For every size and type of company, there is a managed service provider (MSP) that can take care of its cybersecurity. “Whether you’re an NGO, a car dealership, or a gaming studio, an MSP can help you focus on your core competencies, while they take care of the day-to-day agenda, like monitoring firewalls and security logs,” explains Charles Weaver, co-founder and CEO of the MSPAlliance, which unites more than 30,000 MSPs worldwide. Who better to take advice from if you want to take the security of your business seriously? Here are some of his tips.
You can’t do it all, and that’s fine
Unless you are a large enterprise, a government entity, or a business engaged in defense contracting, you probably don’t have the resources, technology, and experience to be able to defend your IT infrastructure 24 hours a day, 365 days a year. “It’s a very difficult proposition. On top of internal requests, updates, and projects, the IT administrators should focus on the company’s IT strategy and business issues. Naturally, they can’t do it all, and that’s when an MSP can step in,” says Weaver. So, the very first thing you need to do on your way to securing a high-quality MSP partner is admitting you need one.
How has the role of MSPs been changing?
The MSPAlliance was founded in 2000. “Since then, the threat landscape has changed dramatically. The world now relies on technology more than ever. And all the data needs to be managed and protected – that’s why the role of MSPs has been increasing too,” explains Weaver. “Twenty years ago, cyberattacks were a lot more targeted, focusing on certain types of organizations, like banks, etc. But now, with the attacks becoming ubiquitous and aiming at businesses of all sizes, cybersecurity is in the interest of every single one of us. Everyone has something valuable to the attackers. With cyberattacks being on the rise and information about high-profile data breaches and ransomware attacks finding its way not only to the IT community but also to non-professionals, small businesses are finally starting to take cybersecurity seriously.”
Charles Weaver, co-founder and CEO of the MSPAlliance
The MSP size should mirror the needs of your business
Ideally, small businesses should invest in smaller MSPs. “There is a higher probability they would better understand the needs of the customer’s organization, since they are a similar size,” claims Weaver. Also, the cost of a smaller MSP would probably better correspond with the resources small and medium businesses (SMBs) allocate for external IT support. And what about having more MSPs? “That is usually the case for mid-market businesses and enterprises, but it can also be that a small business needs more security-specific MSPs that take care of, for example, specific applications.”
Choose an MSP that knows how to protect itself
What’s the MSP doing to protect itself against cyberattacks? That’s another question you should ask before choosing your partner. “Attacks on supply chain vendors and third parties are rising. You don’t want any type of risk to transfer to you or your organization. Therefore, asking for the MSP’s internal security practices, certifications, audits, and other materials is crucial. You should always make sure your MSP takes cybersecurity seriously when it comes to protecting itself.” For example, the software vendor providing the MSP, and thus your company, using remote management software can become a lure for cybercriminals. “The MSP’s vendors are critical supply chain targets. And the managed service provider can be the front door that attackers use to break into the whole house.”
Some basic cybersecurity requirements with which MSPs should protect themselves
Regular security scans
Internal network scanning
Using multi-factor authentication (MFA)
Ready for anything
The MSP should present a cybersecurity response plan, stating how to proceed in the case of a cyberattack. “Also, your partner company should be ready for natural disasters, from storms resulting in power outages to pandemics, due to which it might be necessary to relocate offices. Hand in hand, you should develop a business continuity and information security plan so that no unexpected events endanger your data,” adds Weaver.
“We’re at a point when everybody should expect to be attacked, including MSPs. The standard we apply in our profession is: Can you withstand and survive an attack? If you were successfully breached, could you restore and get on with normal operations, including managing your customers, without having significant downtime? That’s also what you should ask your MSP before signing the contract.”
Don’t rely on reviews alone
When looking for information about MSPs, reviews can be helpful, but they should certainly not be your only source of information. “Try to arrive at an evaluation that will be as objective as possible, investigating the MSP’s certifications, credentials, and other criteria. You always need professionals that understand your systems and data – what’s suitable for one kind of business might not be fitting for yours,” says Weaver. A similar logic applies to evaluating the price/performance ratio. “Don’t go after the lowest bid. It’s clear you want to get good value for the price you pay, but qualifications should always come first.”
The MSPAlliance is a worldwide network of more than 30,000 managed service providers. “We certify and audit MSPs, providing customers with information that helps them make well-informed decisions,” says Weaver. “Our standards applying to MSPs have existed since 2004; they’re the oldest on the market. But they’re updated regularly, sometimes even multiple times a year, since we always reflect the current legislation, such as the GDPR – it’s crucial MSPs reflect external factors in their standards.”
Ask for thorough communication and reporting
MSP found, contract signed. How can you make sure that the managed service provider has your back? “An MSP that’s doing its job should be no problem – no dramatic moments should occur; nevertheless, the natural thought of a CEO would be: ‘Why am I paying all this money, when I don’t see them working or doing anything?’ Therefore, the MSP should constantly be communicating with the customer company, providing information about its actions,” recommends Weaver. “The very least you should ask for is reporting, but ideally, the communication between the customer and the MSP should go a lot deeper.”
Charles Weaver, co-founder and CEO of the MSPAlliance
Charles Weaver is the CEO and co-founder of the MSPAlliance (the International Association of Managed Service Providers). Since its founding in 2000, the organization has grown from less than five founding members to tens of thousands of members worldwide. Under Mr. Weaver’s management, the MSPAlliance has expanded its reach and influence to include education, standards of conduct, and certifications for managed services professionals and companies.
In addition to running the daily operational activities of the MSPAlliance, Mr. Weaver writes and speaks extensively around the world on the managed services industry. His book, "The Art of Managed Services," has been read worldwide.
As a leader in the managed IT services industry, Mr. Weaver’s knowledge and expertise have been highly sought after by some of the leading technology service providers and vendors, including Cisco, Intel, Microsoft, RSA, Intuit, DELL, Raritan, Symantec, NEC, and many others. Mr. Weaver has also been featured in many publications worldwide, including the New York Times, Inc. Magazine, Financial Times, Chicago Sun-Times, Entrepreneur Magazine, Wall Street Journal, and others.
Mr. Weaver was named one of The 50 Most Influential People in Business IT by Baseline Magazine. Before starting the MSPAlliance, Mr. Weaver was an editor for one of the largest websites at internet.com with a daily readership of over 140,000. After internet.com, he led the start-up of a software company focused on the legal sector.