Time for some cold hard truth about security, folks. Around this time last year, the Department of Homeland Security issued a warning that hackers were increasingly targeting managed service providers (MSPs) to launch ransomware attacks across end-customer systems. The Australian government echoed these concerns, noting that the trend is global in nature. Since then, we’ve seen high-priced ransomware attacks follow this pathway, moving from the MSP’s systems across to its clients’ and crippling end-user organizations. Most recently, an MSP in Spain was targeted and faced ransom demands of just under US$836,000. The problem, of course, is that many MSPs overestimate the adequacy of their security preparedness.
For any MSP concerned about security, best practice is to place security at the top of the list when vetting vendors—not flashy dashboards, and certainly not price.
For those who weigh pricing as a top priority, consider the following. No one is denying that low monthly fees are desirable, especially for an MSP just starting out with a relatively modest client base. However, this is an incredibly short-sighted approach to take. If a cybercriminal were to successfully attack your MSP and access your clients’ data, how would this impact your business? Compared to a $150,000 ransomware attack, whatever you save on monthly fees is eclipsed.
On top of this, your business’s reputation takes a substantial hit, potentially putting an end to its ongoing viability. What about the expenses from a lawsuit launched by clients whose data was compromised? Even the most comprehensive insurance plan won’t be able to cover the impact to your reputation, and following an attack your insurer will likely increase your premiums and demand that you improve security.
Let’s do the math
You’re looking at the cost of a cyberattack, weighed against the money you think you’re saving.
20% of SMBs have fallen victim to a ransomware attack. The average cost of a ransomware attack in the US is now $36,295. There’s also the cost of the average 9.6 days of downtime. But you don’t pay that. Your clients do, and then you risk being sued to recover compensatory and punitive damages.
Multiply this by the number of customers you have.
If you face legal action, what’s the court going to say when they find out you prioritized cost over security? Will the judge celebrate your astute attention to your bottom line? Or will you get hit with a damages award so big you have to declare bankruptcy?
Now, how much money are you actually saving?
Have you ever had a client that looked you in the eye and said “security is really important to us” and then cheaped out when you offered them your best security package? That’s the difference between words and actions right there. Ask anybody if security is important to them and they’ll say “yes”, but talking a good game and playing one are two entirely different things. In the real world, only one of those things counts.
Here are some questions to think about when vetting potential vendors for the quality of their security.
What are their security credentials?
The gold standard is SOC 2, Type II. This signifies that the vendor has not only designed a full suite of security practices that meet a high standard, but actually implements them. SOC 2, Type II demands a substantial investment of time and expertise. Because this certification requires that an independent accreditor conduct the assessment, it also requires a financial investment that vendors with rock-bottom pricing are unlikely to be able to fund.
How many security features does their software provide?
Adequate security entails reducing your risk by implementing multiple security measures. A security-minded platform will take this to heart and provide features such as MFA, SSO, granular security permissions, and host-proof hosting for passwords.
Compromising on security is not a rational decision. It’s a gamble, and simply not worth the risk.
IT Glue is the most secure documentation solution on the market, and it’s not close. Download our Security Whitepaper to learn the nitty gritty details about how we protect your data.