Cybersecurity consistently ranks as a top-10 priority for the C-suite. Yet companies face both a lack of in-house infosec resources and a very limited, expensive talent pool in the market. So where do SMBs and SMEs naturally look for knowledge, guidance, and talent when it comes to information security? Managed IT service providers (MSPs) and managed security service providers (MSSPs).
Cyber threats. Cybercrime. Cyber risk. Threats are increasing, regulations are growing, and the costs of managing a data breach are rising. In fact, according to the 2021 IBM-Ponemon Institute Cost of a Data Breach Report, the average global cost of a data breach has reached over $4 million.
Running a mature, effective, demonstrable information security program is no longer a luxury for small businesses and mid-sized enterprises. Their clients and prospects, partners, vendors, and insurance carriers now expect them to prove their ability to protect the information they create, store, and manage.
Beyond the obvious opportunity to generate additional recurring revenue, there are many compelling reasons MSPs and MSSPs are exploring information security compliance as a service line and growth opportunity.
1. Increasing Business Focus on Compliance to Combat Cybercrime
Cybercrime encompasses a wide range of criminal activity, from data theft and destruction to fraud and embezzlement. According to a recent article by Embroker, overall cybercrime increased 600% as a result of the COVID-19 pandemic. Moreover, businesses suffered 50% more cyberattack attempts per week in 2021 than in 2020.
Companies face two compelling reasons for significantly enhancing their security posture. First, they want to reduce the risk and consequences of confidential data falling into the hands of criminals. Second, they want to avoid the cost of managing data breaches, which added up to more than $6.9 billion for U.S. businesses in 2021.
In conjunction with the configuration, assessment, and monitoring tools that an MSP/MSSP may use when managing a client's IT environment, information security frameworks such as the NIST CSF and ISO 27001, and attestation standards such as SOC 2, provide guidance for following internationally recognized best practices for securing information. (SOC 2 is an AICPA attestation in which an independent auditor reports on the controls an organization has chosen; the NIST CSF and ISO 27001 define the control sets themselves.)
Complying with a recognized framework benefits an organization in three important ways. It allows them to:
- Demonstrate the quality and maturity of their controls, policies, and training to prospects, vendors, and partners,
- Create layers of data security, helping organizations avoid cyber-attacks or identify them before they become breaches that disrupt daily operations and service delivery, and
- Avoid long tail breach issues such as revenue loss, reputational damage, data forensic and restoration costs, legal fees, compensation, and other consequences.
Only 43% of businesses feel financially prepared to face a cyber-attack in 2022. There is a strong market for information security compliance services.
2. Stronger Information Security Requirements Drive Greater Demand for Services
As threats increase, legislation aimed at protecting data and information has evolved. In 2021, 36 states in the U.S. enacted new cybersecurity legislation. At the federal level, agencies such as the FTC, FDA, DOT, DOE, and the Cybersecurity and Infrastructure Security Agency (CISA) are developing an extensive array of new rules and regulations.
For example, the Cybersecurity Maturity Model Certification (CMMC) is the latest cybersecurity standard for the U.S. defense industrial base. It builds on the NIST SP 800-171 requirements that DoD contractors already had to meet, and it is expected to affect more than 300,000 public and private companies that serve as contractors and subcontractors to the U.S. Department of Defense (DoD).
The Strengthening American Cybersecurity Act aims to boost cybersecurity for critical infrastructure and across the federal government by requiring, among other things, faster and more detailed incident reporting. Its incident-reporting provisions, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), were signed into law in March 2022 as part of an omnibus appropriations bill. Once CISA's implementing rule is final, covered critical infrastructure entities must report substantial cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
Today, companies must prepare for stronger enforcement of information security requirements. That includes reviewing policies and procedures to ensure they meet new requirements, updating ransomware policies and testing disaster recovery processes, and training their teams to identify and report information security risks.
With more mandates and greater enforcement at the state and federal levels, companies of all sizes can no longer ignore cyber risks or postpone security compliance to the next budget cycle.
3. New Compliance Requirements for Cyber and Professional Insurance
Advanced attacker tradecraft, mounting geopolitical issues, and the prevalence of ransomware attacks drove cyber insurance premiums up by almost 12% through Q1 2022. The trend of rising coverage costs began with increased demand in 2019 and escalated throughout the pandemic.
Throughout that period, the insurance industry began experiencing unprecedented increases in cyber coverage claims related to ransomware attacks. Carriers gradually became more knowledgeable about the realities of cybercrime, the cost of navigating a cyber-attack, and ways organizations can protect themselves.
As a result, carriers have updated how they underwrite cyber risk. Insurance companies have adopted new minimum information security standards with which a company must comply in order to obtain coverage; underwriting questionnaires now commonly ask for multi-factor authentication on remote access, email, and privileged accounts, endpoint detection and response on all workstations and servers, tested offline or immutable backups, and a defined patching cadence. More and more often, professional liability policies include similar cybersecurity requirements.
