We recently returned from MSPWorld Spring 2022, hosted by MSPAlliance and we’d like to share that it was stronger (in-person) together and great to reconnect with old friends and make new acquaintances. The focus of the conference was to connect MSPs with inspiring people and visionaries, powerful business resources, relevant and innovative technology, and insightful and educational resources.
And you will be able to see from the copious notes that our COO Linda Daniels took, that mission was accomplished. For those of you that attended, here are some highlights from the conference. And for those of you who couldn’t make it, we’re happy to share our takeaways.
Sponsors for this year’s event can be found on the MSPWorld website: https://www.mspworldconference.com/page/1963819/sponsors
Here is our day-by-day recap of the conference.
Day 1 – Tuesday, March 22nd
Charles Weaver – Opening Remarks Summary – 10 mins
Charles welcomed attendees and mentioned a couple items that MSP Alliance is focusing on for MSPs:
- Cyber Insurance for MSPs – working on getting reasonable insurance premiums.
- MSPAlliance – working with companies to provide input to colleges and universities creating an MSP service curriculum.
Steven Talent – Cybereason, Topic – Ransomware: The True Cost to Business
Ransomware is as big of an issue now as it has ever been.
$70M – Largest demand 2021 – Kasaya supply chain attack. Thousands of businesses impacted.
Average downtime of a ransomware attach is 16 days. 80% of businesses and individuals who paid experienced subsequent attacks, and some went out of business.
Historically businesses have not really understood security. Critical Infrastructure of the most targeted areas in order are:
- Finance
- Education
- Healthcare
80% of businesses faced ransomware attack and an attack occurs every 11 seconds.
“Bad Actors” can now launch ransomware attacks with an attacker toolkit:
- It’s extremely lucrative,
- No longer need to be programmers to get into ransomware business.
- Easy to do – don’t need much skill to get into ransomware, 60% of returns go to depositor, 40% go to ransomware software manufacturer,
- And now there is double extortion – pay to release data and pay to prevent publishing data.
$500K average ransomware attack, $146 per record, and ransomware insurance coverage is not paying ransom anymore.
In the beginning, 73% Cybercriminals successful in encrypting data and 24% stopped before the data could be encrypted.
Cybercriminal success rate decreased to 54% in 2017 and 51% in 2020 due to backups.
Risk now is even greater with employees working from home and out from the company firewall. Detection and response a more challenging thing to do. Need endpoint detection.
Common steps to prevent ransomware attack:
- Email security – 80% of attacks coming through email
- Data backup recovery
- Endpoint protection
- Security of operation.
Firewalls – getting easier to install now but what’s not getting easier is ransomware detection and response.
By 2024 – 90% of buyers looking to outsource threat detection and response.
Things to consider in defending against ransomware:
- Training – follow security hygiene best practices
- Deploy multilayer prevention – endpoints, firewall, etc. (XTR, MBR)
- Offsite backups – Ransomware now looking for backups
- Implement extended detection and response solutions across the environment for visibility to end advanced ransomware attacks.
Discussed founding of Cybereason and what they offer.
Panel Discussion– MSP Regulation: 2022 and Beyond
Moderator: Charles Weaver, CEO, MSPAlliance
Panelists: Robert Scott, Managing Partner, Scott & Scott, LLP: Ken Stringer, CTO, CMA Technology Solutions: Brent Watkins, Director of Business Development, Tego Cyber
End of 2019 – start of MSP regulation in Louisiana
Ken – read publication of Louisiana Secretary of State blasting MSPs then met with him to find out his comments were taken out of context. MSPAlliance participated in the formulating of government regulations: MSP registration, how MSPs respond to attack, very other minimal regulation. Legislation was passed and is law in Louisiana.
Rob – Registration law – Government using to help in Ransomware problem. Expects other states will follow Louisiana.
Brent – Investigated computer intrusions for 12 years starting in 1996. New bills trying to get better security. Also, don’t confuse compliance with security.
Charles – Louisiana Act 117
- MSP Registration
- Governs MSPs servicing public agencies
- Establishes ransomware disclosure obligations on client and MSP
Encourage reading it as other states are currently considering similar registration. Other states, PA, NC, NY, TX.
Rob – Regulations that impact public sector eventually leak into private sector.
