“Aim high” is the long-time slogan used on U.S. Air Force recruitment posters, but that same phrase has just as important a place in the cybersecurity services community. MSPs cannot afford to let their SMB clients skate by with subpar data practices and network protections. The risks are simply too big for your customers, and the liabilities are also on the rise for your firm as well as any others involved in designing, building, and maintaining organizations’ defensive postures.
MSPs have an opportunity, if not an obligation, to set a high bar for their clients. Despite time and budget restrictions, the SMB looks to providers like you for advice and expertise in the cybersecurity space, and those companies should always aspire to the gold standard in data and network protection. In today’s high-risk, escalating threat environment, investments in those areas make good business sense, though that doesn’t mean every organization will be willing and able to pay for them.
One of the MSP’s roles is to challenge the norm and educate their clients on the rising dangers and to help them implement industry best practices and cost-effective solutions. Sure, you may have to poke and prod some of the more reluctant business owners, but you can rest easy knowing your team is doing its best to protect everyone’s best interests.
The New Baseline
GDPR (The EU General Data Protection Regulation) is not just the latest in a string of escalating compliance measures; it expanded the reach and scope of information security and privacy across the globe. While IT and legal experts correctly assert that this new standard does not set the ultimate bar in that arena, most recognize that these guidelines are raising protection awareness, and tightening the screws on the business community.
GDPR was intended to standardize data protection for EU citizens, but it also forces MSPs, cloud services providers, and others who support clients in those countries to follow the prescribed guidelines. As a “data processor,” those companies are held to the same rules regardless of where in the world their home office is located. All that matters is the location of the end user. All information that originates in the EU is covered under GDPR.
For example, if a New York City-based MSP manages information storage and security for an insurance company headquartered in New Jersey with just one customer who resides in the EU, GDPR compliance is a concern. That regulation has long arms, not just geographically but across the IT ecosystem, and the responsibilities go far beyond most other data standards.
This compliance measure also gives MSPs a glimpse of the future. Similar regulations are being proposed by U.S. government officials and legislators in several states, and legal experts suggest others are simply waiting in the wings to see which options could offer greater protection for their constituents. It’s less a matter of “if” than “when” legislators and regulators implement new standards.
Raise the Bar for Your Clients
Industry resources, including the NIST framework, the SANS Critical Security Controls, and the CompTIA Channel Security Standard, are available to help MSPs elevate their knowledge and skills in the data and network protection space. You can leverage that information to increase your team’s data protection expertise, strengthen internal and client best practices, and advance your reputation in the community. Cybersecurity is the differentiator that can help your firm stand out in today’s increasingly competitive marketplace, and enhancing your skills and understanding of various compliance requirements will open even more doors in the future.
As the “proactive experts,” MSPs can help their SMB clients get ahead of the inevitable introduction of even stronger data protection and privacy rules. While many say GDPR is the current high-water mark for security (including consent for storing and processing data, encryption of certain information, and specific breach notification timelines and procedures), you should be planning for the compliance requirements to come.
Review the GDPR standards and adapt your services (and your clients’ security practices and policies) accordingly. Keep abreast of industry news related to federal, state, local, and global legislative actions, as well as new industry-imposed rules and updates for issues that could impact your clients. For example, many channel professionals follow the CompTIA Advocacy blog and press releases for the latest public policy updates related to cybersecurity.
A little extra homework and preparation on the compliance side can significantly boost your expertise and your MSP’s value. Are you ready to raise the cybersecurity bar in your practice?
Brian Sherman, Content Director, IoTSSA