Security Best Practices for MSPs


While security has always been a key offering for MSPs, it’s more important now than ever. In the last year alone, phishing and social engineering scams have gone up by an astounding 400%. What’s more, two recent massive breaches—SolarWinds and Kaseya—show that MSPs are at an elevated risk.

As IT business growth expert Richard Tubb explained to CloudAlly, cybercriminals are targeting MSPs because they hold the keys to the whole kingdom. “If you can hack an MSP,” he says, “you can gain access to all their clients.” We talked to him about best practices MSPs can adopt to prioritize security and keep their clients safe in a security landscape that’s getting more complicated by the day.

Table stakes security

According to Tubb, every MSP should be taking two essential actions to strengthen their own security measures:

1) Prioritize basic, essential cyber security

Too often, says Tubb, MSPs will recommend extensive security measures for their clients, only to fall short of taking their own advice. Strong passwords, password managers, and multi-factor authentication are basic measures, but they’re also absolutely essential, and too often overlooked.

2) Investigate cybersecurity insurance

Unfortunately, we live in an age where supply chain attacks are becoming increasingly common. Tubb recommends that every MSP investigate cybersecurity insurance. “We can’t keep everyone safe,” he says. “We can do our best, but attackers will find their way in.”

Accepting this as an inevitability is the first step, and the second is to seek out specialized insurance for this type of attack. “Go to a specialized, local insurance broker and say ‘We need to mitigate our risk through insurance, and we need this insurance for our clients as well,’” says Tubb. There are many brokers who know the IT market well, and building a relationship with them now will help you out down the line.

Rethink recovery

The COVID-19 pandemic changed business continuity and disaster recovery (BCDR) plans as more of the workforce was forced to work remotely. There’s still a need for traditional backup and disaster recovery, but with workers distributed across the world, most solutions are in the cloud. This brings a whole other disaster and recovery problem to the fore.

Some MSPs may assume they’re off the hook for backing up their clients’ cloud-based email, calendar, and business intelligence software—that the vendor will take care of it. However, most major cloud service providers (such as Microsoft and Google) actually recommend a third-party backup as part of their service terms. Anyone who’s ever tried to recover or restore third-party, cloud-based data knows that this can take a long time, and the time spent waiting can cause major disruptions to operations.

Tubb argues that MSPs should be asking themselves what they’ve done to mitigate the risk in the event that the cloud-based provider loses the client’s data. Another way to think of this is: if a client wanted to move from one provider to another, how would you help them do the backup and restore to allow them to make that move?

The bottom line is, if your MSP is selling hosted, cloud-based software, you can’t rely on the vendor for backup. You should be offering a backup service as part of your bundled product offering, which will ultimately lower your cost of support and increase your revenue.

MSPs by the numbers: What to track

As Tubb tells it, there are a number of metrics and KPIs MSPs can use to get a read on how well their security measures are serving their clients. These fall into a few small categories.

Customer satisfaction

According to Tubb, customer satisfaction metrics are massively overlooked in the MSP industry, even though they are a great tool for direct customer feedback on what you’re doing well and what you could improve. There are two ways to gauge customer satisfaction overall.

The first opportunity is to directly solicit feedback on an interaction-by-interaction basis. As Tubb says, “You should have an option to send a request for feedback automatically with every ticket you close.” While the response rate for this kind of request is historically very low—about 1%—there are tools that make it easier for clients to give feedback that yield a response rate between 40 and 50%. This is a great way to collect feedback, because it gives you the opportunity to jump on a phone call with the client directly if you receive a bad score and see if there’s anything you can do better.

The second opportunity for client feedback is broader, but no less important: net promoter score, or NPS. This metric measures the overall loyalty that your customers feel toward your company, and it’s calculated by asking each customer, at regular intervals, “On a scale of 1-10, how likely are you to recommend us to someone else?” As Tubb explains, on an individual basis, anything less than a 9 should make you nervous, and anything below a 7 puts that client in “detractor” territory. NPS is important to track because it allows you to follow up with clients who give you bad scores to see how you could improve their experience, but it also allows you more generally to keep your finger on the pulse of how loyal your clients feel overall.

Keeping track of KPIs

Which KPIs an MSP should be tracking varies from business to business. Tubb recommends building a set of KPIs by asking yourself what’s important to your business.

For example, some MSPs might want to know their technician-to-node ratio (that is, how many clients a technician is looking after, where 250-400 is usually a healthy number). Others still might want to keep track of their ticket volume per day, per technician (here, 10-20 tickets per day is considered manageable).

Of course, there are financial KPIs you can track as well that will measure the health of your business. Gross margin will tell you how much revenue your MSP is generating after the cost of doing business, and calculating your percentage of recurring revenue will tell you how much of your revenue is reliably being repeated each month (typically, best in class for this metric is about 70%).

The security world is changing all the time, but introducing consistency around your MSP’s own security, recovery efforts, and KPI tracking can go a long way in ensuring continued success and continuing to serve your clients well.