Brent – When ransomware first started, government stated not to pay, then stated only if you want to, now back to not paying. Compared to possibly following HIPAA evolution.
Rob – Encourages MSPs to stay out of Ransomware situation for a client. To ensure this, Ransomware situation should be defined in MSP contract with customer.
Ken – Always advise customers not to pay ransom.
Question
What happens if customer asks if you could receive data being sent back to customer. Rob – Don’t get involved in anyway. The only opportunity to get in trouble is to get involved in anyway. Have client be recipient of data from Ransomware and you get data from customer to rebuild what needs to be rebuilt.
Charles – look at your own states laws and customers and focus sales in being familiar with laws.
Charles – What to expect next? Does this make it easier for MSPs to articulate security requirements to customers?
Rob – MSP can state government requires customer to comply in some way. Regulatory piece becomes driver for those businesses who don’t think they are high target businesses.
Managed Services are security.
Ken – Impact is we are looking deeper at software tools the customer has. MSP now needs to look at what 3rd party software customer may have for security purposes.
Rob – Thinks this will push more companies toward Managed Services because of the regulator compliance.
Rob – Certifications and background, continuing education are critical to determining a serious MSP vs. side hustle. Credentials that show this is the MSPAlliance Verification program.
Question
Would MSPs be faced with licensing like Doctors, Lawyers, professionals, etc.
Charles – Historically MSPAlliance was anti regulation. Now not anti-regulation, really anti-licensing. Does not think licensing is in the best interest of MSPs currently. Does not think it will benefit the industry. Believes there are far fewer MSPs that are qualified to do the work and licensing would restrict that even more.
Rob – credits Charles with being proactive in preventing more MSP regulations from being passed. Feels self-regulation circumvents this and Charles has done a good job in creating a verification process to prevent more regulations from being passed.
Brent – CMMC certification. If customer has a contract with DOD, does their MSP need to comply as well?
Question
Seems little is being done in pursuing attackers.
Brent – Article on how FBI helped Kasaya with their problem and they were there from the beginning.
Rob – Billions of dollars being stolen, and government can’t keep up with it. Do have to look at behavior of victim.
Rob – Referred Malcolm Gladwell book on how NYC police figured that focusing on turn stile jumpers and graffiti artists would reduce crime. We need to do something similar, like with email phishing attacks.
Day 2 – Wednesday, March 23rd
Keynote – Brian McCarson, Intel: Making Sustainability a Key Asset in your Services Portfolio
How is sustainability viewed in market?
96% IT leaders committed to sustainability and targeted IT infrastructure
Over 50% would only interact with companies committed to sustainability. Beginning to be institutionalized in finance organizations. Becoming dominate factor in buying in IT space.
Opportunities – Environmental Sustainability, Responsible Sourcing, Sustainability as Technology Buying Factor.
Software must run on hardware.
- Repair hardware
- Upgrade hardware
- New tech
Something refreshed in 2 years is less sustainable than something refreshed in 5 years.
Intel NUCs (Next Unit of Computing) – very small computing products.
Intel committed sustainability:
- 100% of products returned through the return material authorization program are reused, repaired, with recycling or reclaiming as a last resort.
- 5% of all returned material out of landfills
- 95% of packing for all NUC products are designed to be recyclable or reusable in secondary markets.
You can go to red hat or VMware to id certified NUCs and Energy star certifications.
Call to action – Consider
- Modularity
- Repair
- Sustainability implications of hardware purchases.
Intel celebrating 10-year anniversary of NUC.
Panel Discussion: Security in Managed Service: Where do we go from here?
Moderator: Charles Weaver, CEO, MSPAlliance
Panelists: Johnny Burgess, President, Mainstream Technologies, Inc.: Travis Springer, Vice President, Sagiss, LLC: Brent Watkins, Director of Business Development, Tego Cyber
Security is on the mind of almost everyone these days.
Do we have an MSP security problem?
Travis – Yes
John – Historically we have done well, but response mostly Ad Hoc, now need to be more conforming.
Brent – Had issues for a while, nothing new. In 2016 the FBI stated that a new MSP was a large target. Now have supply change, MSP and customer issue. MSPs are targeted because they are the “vault door to the bank”.
Travis – Target is RMM. Run powershell scripts, thinks users of RMM products are the ones being targeted.
