Managed Service Provider Security With Richard Tubb

With hackers zeroing in on MSPs as lucrative targets, MSP-centered breaches are grabbing the headlines. Managed Service Provider security has emerged as a central business priority for MSPs and resellers worldwide. If you’re an MSP reading this, you’ve hit upon a trove of practical and actionable insights on MSP security. In this interview, I talk to Richard Tubb – MSP mentor, founder of Tubblog, and TubbTalk podcast host. In Part 1: MSP Marketing Strategy of our discussion, Richard offered some helpful pointers to improve digital engagement in the post-pandemic world, harness digital disruption, and strengthen your cloud portfolio. In Part 2, we focus on Managed Service Provider security, where Richard details best practices for MSP cybersecurity and Business Continuity and Disaster Recovery (BCDR).


Managed Service Provider Security: Best Practices

How Can MSPs Secure Themselves From Phishing, Ransomware, and Malware Attacks?

Teresa: Phishing and social engineering scams have gone up by 400% in Q4 2020. This sustained spike in malware attacks and the SolarWinds breach have made cybersecurity a key business focus for MSPs. What are some essential security best practices for Managed Service Providers that you recommend?

Richard: Yes! As we are recording this, there have been two massive breaches in the MSP industry. We’ve got SolarWinds, we’ve got Kaseya; it’s all over the news. So right now, MSPs are feeling very, very vulnerable, because cybercriminals are targeting MSPs. And they’re doing so for a reason, as MSPs are our gatekeepers. They hold the keys to the whole thing – if you can hack an MSP, you gain access to all of the clients. 

The first thing I would say to MSPs concerned about cybersecurity is to put in place the basic essential cybersecurity strategies. Make sure that your clients and your staff are using strong passwords, and that you’re using password managers, not written-down passwords. This sounds obvious, Teresa, but we know people in our industry who use really simple passwords and the same password for everything. That’s really bad security.

Another good practice is Multi-Factor Authentication (MFA). You know, if you’ve got a smartphone you can use MFA or Two Factor Authentication (2FA), as some people call it. So make sure that it is enabled both for you and for your clients. You’ve got to have a password, a strong password, and a code that’s generated together. Those are the basics. And make sure it’s not a case of “do as I say, but don’t do as I do”. As MSPs, we have got to be doing that internally. We’ve got to make sure all of our systems have strong passwords, we’re using a password manager, and enabling MFA. It’s about building security into the culture of the business; make sure you are doing it first and foremost. What we’re seeing at the moment is a lot of supply chain attacks – RMM vendors or PSA vendors – the MSP tools that we use are getting hacked into, and then cybercriminals are getting in.

As Managed Service Providers, we can do the very best due diligence. We can ask the right questions and put in place security measures, but at the end of the day, if somebody is targeting a vendor to attack, they will find a way in eventually. It’s inevitable. So what I would say here to MSPs is to start investigating cybersecurity insurance now. This is not just for you as an MSP, but for your clients too. We will do our best for our clients, but we can’t keep everybody safe. So for anybody reading this, who hasn’t got specialist cybersecurity insurance for your business (not standard public liability and business indemnity insurance), go get it. Go to a specialized local insurance broker in your geography and say, “Hey, we need to keep our business. We need to mitigate the risk through insurance. And, we’ve got a lot of clients that are going to need this insurance as well. Can you be our partner and help our clients and ourselves through this?” For MSPs watching, I don’t want you to become an insurance specialist – it opens up a whole load of liability and challenges to you. But I do want you to build a relationship with an insurance broker who knows the IT market.

With good cybersecurity practices alongside cybersecurity insurance, you can sleep easier overnight. 

Managed Service Provider Security: Business Continuity and Disaster Recovery (BCDR)

Teresa: Business Continuity and Disaster Recovery (BCDR) planning can significantly blunt the impact of a data breach by reducing downtime and getting business back on track. What aspects would be central to an effective BCDR plan tailored for a Managed Service Provider?

