A managed service provider’s business has turned risky as more valuable information is digitized and entities look to their IT partners for assistance in securing and locking down that data.
An additional layer of complexity comes into play when certain businesses must comply with federal rules and regulations. That's particularly true for MSPs doing business in the healthcare space.
MSPs -- including Charles Love of Big Sur Technologies, Win Pham of RapidFire Tools and Chris Johnson of Untangled Solutions -- discussed the difficulties in securing clients’ data at Continuum’s Navigate conference in September.
Johnson, of Los Angeles-based Untangled Solutions, said most people think their information is secure when it isn’t.
“I would suspect in any of the breaches everyone’s talking about (now), they thought they were doing everything they’re supposed to …,” he said. “It’s never a promise or a guarantee. It’s always a best effort. … At the end of the day, it’s really about the people.”
The panel, which convened in Boston, advised MSPs working with their clients to ensure the proper policies and procedures are in place so businesses are protected. For businesses that must comply with HIPAA, the experts recommended a HIPAA compliance officer be hired to keep the MSPs’ processes on track.
Love, of Big Sur in Tampa, Fla., said even the most basic principles should be taught over and over again by MSPs, and a back-up should be put into place for clients.
“(Tell them,) ‘Don’t send social security numbers in emails. Don’t send medical information in emails.’ People still do,” he said. “As an MSP, we’re kind of responsible for educating those customers to say, in the event you do send that kind of stuff, we’ll put a system in place to protect you. We’ll put policies in, be it third party tools or whatever, to help them fix the human element.”
Pham, of RapidFire in Atlanta, pointed out MSPs should also keep track of devices users wouldn’t think to secure, from USB drives floating around the office to even the hard drives in a digital copier. He shared an anecdote of a hospital that was oblivious to how office staff potentially compromised information with a leased copying machine.
“Every single thing that was ever copied at this hospital was on that hard drive …,” he said. “It’s not encrypted, just because it’s in your office and you don’t think about it.”
Johnson warned about other unconventional ways data can be snatched, including, for example, possibly through the open and unsecured charging stations he saw at a bank for visitors to plug in their phones.
The panel also warned about the security implications and the difficulty of controlling a BYOD, or “bring your own device,” work environment. All the panelists said they strongly advise against the use of outside devices in offices, especially considering sensitive information cannot be cleared once a person quits and takes a personal device home. Pham said there are also issues with employees using their own personal email accounts in a secure office.
“You’ve got Yahoo, Gmail, in financial industries, or a person in accounting who doesn’t realize they’re communicating financial information over the open Internet,” he said. “You benefit and strengthen by just thinking up these unusual ways that people have information sharing back and forth.”
Love said he typically advises his clients to follow HIPAA compliance standards, even if they aren’t in healthcare, to ensure everything is safe.
“HIPAA rules are a nice overview of what you’re supposed to do,” he said. “Even if (your client) has a car wash (business), they should still be adhering to the ‘Don’t have a password for more than so many months’ standard.”
Sheryl Cherico, CEO of the Atlanta-based Tier3 MD, said her business focuses solely on the health care vertical and HIPAA compliance has been a focus of her firm’s since the law’s inception. She said the matter has become of greater importance in recent years, especially since the adoption of the “HIPAA omnibus rule,” which puts more responsibility on MSPs when it comes to user compliance.
“We do HIPAA awareness training with our staff. We put a cage in our office to lock up equipment,” she noted. “We’ll go pick up a PC. We’ll lock it in the cage. We do that every day.”
She said the daunting prospect of releasing valued information is a concern, but a task she proudly takes on.
“That’s the nature of our business. It’s risky for a heart surgeon to go in and crack someone’s chest open,” she said. “You do what you can.”
John Grein, senior systems engineer with the MSP Computer Troubleshooters (CT) Boulder in Boulder, Colo., said his company is beginning to do initial work with compliance for its customers. Of about 200 clients, he said the company is starting to do assessment work to secure these businesses since times are changing and more companies are looking to be protected.
“I think we’re not seeing clients feel that pressure yet, but I think because we’re out there educating ourselves, we’re starting to see the potential problems well in advance of what might be causing our client issues,” he said. “So when we start adding up all of these possibilities for security issues, they start to make us not sleep well at night.”
Grein said the challenge is in finding the problem and fixing it for a client, while also convincing a client to let his MSP technicians come in, do a full overview of office practices and secure and advise from there.
“A lot of times, people think we just want to do this to get billable hours,” he said, “but that’s not it.”
PUBLISHED SEPT. 30, 2014