (either malicious or made in error) are applied to data systems, having a backup available for rapid restoration is vital. But simply restoring previously saved configurations is not enough. A complete disaster recovery and business continuity plan should be in place to cover contingencies ranging from simple errors to major cyberattacks, including events like denial-of-service attacks or ransomware infections.
  • Eliminate operational and data silos. When systems and data are stovepiped, it creates complexity for data management tools and systems. Unifying operational systems means tools can see all relevant processes, making compliance management and monitoring more efficient.
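One way to implement the first and third practices in code, as an added example that is not Restorepoint's or ScienceLogic's own: compare a device's current configuration against its approved baseline, classify each difference as covered by a change record or as unauthorized (the IoC case above), and fingerprint the baseline so a backup can be verified before it is restored. The router configs, the change record and all addresses are constructed for the example.

```python
"""Configuration drift check: baseline vs. current snapshot, with each change
classified as approved (has a change record) or unauthorized (investigate)."""
import hashlib

# Constructed baseline config of a hypothetical edge router ("setting value" lines).
BASELINE = """hostname edge-rtr-01
snmp-server community public RO
logging host 10.0.0.5
ntp server 10.0.0.6
"""

# Constructed current snapshot: the ntp change was planned, the logging change was not.
CURRENT = """hostname edge-rtr-01
snmp-server community public RO
logging host 203.0.113.9
ntp server 10.0.0.7
"""

# Constructed change-management record: settings allowed to change, and by which ticket.
APPROVED_CHANGES = {"ntp server": "CHG-0042 approved by netops"}

def fingerprint(config: str) -> str:
    """SHA-256 of the whitespace-normalised config; stored next to each backup so a
    restore candidate can be checked for tampering before it is pushed to a device."""
    normalised = "\n".join(line.strip() for line in config.strip().splitlines())
    return hashlib.sha256(normalised.encode()).hexdigest()

def parse(config: str) -> dict:
    """Map each line to {setting: value}; the last token of a line is its value."""
    settings = {}
    for line in config.strip().splitlines():
        key, _, value = line.strip().rpartition(" ")
        settings[key] = value
    return settings

def drift_report(baseline: str, current: str, approved: dict) -> dict:
    """Return {'approved': {...}, 'unauthorized': {...}} keyed by setting, with
    (old_value, new_value) per entry; added or removed settings carry None."""
    old, new = parse(baseline), parse(current)
    report = {"approved": {}, "unauthorized": {}}
    for key in sorted(old.keys() | new.keys()):
        if old.get(key) == new.get(key):
            continue  # unchanged setting, nothing to record
        bucket = "approved" if key in approved else "unauthorized"
        report[bucket][key] = (old.get(key), new.get(key))
    return report

if __name__ == "__main__":
    report = drift_report(BASELINE, CURRENT, APPROVED_CHANGES)
    for key, (old, new) in report["unauthorized"].items():
        print(f"INVESTIGATE {key}: {old!r} -> {new!r} (no change record)")
    for key, (old, new) in report["approved"].items():
        print(f"ok {key}: {old!r} -> {new!r} ({APPROVED_CHANGES[key]})")
    if report["unauthorized"]:
        print("restore candidate: baseline", fingerprint(BASELINE)[:12])
```

Running the script flags the logging-host change for investigation and prints the baseline fingerprint to compare against the stored backup before any restoration.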

If you are a managed services provider searching for a solution to help substantially lower your organization’s and customers’ exposure to security, compliance, and availability risks that are commonly overlooked and frequently unforeseen, reach out with questions specific to your situation. Book a Restorepoint demo.  
