If security is the responsibility of everyone within an organization, not just the MSP that's serving that business, how do you get your clients to take compliance regulations seriously? How does BYOD increase security risks in verticals like healthcare? What don't your clients understand about data storage and information sharing?
Last year at our inaugural user conference, Navigate, we assembled some of the brightest minds in IT security and compliance to answer these very questions. To get our partners excited about Navigate 2015 in Vegas, we're taking a look back at one of our most engaging panel discussions from the event. Even if you're not a partner, you'll want to learn how your MSP peers navigate this ever-changing dimension of managed IT services, especially if you're serving one of the main verticals.
Featured Speakers & Panelists:
- Nicholas Bruno, Chief Information Security Officer at Continuum (November 2013 - April 2015)
- Charles Love, Director of Service and Cloud Operations for Big Sur Technologies
- Chris Johnson, CEO and Co-Founder of Untangled Solutions
- Win Pham, VP of Software Development for RapidFire Tools
Security and compliance creates a lot of opportunities for an MSP. How do you approach your clients and what risks do you take on?
As you'll see when you download the full recording of the panel below, the general consensus was that you have to know what you're signing yourself up for when you enter a vertical with its own set of compliance regulations. Take healthcare IT, for example. If you're going to serve clients in this space, you have to understand that there is significant risk involved, and then take proactive measures to reduce that risk and liability. Within the HIPAA compliance context, Chris stresses that you get Business Associates (BA) Agreements signed with indemnification clauses worked in.
When detailing compliant services, MSPs often make the mistake of over-promising. The panel also unanimously held that you should NEVER tell your clients you'll make them compliant. No guarantee, no promise.
You brought up that education is key and that you should be educating clients on best practices for compliance. There are also security risks that MSPs help their clients with. What are some of those risks that you should be addressing for your clients? What do you educate them on, and how do you help them?
Charles advocates basic user education. You need to teach your clients not to send social security numbers (SSNs) and medical information in emails. As I'm sure you've found in your own experience, people still do. How then do you respond? By establishing a system that protects them. For Charles and Big Sur Technologies, that means putting policies in place, be it third party tools or whatever, that help them fix the error-prone human element. One of their big defenses is email encryption.
The other main theme that arose was how we often forget about the many places information is stored and how that data is shared. Two of the main culprits? Office copiers and USB drives. Chris shared experience working with a client whose finance department repeatedly stored scan jobs in an anonymous folder, but hadn't purged the contents of that folder in two years. Think about all of the W2 forms, social security cards, and driver licenses that were scanned over that time period. To just have that data living there unregulated for anyone to access is a huge security concern, but clients often don't realize this.
This ease of data transferring becomes even more troubling in the world of mobile IT. Chris once noticed a bank was offering charging stations for anyone to plug their phone into. The risk of allowing hotspot-enabled mobile devices to connect to bank terminals had not originally occurred to management.
The topic of mobile device management then sparked a conversation around BYOD...
Are there any other concerns with BYOD? What other risks should we be educating clients on?
All of the panelists agreed about the security concerns regarding BYOD with varying levels of intensity. Chris simply stated that "BYOD is bad," but then acknowledged that many companies can't afford to get rid of it. While a BYOD business model that's used as a pane of glass to remotely access data where that data is not being transferred between host and endpoint is obviously a better approach than others, how do you handle those clients that insist on bringing mobile devices into the office? Charles reminds us that for the concern of a phone acting like a USB drive, for instance, you can disable this feature with mobile device management (MDM) instituted. If anything should happen to an employee's phone, that data can also then be wiped. Note: that is not always the case with companies that give staff phones to use for business and personal use.
Who’s using social media as a business tool? What should we be telling clients and what methods should we take to balance our risk with social media?
The panelists described how the security problem is similar to clients opening unknown email attachments. If clients don't know what they're clicking on or where it leads, they could be inviting all kinds of malware or viruses. Especially with social media, link shorteners mask the actual URL so people who see it don't know where they'll be redirected to. Attackers can take advantage of this and tease a malicious link with copy they think would encourage the click. Then, once they have your clients, these hackers can access the data on their devices. What data do you think they'd find if they gained entry to your customers' devices and/or networks? This very real threat is why Charles reminds fellow MSPs to be prepared with firewall, antivirus, and malware protection.
Also, encourage clients to exercise discretion. Is there such a thing as Internet privacy when everything that happens online stays online? Even in their own personal social media use, clients should understand that everything they do or post could either reflect positively or negatively on their companies.
How do you get clients to take compliance regulations seriously?
What do you do when your clients don't take compliance regulations seriously? Make sure your MSP business is covered! In the panel, Charles explained how he handles healthcare customers that won't sign BA Agreements. Instead, he makes them sign a separate statement declaring that his company advised them to sign the BA Agreement, but they opted out. This prevents them from turning around and saying they didn't know about [insert HIPAA compliance regulation], and deflects the blame from you as their trusted advisor. Your job revolves around protecting your clients, but you also have to look out for yourself and your own MSP practice.
Speaking of BA agreements, Chris dissuades you from setting one up with someone who's using your services for project work, but won't be a client after that work is completed. Similarly, he urges MSPs with prospects that are already asking them to sign BA agreements to highlight how they're currently managing the associated compliance regulations for their businesses. Unless these agreements have a lot of indemnification policies, don't sign until you start dialing in their business.
Ready to journey back to our inaugural user conference with this full Navigate discussion?
- 7 Things to Know about (Inbound) Marketing: Navigate 2014 Flashback
- What MSPs Need to Know about Compliance: Your IT Policy Checklist by Vertical
- How to Add HIPAA Compliance to Your Service Offering
Looking for more information on Navigate 2015?
Follow Navigate 2015 announcements and buzz here!
By Meaghan Moraes
By George Anderson
By Gretchen Hoffman