John – agrees with Travis we have a tools security issue. These are legacy designs and architectures that pre-date the security issues we have now. Manufactures with licensing models are not eager to leave that model behind to address software deficiencies.
Brent – yes, they have been victims of hackers.
Travis – just because you have an RMM does not make you an MSP and does not mean you can use the tools well which makes them target.
John – “A fool with a tool is a damn fool”. Feel the main targets are the unskilled MSPs.
Charles to Ken – are bad actors aware of MSP maturity problem?
Brent – yes. Bad actors will evolve faster on tool education than novice MSPs.
Travis – need to conform to standards so new MSPs come up to speed.
John – feels new MSPs need to understand that the stakes have changed from 10 years ago. Feels new MSP landscape has changed and they need to be far more aware of industry security needs than 10 years ago.
Charles – What to about customers that are non-compliant?
Travis – MSP must decide if they are going to keep or release customer as MSP is the one with the risk.
Charles – Is there are reputational risk with non-compliant customer?
Travis – shouldn’t be but may not be unavoidable.
Brent – MSP customers may not be doing what they are being told to do about security but you as MSP can continue to educate on secure technologies.
John – Changing regulatory landscape is making things different. It is possible that in the future, there could be punitive damages MSPs could sustain for customers that are breached.
History of Managed Security:
- Goes back to mid 90s
- Security specialists have always existed in the MSP profession
- Even general practitioners have included security in their offerings
Charles – Up until 2 or 3 years ago, were MSPs not aware of security?
John – Think we were always aware but not educated as much.
Charles – Antivirus was popular in early 2000s.
Travis – Antivirus, firewall are core principles that MSPs have been handlling for years. Now EDR, XDR. Bad guys just got better.
John – 5-10 years ago contracts were geared to SLAs, now more added to it.
MSP Security vs Customer Security
- Not the same thing
- Customers often reject MSP suggestions
- MSPs have gone “beyond” the agreement, possibly creating confusion
John – MSP needs to manage risk, must be educated enough to converse with customer.
Travis – application for cyber insurance has gone up significantly. Believes some customers will change answers to get coverage.
Charles – We now use password managers, what are your assessments?
Brent – MSP sector has been trying to demonstrate to insurance companies that they have been employing security software and practices, so they get lower insurance premiums.
John – now there is a real risk with going above and beyond what the contract is between MSP and customer. Now seeing more HIPAA, PCI, now more scrutiny being applied.
Brent – Compliance is not security.
The Security Consultants
- New consultants cropping up everywhere
- Not versed on managed services
- Largely pushing CMMC
- Claim MSPs are part of the problem
Charles – new field seems to indicate MSPs are unsafe
Travis – don’t think much of them at this point.
John – some are legit, some are just trying to get a piece of the industry.
Brent – it does encourage MSPs to have someone “come look under the hood”. But need to find the expert.
Brent – CMMC is important, but government does not want to create a new list of standards. Feels CMMC is getting smart, not another checklist.
John – where in CMMC hierarchy do I fall? Is info we are getting from government going to where it needs to be?
Charles – MSP vs MSSP
What can MSPs Do Better
- Tools
- Practices
- Push back on customer demands to go easy on security
Charles – believes MSPs are getting push back from customer because they don’t have the budget for security services but want MSP to take risk.
Travis – Cannot not accept, in a sense will have to fire the customer if they do not wish to implement suggested security strategy.
Brent – everyone told you need to transfer risk.
Questions
How should MSP respond to supply chain risk?
John – what is nature of contract of risk with supplier? Need to determine how to assess risk and what to do when there is a failure.
Brent – MSP should have relationship with incidence response firm.
