A number of MSP owners have been asking me about their cyber liability policies lately. In recent months, many cyber insurance providers have started to turn away MSPs as policyholders because they simply are too risky to do business with.

What these insurance agencies are saying is that MSPs are holding onto too much risk, making them money pits when it comes to the aftermath of data breaches and ransomware attacks. The problem for you, if this ends up happening, is that you have nowhere to transfer any of your risk.

What is risk for an MSP?

Think about your biggest risks for a minute. I’m sure at the top of the list are losing clients, being unprofitable, or the economy tanking to the point where your client base cannot afford your service offerings.

Other risks might be competitors taking clients or drawing prospects away from your business, employees stealing data or leaving your business at risk of outages, and vendors or channel partners that are themselves susceptible to cyberattacks.

That’s not to mention your clients or your own business network succumbing to breaches or ransomware attacks on your watch. Suffice it to say that today, more than ever, as a managed services provider you and your team deal with an enormous number of risks on a daily basis.

While some risks like clients leaving or competitors luring clients away with low prices might not be entirely visible or known, most of the risks your MSP is dealing with—especially on the cybersecurity front—are known and completely actionable.

One of your biggest challenges will be communicating top risks to your clients.

When I was running my MSP, it took me quite some time to figure out that I needed to clearly communicate the risks clients need to understand when it comes to IT infrastructure and support. When I started out, I was the guy that wrote headlines like “we handle your IT so you can focus on your business”. What I learned over time is that promising too much or taking on too much risk is NOT the way to run your MSP.

When I am working with clients that may not understand the tech, I make sure to put security into a context they understand. Whatever you do, you need to tell the story about risk in lingo they understand.

Ways to limit your risk and liability?

Below are 5 ways you can start limiting your risks, especially if a cyber insurance provider asks to assess your operations.

Make sure you have a security training program that goes beyond basic user training—since your team is likely supporting thousands of endpoints, making sure that they are trained beyond the basics is important. They should have some understanding of hardening all your security layers. Our partners benefit from Security Operations (SecOps) training.

Make sure you are managing your access controls—one of the biggest weaknesses across many MSPs is that they don’t make sure their accounts are MFA-enabled. Many also do not monitor for changes in accounts, leaving themselves vulnerable to lateral attacks that can be crippling.

Focus on the state of your cyber hygiene—instead of simply focusing on patching (which often breaks down in the testing phase), your team should be able to identify the easy-to-fix gaps within your security program. Our partners typically rely on monthly assessments of their networks to ensure that changes did not open the door to attacks.

Prioritize data encryption—you probably subscribe to the mantra of encrypting your data, but we see countless MSPs storing sensitive data that is not encrypted. Create a data access management policy and plan (and spot check that your plan is working) to keep sensitive data from drifting.

Assess your vendors—make sure all your vendors have proof that they are keeping your network secure, especially those that have direct access to your network and that of your clients. At the very least, have a detailed questionnaire to certify the controls they have in place to mitigate attacks. For specific vendors with extended reach within your network (think your RMM), you might want additional validation points in place.

Cybersecurity risks shouldered by MSPs don’t have to be as heavy as they currently seem. The more you optimize your processes and policies, the better off you will be in terms of risk load.

Want to evaluate your cyber stack?

Consider evaluating your vulnerabilities at www.galacticscan.com/stack.