James Steidl - Fotolia

MSP cybersecurity concerns may inspire break/fix nix

The heightened publicity surrounding cyberattacks targeting managed IT service providers was a central focus of the MSPAlliance's MSPWorld Conference.

LAS VEGAS -- Managed service providers face a public perception challenge amid growing publicity around the cyberattacks targeting the industry. The MSP cybersecurity issue may call for companies to accelerate their move away from the low-end, break/fix services.

Security incidents involving service providers and how to deal with the fallout were topics much on the minds of presenters at this week's MSPWorld Conference. Awareness of MSP-focused attacks has grown in recent months. A year ago, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) published an alert specifically citing MSPs. Last month's ProPublica article portraying MSPs as a target for cybercriminals brought the issue to a wider audience. And additional visibility may come from a National Institute of Standards and Technology project that aims to improve MSP cybersecurity. A public comment period is open through Nov. 8.

Charles Weaver, CEO and co-founder of MSPAlliance, which hosts the MSPWorld event, said, based on the publicity, customers are questioning MSP safety. "These are legitimate questions your customers and prospects are probably thinking in their heads, if not verbalizing to you," he said.

While MSPs should acknowledge the potential for attack -- and prepare themselves accordingly -- Weaver suggested the greater danger stems from less-mature companies that may term themselves MSPs but offer reactive break/fix services. That task for MSPs is to put some daylight between themselves and the old-school break/fix-oriented firms.

Charles Weaver

Weaver framed the undertaking as an opportunity for companies to "draw a line in the sand" and define what they are -- and what they are not.

"It's up to us to educate our clients, prospects -- the community at large," agreed Travis Springer, COO at Sagiss, an MSP in the Dallas-Fort Worth area. "What does it mean to be an MSP? What are the things that [prospects] need to be checking on and asking about?"

"As we separate ourselves from the reactionary providers, there is some market education that we have to do," added John Burgess, president of Mainstream Technologies, an MSP based in Little Rock, Ark.

Education is particular important for customers who lack the savvy to distinguish different types of MSPs.

"It's good to keep in mind that the less-mature providers are serving a market of less-mature customers, customers that have either lower awareness or lower expectations," Burgess said.

Breaking with break/fix?

A change in business approach, as well as a customer education campaign, may be in store for some MSPs.

John Burgess

Weaver challenges MSPs to ask themselves whether they should still be doing break/fix and whether that type of business still has value today. He suggested MSPs think about abandoning all of their low-end break/fix and reactive business by the end of 2020 and "be true MSPs."

He said the question for industry participants is whether they want to remain in the business model many companies have been trying to shed for a quarter century or commit to proactive managed services.

"Are we going to be that profession or are we going to be the MSP who stops the problems from happening before they happen?" Weaver asked, who noted the "long, arduous march" from older business models to managed services.

The shift may be easier said than done, as break/fix persists as a revenue contributor. SolarWinds MSP earlier this year reported that three in four MSPs continue to offer break/fix services.

Weaver, meanwhile, emphasized that his challenge to jettison break/fix business applies to low-end services as opposed to professional services, which might be billed outside of the monthly recurring revenue model.

The risk of security-lax customers

MSPs face another obstacle in the path of proactive security services: Customers who don't want to spend money on them and, as a result, put MSPs at risk.

As we separate ourselves from the reactionary providers, there is some market education that we have to do.
John BurgessPresident, Mainstream Technologies

Burgess said MSPs can try to educate such customers on the downside of successful cyberattacks. But that may not always be enough to sway a company reluctant to invest in security.

"In some cases you just have to let them go, and they will either come around for some reason or they won't," he said.

"I think you need to look at the risk to your MSP of having insecure customers," Springer said. "At a certain point, you have to part ways with them."

Telling customers you have to drop them because they don't take security seriously enough can prove an effective way to change their minds, he added.

It's a tactic that could also keep an MSP out of future headlines.

Next Steps

How channel partners navigate the security vendor landscape

Dig Deeper on MSP business strategy