Day 2 Panel Discussion: MSP Valuations, M&A, and Investment Outlook Panel Session
Moderator: Charles Weaver, CEO, MSPAlliance
Panelists: Chris Caprio, CFO at Focus Technology Solutions: Karl Springer, CEO and owner of Sagiss, LLC: Kevin Cook, CEO of The Purple Guys, a Managed Services Provider
This session focused on the current state of M&A activity in the MSP industry. Here are the kep points from the panel discussion:
- Lot’s of VC/PE money on the sidelines
- Number of VC/PE firms has increased from 12,000 to 18,000 in the past decade
- Security concerns are driving up valuations for MSPs that provide security services
- Current MSP valuations are based on a multiple of EBITDA between 8X and 15X
Day 2 Break out session – How To Lower Your Legal Risks in Managed Services
Speaker: Julie Machal-Fulks, Partner, Scott & Scott, LLP
First – Know What the Risks Are
Internal Risks
- Human Resources
- Physical Security
- Training
External Risks
- Solicitation of Employees
- Threat Actors
- Liability for Errors
- Third-party Services Providers
- Software Licensing and Audits
- Privacy and Security Regulations
- Changes in Laws
- Client Refusal to Accept Recommendations
- Intellectual Properties
Internal Risks – Human Resources
- Customers taking employees, taking property:
a. Mitigate by non-compete (if can be enforceable).
b. Tell client they cannot higher employee – client has to pay damages (100% of employees yearly salary)
- Employee negligence – have insurance, general commercial liability. Think of possible employee negligence and make sure insurance can cover this. Have to know what state offers as well. If employee’s car gets stolen or has accident, would be against your policy.
Internal Risks – Physical Security – locks
20% still a problem because of physical security – Cabinet and door locks
Mitigation – locks, training, processes
Internal Risks – Training
Sales Process, Quality of Services, Security
Mitigation – Insurance coverage for employees actions, increased training, contract provisions. Need to have good training protocols for sales, quality of services and security. Employees – tell them ok if they do not know, don’t make up.
Follow up with training to make sure employees are following those procedures
External Risks – Solicitation (clients hiring your employee)
Mitigation – a no hiring provision in customer contracts, non-solicitation provision in employee agreement. Also, provision in employee agreement that employees don’t form own company and hire new person to work at client.
External Risks – Threat Actors
Huge issue right now
Business e-mail compromise
Phishing, ransomware, etc.
Mitigation –
Disclaim liability for criminal acts of third parties
Insurance
Verbal Confirmation of Electronic Payments
Actual case – Julie had client that had a threat actor that had hacked into them and communicating both ends in email for 7 months.
Multifactor authentication
Need good forensic investigatory team.
First party cyber liability insurance.
External Risks – Liability for Errors and Omissions
Failed Backups
Data Incidents
Mitigation
Errors and Omissions Insurance Coverage
Increased Training
Have customer keep own local backup and in contract state not fully responsible
Data Incident – sending confidential information to the wrong entity. Has to involve electronically stored information.
External Risks – Third-Party Service Providers
Who is liable for service failures?
Do your clients know you use third-party services?
Have your clients accepted third-party service terms?
Mitigation –
List showing all third-party service providers and their terms
Limitation of liability for third-party services
Agreements with third-party service providers accepting liability
External Risks – Software Licensing and Audits
Who is responsible for software licensing?
Need Accurate recordkeeping of resold software
Audit preparation
Mitigation
Client indemnification for damages resulting from audits
Periodic internal audit readiness assessments
External Risks – Changes to Laws
Taxes
State, Federal, and International Privacy and Security Laws
Mitigation
Regular review of data privacy and security provisions
Insurance coverage, where possible
Know if your tax authority begins to tax managed services
Must make sure in agreement with customer that if a new tax is enacted, they will have to pay it.
External Risks – Clients Refusal to Accept Recommendations
Mulit-factor authentication
Secuirty Training
Other recommended protections
Mitigation – in contract, be clear that if customer does not follow recommendation, anything that happens as a result of not following is on customer.
External Risks – Intellectual Properties
Trademarks
Copyrights
Confidential Information
Mitigation
Any licenses granted to clients expire automatically upon termination of agreement.
Register any copyrights or trademarks with the appropriate agency.
Work for higher – if hire someone to write something for you, person hiring is owner, not worker. If not work for hire, property belongs to creator
Find websites that do law tracking for you.
The MSPAlliance is the world’s largest professional association and accrediting body for the managed services industry. For more information on the MSPAlliance visit www.mspalliance.com.
BTW – If now is the time for your MSP to consider adding D3UC’s white label UCaaS solution to your portfolio of services, please reach out to contact Chuck Daniels at 973-333-3322 or chuck.daniels@d3uc.com and we will set up a demo to show you everything we have created exclusively for MSPs to help them grow their revenues and business.