Data loss, data breaches, BYOD, insider threats, Web threats and email threats are some of the most dangerous security...
risks facing an MSP practice, according to a recent webinar hosted by the MSPAlliance, an international association of cloud and managed service providers.
In the hour-long webinar, "The Most Dangerous Security Risks Facing Your MSP Practice in 2014," panelists, as well as virtual attendees, chimed in on top security threats that both managed service providers (MSPs) and customers face, as well as the role MSPs play in advocating, educating and providing services for their customers.
The live and interactive webinar included several panelists: Nelson Gomes, president, CEO and founder of PriorityOne Group, a company providing managed services and cloud services primarily to the healthcare vertical; Steve Ferman, president and CEO of Compunite Computer Inc., a pure-play MSP focusing on the legal services industry; Alex Chudacoff, senior sales engineer from security vendor EdgeWave Inc., which sponsored the webinar; and host Charles Weaver, CEO and founder of the MSPAlliance.
Setting the stage for the discussion on security, a quick audience poll found many customer companies are still wishy-washy when it comes to taking security seriously. The poll suggested 22% are serious about security, 67% are somewhat serious about security, and 11% are not serious at all about security.
That pretty much aligned with the panelists' experience. "Some are extremely serious about security, but the majority are not as aware of security threats and depend on us to protect and manage security for them," said Furman, who added that it's incumbent upon his organization to understand the security threats out there and to educate customers.
He also noted that organizations of 100 to 200 employees tend to be less aware than larger enterprises with IT staff.
Gomes said that it's the job of his company to educate customers about risk and protection. In fact, in the healthcare sector that PriorityOne Group addresses (healthcare provider practices with 1 to 40 professionals, surgical centers and ambulatory surgical centers), concerns go beyond security and privacy to compliance and the technology a company needs to put in place.
"A healthcare customer may or may not know about compliance and they may bring in someone to help them on the compliance side. But those people often fall short when it comes to providing the right solution for security and compliance -- so finding the right people is key," he added.
A data breach, the unauthorized access to data that belongs to a service provider's customer, was the first security threat addressed. Noting that there are security breach notification laws in place in more than half of all states in the U.S., Weaver mentioned the significant cost associated with a data breach.
Besides the cost, MSPs and customers both suffer loss of customer confidence and uncertainty around what was compromised following a data breach.
"People in healthcare are going to be held accountable and they're going to get hit in the pocket. When you have these kinds of laws in place, it's our responsibility to help them understand the risk if you don't do it," Gomes said.
It's equally important for an MSP to have its own policy in place for notification in the event of a security breach. "As an MSP, we're considered a 'business associate' to those healthcare clients, and if we touch, see or view PHI [personal health information], we need to be compliant," he said.
Moving on, the panel addressed risks stemming from the bring your own device (BYOD) and bring your own cloud (BYOC) trends. Panelists agreed that BYOD and BYOC present huge security risks for companies. MSPs have the opportunity to provide BYOD management tools, suggest BYOD policies and procedures, and help clients segment work and personal data and clouds.
"The truth of the matter is that most companies aren't 100% in the cloud, that they have some kind of mix as to where data resides, and that's a huge security risk," said Ferman, adding that online file-sharing companies such as Dropbox and Box have taken businesses by storm.
Revisiting the importance for an MSP practice to have security policies and procedures in place, Gomes added that as part of the onboarding process, MSPs have to ask customers about the types of devices employees use and the data they store, as well as where they store it and how.
"If I'm an MSP and I'm supporting a customer, this is the information I want to know," he said. This type of information is useful to help put together solutions that make customers secure and compliant.
From the vendor perspective, Chudacoff noted that while there may be several dozen mobile device management solutions on the market, products still need to be refined regarding balancing IT control of these devices and data and getting users comfortable with a certain level of control.
It's also important that MSPs put policies in place to protect their own data as well as their customers', Weaver said.
The next security risk addressed was data loss. It harms MSPs and customers in multiple ways: loss of confidence, negative publicity, legal costs and regulatory fines. MSPs can protect themselves and customers by having insurance, service-level agreements, internal controls, and physical and logical security.
Insider threats are often a bigger risk than a malicious data breach to MSPs and customers. The potential harm from someone on the inside, who may even cause a security risk by accident, includes legal liability, damage to or loss of MSP intellectual property, malicious harm to the MSP and customers, and accidental damage.
The panel consensus was that these threats and breaches are inevitable, so it's critical that MSPs and their customers have good data protection, good backup and good retention schedules in place.
"As an MSP, make sure that you have the right insurance," Gomes said. "At the same time, educating your client is key," he added.