Richard: Yeah, great question. So traditionally, if you’d asked me that question two years ago, I would have said you can find some BCDR software or cloud hosting provider and maybe a little box that sits in the corner. You’ll back everything up every fifteen to thirty minutes, and you’ll be good to go. 

But then the COVID-19 pandemic happened. And now members of staff are dotted all over the world, in different locations. So whilst there is still a need for traditional backup and disaster recovery with most solutions now being in the cloud, I want MSPs to have a look and see if this service is available. How do we keep our clients running? Whether you use Google Workspace, Microsoft 365, or another provider as an MSP, you probably make an assumption that the provider does all the backups for you, but when’s the last time you tried to recover some data from that side? I can tell you from experience – we use Google Workspace, which is all on the cloud. But if we want to restore an email or we want to look for something specific, and you go to Google and say, “We want you to restore that email!”, they’ll say, “Sure, we will get back to you in a week”. And you have to wait for them and it’s not much fun at all.

So there’s an opportunity for MSPs. Lower your cost of support and increase your revenue. Go out to clients and talk about email archiving solutions, talk about SaaS cloud backup solutions. We use a tool internally that backs up our Google Workspace. And if we need to restore an email or a calendar or a mailbox, anything like that, we can go in and within a few clicks, the tool has pulled it all out. We don’t have to rely on Google, so it speeds up the time to recover. When it comes to disaster recovery, MSPs need to be looking at their clients’ software as a service application and saying, “If that provider lost the data, what have we done to mitigate the risk?”

Here’s another way of looking at it: if our client came to us and said, “We want to move away from this provider to that provider”, how would you help them to do the backup and restore between the two services? It’s different, but it’s still backup and disaster recovery, and a slightly different mindset that goes into it. There’s a huge amount of growth for MSPs in offering their clients software as a cloud-based service backup solution.

Taking it further, we’ve got this distributed workforce where everybody’s got their own router, maybe a network switch, firewall, all of these different things going on. There’s an opportunity for MSPs to provide their clients with an automated backup service for network equipment too. There’s a whole new set of tools out there that enable MSPs to back up configurations of network equipment, track the changes and restore. So just food for thought there, and I think that will become more important to the MSP industry.

Managed Service Provider Security: Cloud Backup for MSPs

Teresa: With the cloud backup market expected to grow to USD 4.13 billion in 2022, what suggestions would you give MSPs seeking to expand their business by tapping into this lucrative market?

Richard: Yeah. So, as we mentioned earlier, if you are selling hosted email, cloud-based email contacts, and things like that, don’t rely on the manufacturer for the vendor backup. I want you to be adding a backup service that you can either sell to your clients, or you can offer in this part of the managed service bundle. Again, you’re going to lower your cost of support. You’re going to increase your revenue. Absolutely important. Anything that you would miss if it failed, you need to be backing up.

So we’ve already talked about network configuration, email, calendar, and contacts. What about your online accounting system or the online accounting system that your clients have? Most of them have a facility to make a backup, but it’s a manual process, right? So could you be setting reminders? You could set a recurring ticket within your healthcare system to remind you to back up QuickBooks or Xero. Could you script something that goes and does those backups, or could you find a service that does it? 

And finally, I’ll throw out another big area that I see MSPs overlooking. Traditionally we’ve always backed up servers, but we don’t really bother about workstations so much. Even with cloud services, are there workstations within your client’s infrastructure that are critical to the business? For example, I know lots of engineering companies that have an old Personal Computer (PC) in the corner that runs the payroll software. If that PC dies, none of the staff get paid. That is a critical workstation. So you should be backing that up so that if the hardware fails, you can spin up a virtual machine and still keep it running. Another example would be the PCs of salespeople or C-level executives. While we encourage employees not to store files on the computer and to store them in the cloud, we all know that people do store data on CD drives and local folders. So I would encourage MSPs to have a look at critical workstations that need to be backed up as well.

