A Managed Services Provider (MSP), basically, takes a company's IT burden off their shoulders. They are typically a strong IT services and cyber security solutions provider, also offering desktop and workstation management, virtual or physical server implementation, a Help Desk partner, and offering solutions for just about any other IT need. They specialize in managed IT services for small businesses but can expand to the large enterprise as well. A good team of IT technicians will have the expertise to handle any IT problem (and they will have the certifications to prove it). They are an exceptional resource and businesses around the world are needful and thankful for the services they provide.
That being said, and data hackers being what they are, there are (and will be) security breaches. Spin the nastiness of security breaches and hacking any way you want, it has, can, and will continue to happen. Let's explore the causes and costs to an MSP when a data breach occurs, and discuss some prevention techniques to, hopefully, mitigate the damage.
According to a recent post from Mitnick Security, there are 5 predominant types of hacking:
- Social Engineering and Phishing
- Malware-Injecting Devices
- Missing Security Patches
- Cracking Passwords
- Distributed Denial-of-Service (DDoS)
“Hackers are usually after two things from your business: data or money. Usually they’re motivated by both, as uncovering a wealth of data can help them to cash in,” the post relates. “According to a data breach investigation by Verizon, 43% of breach victims were small businesses.”
Costs of a data breach
In a recent 2020 report from the Ponemon Institute and IBM Security, the average total cost of a data breach this year, to date, is $3.86 million – a dip from last year’s number of $3.92 million but an increase of 12% in the past five years. So, who pays the costs – the customer or the managed service provider? It depends. Some MSPs have contracts and service level agreements that absorb the costs in total or either indemnifies them, or provides for a portion of the costs, which is normally absorbed by business insurance. It could be that the end customer pays the entire costs, regardless of an MSP being involved – but that's a rarer scenario, these days. Rest assured, the costs are shared by both, one way or the other. Let’s break it down.
According to SolarWinds, for MSPs, there are different types of “costs”: direct costs, indirect costs, and hidden costs. For our purposes, we’ll translate these simply to customers and loyalty, brand reputation, and finally, the loss of cold hard cash.
Customers & Loyalty
How long did it take you to get that customer? What resources were consumed in getting that lead, nurturing it, bringing it to close and then its total lifetime value (loyalty)? Tough to calculate but based on business size, let’s guesstimate:
MSP Average Revenue
• $1M to $50M = $1 Million (based on 5-year contract)
• $50 to $100 Million = $2.5 Million (based on 5-year contract)
• $100 to $500 Million = 3.95 million (based on 5-year contract)
In this example, the average cost to acquire that customer and keep them loyal (lifetime customer value) is $2.05 million. Got that lying around?
Brand reputation is a tougher one to calculate, so we don’t offer an actual number but rather some things to ponder. How much did you invest in building your business? Do you rely on referral business from satisfied customers? How many employees rely on your business to sustain their families and way of life? What would it cost you, today, to rebuild that business, if it were lost due to a massive payout due to a client data breach you were responsible for? Suffice it to say, don’t damage your brand’s reputation – it is the foundation of your business.
The actual amount of cash lost is also varying, depending on the type of breach, payout (if any), and legal damages brought on by customers. Hackers can demand a percentage of your annual revenue, payable in bitcoin or other digital, monetary medium to an untraceable digital address or account. For larger client companies, this could be in the many millions of dollars. If your customer is an SMB, a hacker could just flat out ask for a standard, small and easily payable amount between $10K - $20K.
On the other hand, they may not ask for anything and merely might have stolen the data for resale on the dark web or for the pure psychotic joy of it. How much is your customer’s data worth?
Tips for MSPs looking to keep their customers safe
In our recent blog we mapped out the major tips for keeping customers safe. The same applies for MSPs – but even more so! The below is a summary taken from that latest blog:
Keep an eye out for security breaches:
- Adopt a more proactive outlook to strengthen your clients’ overall strategy.
- Remind their employees to carry out general security checks, use security best practices, and review and update any disaster recovery plans.
Develop a sustenance plan for business continuity for your client:
- This should be an efficient plan for sustaining critical infrastructure at the time of crisis for quick disaster recovery. Train for it and practice it with trial runs.
- With the current pandemic, an increase in remote teams means stressed IT teams for you and your client, so opt for web-based service portals to support these business needs.
- Implement emergency outreach and response operations for workforce communication to share important updates and provide a centralized system for outage reporting, resource requests, management, and tracking.
Practice good cyber hygiene:
- MSP’s and their clients should communicate the security plan to employees. This plan should include security software standards that should be run on every device on which work is done, company policies and procedures to secure data, along with cybersecurity awareness and training to keep everybody on the new and informed.
Remind client end-users to take the following measures:
- Refrain from installing new applications without the MSP/IT team's approval.
- Disconnect devices from the corporate VPN when not in use.
- Identify and report malicious phishing scams or malware – these are commonly spread through emails, text messages, or social media.
- Do NOT use personal devices for work-related purposes.
- Make sure that corporate or personal WiFi routers are up to date and equipped with WPA2 security or higher.
- Secure all client accounts with strong passwords and two-factor authentication.
GlobalSign works with MSPs across the globe, providing PKI-based identity and authentication solutions. We would be happy to discuss any of the above practices and decide on a plan that suits your MSP business to help you meet customer needs. Let’s talk!