As a business owner, it’s natural to worry about the accountability of your IT service provider if something goes wrong with your IT systems. After all, your IT infrastructure is crucial to the success of your business and any downtime or data loss can be catastrophic.
You probably have enough to worry about with the risks your company faces as it is; you don’t then want the added stress of thinking about the risks your managed service provider (MSP) faces. Knowing where the responsibility falls when you become a victim of a ransomware attack or other type of Cyber Security incident can be confusing.
Managed Service Providers are external entities that specialise in providing IT services and support to organisations. Their primary goal is to ensure the smooth operation and security of a company’s IT systems. MSPs work on a subscription or contract basis, offering a comprehensive suite of services tailored to meet specific business needs.
MSPs play a crucial role in enhancing an organisation’s IT capabilities. By using their expertise and resources, businesses can offload certain IT functions to MSPs, allowing them to then focus on core business objectives. MSPs provide proactive monitoring, rapid issue resolution and strategic guidance, ensuring that IT systems align with business goals.
While MSPs offer valuable services and support, it is important to recognise that despite their expertise, MSPs cannot shoulder full accountability for your IT systems.
Limitations of MSPs in Taking Full Accountability
While MSPs offer valuable services, there are inherent limitations that prevent them from assuming full accountability for your IT systems. Understanding these limitations is vital for maintaining a realistic perspective and ensuring effective collaboration. Let’s explore some of the key reasons why MSPs cannot take complete responsibility.
Shared Responsibility Model
When engaging with an MSP, it is essential to establish a shared responsibility model. This model defines the division of responsibilities between the business and the MSP. While MSPs take charge of certain aspects like infrastructure management and proactive monitoring for reliability, businesses retain ownership of critical decisions, application management and user access controls. Therefore, the accountability for configuring and maintaining specific applications or ensuring user compliance remains with the organisation.
Limited Control over Infrastructure
Although MSPs play a crucial role in managing IT infrastructure, they often operate within the confines of the systems and technologies already in place. They may have limited control over the underlying infrastructure, which can impact their ability to implement certain changes or optimisations. Critical decisions regarding hardware upgrades, network architecture or data centre infrastructure typically require coordination and approval from the organisation’s management.
MSPs have their own tech stacks and baseline software and hardware that they require their clients to adopt. This is for several reasons: the MSP is familiar with running the infrastructure and can ensure it is working as it should, and these are the best recommendations the MSP can give their clients that will actively protect them or suit their budget. For example, while Cisco is a fantastic piece of software, it is also incredibly expensive. We have found that Sophos is also incredibly effective but at a much cheaper price point, so that’s what we implement within our clients’ businesses. If you don’t want to implement these, we usually won’t take you on as a client, but some MSPs will still work with you, and if you’ve ignored their recommendations, that’s on your business.
Risk is an unavoidable factor that comes with running a business, but there are ways to mitigate these risks, which is why you work with an MSP in the first place. Another way to do this is to implement effective Cyber Security practices to protect yourself from the majority of cyberattacks. If your business refuses to implement these, the MSP will continue to pressure you to pursue these methods, which can cause tension within the relationship. Your business should be implementing the recommendations of the MSP because, if you did your research and are working with a reputable provider, they will have your best interests at heart rather than just pushing processes on you to make you spend money. Not only that, but if you don’t implement effective Cyber Security strategies, you either won’t be eligible for Cyber Insurance or your current insurer won’t pay up.
When it comes to risks, failure often leads to blame. With Cyber Security, though, the question is not if you will be hit by an attack, but when. The majority of the time, breaches occur due to human error within your business, so your business can’t then blame the MSP. Employees should be paying close attention to what is happening on their devices and following best practices. What the MSP should be doing is proactively monitoring your systems so that it can isolate a breach when it occurs and fix issues as soon as they happen. If they fail to do this, then you can hold them accountable until they fix the issue.
You should also be monitoring that your MSP is being diligent in reducing the liabilities within your business as well as their own if your business becomes exposed to an attack. MSPs should have strict internal Cyber Security policies and should demand the same from your business as a breach on your end can impact them.
MSPs cannot guarantee that nothing will go wrong with your IT systems. What an MSP does is implement mitigation measures to protect your business against the vast majority of risks out there and ensure that if something does occur, you can get operations back up and running. In that sense, there is no full accountability, other than a determination to fix issues at their root to mitigate threats in the future.
Choose a Reputable MSP
Businesses need to choose their managed service provider wisely and do some research about the provider to see if they are right for them. It’s crucial to understand your IT service provider’s track record. Check their references and read reviews online to get an idea of how they have handled issues in the past. Have they responded promptly and effectively to incidents, or have they been slow to act or unresponsive? This information can give you insight into how they will handle issues with your business’s IT infrastructure.
It is the responsibility of the MSP to use a proactive management approach when protecting your business’ systems and they must be regularly assessing their security systems as well as adding new measures to reduce both parties’ liability if an attack does occur. Cybercriminals are constantly testing new methods, so MSPs should be constantly learning and improving their defences. Make sure that your IT service provider has a clear process for reporting incidents and that they provide you with regular updates on their progress in resolving them. This communication is essential to ensure that you are fully informed of any issues and that your provider is working towards a solution.
As a business, you’re aiming to work with your MSP for as long as possible and to do that, you need to create a strategic relationship. This allows them to become invested in your business which then increases their dedication to ensuring your business is protected. The MSP should clearly be outlining their expectations of you and your expectations of them so that you both know what you are each responsible for. Doing this also allows the MSP to help plan your business’ technology and help you navigate as you grow as a business. They will take your ideas, goals and concerns as a company into consideration when they recommend software and hardware.
What Can You Do Now?
To help you understand if your MSP is doing right by your business, there are several areas you can assess them on.
- How are they taking your concerns and needs into consideration?
- How often are they meeting with your team to discuss priority items and long-term goals?
- Have you experienced any additional, hidden fees outside of the MSP’s fixed costs?
- Has the MSP been working on any projects/goals they outlined with your business?
- Is the MSP showing you the results of their plans/actions?
If you’re truly concerned about whether your MSP will look after your business, make sure you’re asking them questions when you hear of new cyberattacks happening to other businesses to see how they are protecting yours.
The managed service provider you work with is there to look after you and if you have chosen a reputable one, they will do this with your best interests in mind. Accountability for your IT systems is on you, though: if you decide not to implement any of the recommendations the MSP is providing, then they are not to blame.
While MSPs cannot assume full accountability for IT systems, their collaboration with organisations remains essential for efficient operations and robust security.