Teresa: Run through the business workflows and identify all the weak spots.

Richard: Yeah, exactly. Yes. You’ve put it very concisely there. Thank you.

Metrics For MSPs

Teresa: Metrics can be a guiding light for all organizations. What are some of the key metrics that MSPs should monitor? And how can they measure some crucial, but seemingly intangible parameters like ‘customer satisfaction’?

Richard: So if we start with customer satisfaction, it is massively overlooked in the MSP industry. With customer satisfaction, there are two areas to it. 

MSPs should on an interaction-by-interaction basis ask their clients how they are faring. If you’ve got a professional services automation tool, you’ve probably got an option at the bottom of every ticket asking, “Hey, how did we do?”. However, the response rates to such questions are incredibly low.  I would encourage MSPs to see how they can make it a lot simpler for clients to give feedback. Investigate tools because a good response rate should be between 40 and 50%. If you’re thinking, “No way!”, I can tell you it’s doable; I speak to MSPs that have 40 to 50% as their response rate. What it means is that when a ticket comes back and the client says, “That’s great!”, then it’s brilliant. But if it comes back and the feedback is not so great, then you need to take manual action; jump on the phone and ask how you can fix the situation. So that’s the first thing, ongoing customer service. 

And the second one I’d throw out there is what’s called Net Promoter Score (NPS). Net Promoter Score is basically a single question that you would ask your clients, not after every ticket but every three to six months – “On a scale of one to ten, how likely are you to recommend us to someone else?” I’ve learned this the hard way from running an MSP, that if people give you a nine or a 10, you are doing a good job; but if people give you an eight or a seven, it means they are not so sure about you. If they give you below a seven, I would be picking the phone up to them and resolving their grievances. This is a great way for managed service providers to keep their finger on the pulse – on the client’s relationship. Customer satisfaction (C-SAT) and a net promoter score are two things that you can integrate that can have a huge impact.

Now in terms of Key Performance Indicators (KPIs), it can vary based on the business and age of the MSP as to which metric is important to you. But one I would say that all MSPs can keep track of is the technician to node ratio. What I mean by that is how many client endpoints is each technician looking after. So typically, research has shown me that if the figure is between 250 and 400; if you’ve got one engineer and they’re looking after 250 to 400 endpoints, it’s great. But, if they are looking after more than that, say they’re looking after 600 to 800, then you may be overworking your engineers and they may not be giving the level of service that they really should do.

You will notice that because your customer satisfaction will go down. But if you’ve got one engineer who’s looking after 150 or 200, there’s probably some room for improvement there and they could be doing more stuff. 

And the other one, people ask me quite often is how many tickets per day should my technicians be looking after? Well, if it’s a first-line help desk technician and they are looking after ten to twenty tickets per day, that’s a decent place. Of course, I know people are going to be reading this and saying, “Well, my engineers look after a hundred!”.  Great! But I’m just speaking from what I see out in the market. So there are two service desk or service delivery metrics.

The other ones I want to put out there are financial metrics. So businesses say to me, “How can I tell whether I’m doing well or not?”. Two metrics that you should look into: one is the gross margin – the revenue that you generate minus the cost of doing business. Gross margin is really important and that should be going up. But the other one, if you are a Managed Service Provider, is how much in percentage terms of your revenue is recurring revenue. Monthly recurring revenue (MRR), as we call it in the industry. My experience working with MSPs is that typically best in class is around 70%. If 70% of your revenue is recurring revenue, you’re doing a good job, I would say. And of course, that differs depending on what stage of growth you’re at, but those are the figures to aim for.

Teresa: Wow! What a goldmine of information about managed service provider security. Thank you, Richard, I’m sure all the MSPs and resellers reading this will truly benefit from these actionable insights.

Don’t miss out on Part 1 where Richard details practical pointers for fine-tuning an MSP Marketing Strategy.
