Cybersecurity isn’t just about firewalls and patching. It is also about education and legislation, and the two often go hand in hand. The legislative landscape keeps evolving as new rules and regulations attempt to add guardrails and protections around the increasingly massive amounts of data in the ecosystem.

Cybersecurity is no longer an amenity — it’s the law. MSPs who once serviced networks and dispensed rudimentary cybersecurity services now find themselves on the front lines, building defenses against attackers. That role requires knowledge of the law.

MSPs working with new regulations

Lawmakers increasingly look to MSPs to help implement new laws and spread the word about them. The California Consumer Privacy Act (CCPA), which went into effect this year, on January 1, 2020, is just one example of landmark legislation that MSPs are expected to know.

MSPs need to continually produce risk assessments for clients and work out which legislation applies to each of them. They must also help clients be transparent about how personal data is collected, stored, and used, as the CCPA mandates. Even if your MSP and your clients are not in California, starting to comply with its provisions now will leave you prepared when similar regulations reach your area.

In this week’s Ask An MSP Expert, we talked to Dr. Nazli Hardy of Millersville University in Pennsylvania about how to stay on top of the changing legislative landscape. Here we continue that discussion, moving beyond how to keep up with the laws to how to build a client culture that embraces the importance of these new regulations.

Smarter MSP caught up with Dr. Hardy to talk about how MSPs can adapt to the changing legal landscape. After all, if you save a client from a breach but fail to comply with the legal requirements in other areas of cybersecurity, all your good technical work is for naught.

Changing the customer’s company culture

MSPs need to know the law themselves, but they also need to make sure their clients know it, and for that to happen a shift in company culture is necessary. Here are the steps Dr. Hardy proposes to help facilitate that shift:

    1. Connect revenue and reputation with security and regulation. In other words, make sure clients and their staff understand why knowing the latest laws matters to the business.
    2. Create a culture of consumer-protectionism, similar to the EU countries, as opposed to company-protectionism. This reverses the traditional paradigm, in which companies worried about protecting their own data first. This isn’t to say your client’s own data isn’t essential (it is), but your clients must put their customers’ privacy first. If they do, customers will repay that loyalty with their own. News reports and negative headlines have made data protection a top priority for consumers, so the two need to work hand in hand. “In effect, the consumer-protectionism security will become company-protectionism because the former can ensure the latter,” details Dr. Hardy.
    3. Prioritize consistent education and support of employees by connecting their professional success and growth with security and industry regulation, as opposed to just an annual to-do list. These connections are crucial for making employees stakeholders rather than mere job-doers.
    4. Create security and regulation controls at several points in the process and at many levels of the employee hierarchy, as opposed to relying on one fall guy.
    5. Create a position at the top of the corporate hierarchy that is responsible for deploying the security and regulation culture and education. This sends a message of seriousness throughout the company.
    6. Educate employees on the occurrence, frequency, severity, and impact of past breaches, rather than covering them up to save the company’s reputation.
    7. Connect consumer trust to strict security regulations, and connect strict regulations to revenue.
    8. Disclose security breaches to consumers in a timely manner, along with the preventive measures that will be taken. Waiting months before issuing an explanatory press release weakens customer trust.
    9. Support security education at earlier stages by working with local schools and helping to educate school kids as part of the company’s community service.

Implementing these steps will make the laws seem less onerous and more woven into the fabric of the corporate culture.

MSPs should anticipate security risks by studying and keeping up with current threat trends such as ransomware. At the same time, Dr. Hardy advises that MSPs and other security professionals should not grow complacent about long-standing threats like viruses, worms, and Trojan horses.

New laws often grow out of high-profile incidents. If you continually monitor threats and trends, you won’t be caught off guard when legislation follows. If the past few years are any indication, more legislation is coming, and MSPs have to be prepared to interpret and implement it.

Photo: Worawee Meepian / Shutterstock

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
