MSP and ConnectWise exec discuss security pressures, readiness and tackling the issue
Cybersecurity is leaving MSPs constantly catching up and feeling intense pressure, according to channel players.
Joy Beland, senior director of cybersecurity education at ConnectWise, told CPI in an interview that MSPs trying to tackle cybersecurity head-on may be finding it "terrifying".
Meanwhile, Courtney Briddes, VP of managed services operations at Royersford, PA MSP Eb Logix, said that service providers are "behind the ball" when it comes to cybersecurity and that the situation is "scary".
"The first key impact is that [MSPs are] learning a new skill set, and not just protecting their own business but learning to protect their clients," Beland explained. "And that is something that is stressful and either can be something that they embrace and take on and reinvent themselves as a cyber superhero, or it can be terrifying and make them feel like they're behind in everything that they're doing, which is…a really stressful time for the engineers and the owners."
Briddes agreed, adding that MSPs are coming to realize that they are very likely behind the curve when it comes to keeping on top of cybercriminals.
"It's scary; very scary," she said. "It's one of those things where you think that you're doing what you need to do and then you find out ‘wow, we really need to step it up'. And…we're all behind the ball - the MSP industry as a whole is behind the ball and we're in a kind of reactive mode, which is not indicative of what MSPs are supposed to be about. We're supposed to be about being proactive and monitoring and taking care of things before they break."
One of the major problems, Briddes notes, is the resources cybercriminals have access to and how MSPs can tackle that.
"These guys have so much money…and I don't know how we can stay on top of it other than putting together a tool stack that helps to prevent these attacks."
When it comes to the pressure MSPs are feeling, Beland notes that MSP owners and in-house engineers are the people who will be feeling the most pressure from trying to get cybersecurity right. "I think that the owner is feeling such tremendous fiscal responsibility and fear behind everything they've built, and having the knowledge that they may be held accountable for something that they haven't clarified in their contracts, while having to rely on their staff who may or may not have the level of education or confidence or expertise [needed]…"
Technicians and engineers, meanwhile, may find themselves having to incorporate security without the time and money to get the proper education, Beland said, describing this as "a tremendous amount of responsibility on their shoulders".
This is all compounded by the pressure the MSP feels more broadly knowing the potential impacts of a customer breach.
"What I hear and what I see when I talk to MSP owners is how hard it is to be in business now, knowing you could lose it any day, knowing that your entire team - every resource you have - might have to be deployed on something and how are you going to be able to effectively manage the needs of all of your other clients? If there's a major breach at one of your clients, your engineers will be expected to do so much more to secure environments without being given a lot of technical training and support in how to do that."
One way MSPs can tackle the issue is by revisiting how they incorporate cybersecurity training into their culture, Beland said. It's important to consider the benefits of increased training, along with more remote working and more self-care initiatives, she suggested.
As an example, Beland noted that during her time as an MSP owner, she involved her entire staff in incident response training, including operations staff, accounting staff, "marketing, interns, the dispatcher - everybody", she explained.
"All of us went through it together so that the whole team could see what kind of burden is on the backs of the engineers when they go through incident response. And they would learn to support the engineers in ways like ordering lunch for them and just giving them the support that they need in whatever way is the most appropriate at the time."
This, she said, gave the engineers a better level of confidence for carrying out live incident response planning.
"I think the entire team was bolstered in a new way with our internal culture to be really all in and all for one. The separation that naturally starts to happen between technicians and marketing or accounting, for example, in any type of a technology service provider needs to be brought back together to really support the mental health of everybody and make them even more of a team in this kind of an environment."