Implementing an effective information security program does more than just enable companies to access insurance coverage. It can lead to lower insurance premiums. In a recent report from Gallagher, the median rate increase for cyber coverage was 37% in Q1 2022, while the 25% of companies hit hardest saw an 83.3% increase. That spread is where a demonstrable program matters: underwriters price on the controls they can verify, so a company that can evidence its controls is far more likely to land at the low end of the range.
With rising labor costs, materials costs, and budgets needed to comply with regulatory and business requirements, organizations are looking for ways to decrease their spend. A demonstrable program designed to improve cybersecurity is one way to do that.
Cyber insurance is an extension of a company’s IT security measures, not an alternative. By providing compliance services, MSPs and MSSPs can become a valuable resource to help clients meet insurance industry demands.
4. Assessing Vendor Information Security Risk: A Trending Opportunity
Today, organizations face a new demand from customers, prospects, vendors, and partners: Frequent assessment of their information security practices.
Vendor risk management is a hot topic in the IT marketplace. No one in the C-suite wants to partner with a company that brings rampant data breach risk to their organization. To gauge an organization's information security maturity, businesses use lengthy questionnaires (standardized forms such as the Shared Assessments SIG or the Cloud Security Alliance CAIQ, or their own custom surveys) to assess whether an organization can and will protect the information shared with it.
When the answers to survey questions fall short of best practices, and the company cannot demonstrate its security program, the target organization is at risk of losing business deals, customers, prospective partnerships, and long-standing vendor relationships. Those losses add up in terms of lost revenue and missed growth opportunities, and they come on top of the direct risks associated with a data breach.
Vendor risk assessments create an opportunity for MSPs and MSSPs, which often receive requests to help their clients answer survey questions. As service providers, they often have unparalleled visibility into the potential security gaps and risks within that organization's ecosystem. They are in a perfect position to educate clients about strategies and methods that can be implemented to boost security maturity.
Performing and evaluating information security assessments is a value-added service clients and prospects may not get from other vendors. Compliance services are a way to set your MSP or MSSP apart from the rest.
5. Remaining Competitive in a Dynamic MSP/MSSP Market Requires Innovative Solutions
In a market that’s ripe for consolidation and the creation of large players through acquisition, MSPs and MSSPs must position themselves for growth. These outsourced service providers can fill a critical service gap by offering infosec compliance services that enable clients to achieve their security goals, meet regulations, and reduce risk.
Because information security compliance work isn't glamorous, it is often one of the last areas companies want to tackle on their own. The good news? MSPs and MSSPs don't have to do it alone. They can partner with companies that focus specifically on compliance management to develop programs and handle the day-to-day work, either on a reseller or referral basis. The MSP maintains ownership of the client relationship and all the IT services it has always performed.
There are benefits to MSPs and MSSPs, too. By including compliance in a services portfolio, providers can reduce potential client attrition to larger providers that already offer compliance services. If a client can't get the compliance services it needs from its MSP, it will be forced to work with a different company and may take its IT work with it. In addition, offering holistic compliance services can differentiate an organization in the marketplace for prospects, helping MSPs and MSSPs grow their client base and increase their recurring revenue.
Adding infosec compliance to a services portfolio helps MSPs support existing clients’ needs, meet the changing demands of prospects and the market, accelerate sales, and evolve their services lineup to stay relevant.
6. As Trusted Advisors with Unique Visibility into Gaps and Risks, MSPs Can Offer Long-Term Value
MSPs are very familiar with their client organizations' technical inner workings, from their IT environment and tech stack to their leadership and IT staff. They know how well (or not) their cloud is protected against threats, how well Microsoft 365 is configured for data security, what applications are most critical to the organization, and where security gaps may exist.
Businesses that outsource IT needs to an MSP, or their security monitoring and operations center to an MSSP, often look to those same companies as a resource for information security compliance. Why? When possible, most clients prefer a single relationship – one partner – who can either do it all or can guide them to a trusted, proven resource.
As a result, they expect MSPs to guide them on compliance requirements and infosec strategies while also providing the resources they need. If you aren't offering that help today, you're losing an opportunity to serve them and grow your business.
Clients look to their MSP or MSSP as a trusted advisor. Leverage that status to become the infosec compliance resource clients and prospects need today and will need for decades to come.
EXTEND Resources partners with MSPs to provide industry-leading information security compliance services to clients of all sizes. EXTEND Resources enables its MSP partners to fill gaps in their service portfolio, extend their talent resources, and improve their own security posture.
Benefits to service providers include access to in-demand talent, increased recurring revenue, solidified client relationships, appeal to a new/broader audience, enhanced market position, and security compliance as a competitive differentiator.
Contact us to learn more.