MSPs are in a constant struggle to balance protecting client data, protecting privacy, and complying with regulations. Finding that balance is something MSPs must work out in order to remain competitive.
Customers expect the companies they do business with to protect their data from breaches. They also don’t want their data collected when it doesn’t need to be, and they don’t want it shared or sold without their knowledge or permission. Customers further expect MSPs to comply with data privacy regulations such as GDPR in Europe or HIPAA in the US, which covers health-related data.
But simply complying with regulations isn’t enough, because compliance only covers what’s on paper, not the day-to-day implementation of security policies and procedures. Compliance audits might occur once a year or once every 18 months, while new threats emerge all the time and companies need to stay ahead of the attackers. Media Sonar asked 200 security professionals how often their organization runs compliance audits. The results are shown below: more than half said their organization runs compliance audits once a year, while only 32% run them more than once per year.
How Can MSPs Increase Security Compliance?
In a recent McKinsey survey, 87% of global respondents said they would not do business with a company if they had concerns about its security practices, and 71% said they would stop doing business with a company that gave away sensitive data without permission.
According to McKinsey, “Because the stakes are so high, the way companies handle consumer data and privacy can become a point of differentiation and even a source of competitive business advantage.”
Organizations need to be constantly on the lookout for new threats: whether those threats come from external sources or from insiders, whether they are percolating on the Dark Web or on social media channels, and whether the target is sensitive data or the reputation of executives.
By using open-source intelligence (OSINT) and data from Deep and Dark Web forums, organizations can search for hacker chatter and for tools and methods being shared that could harm their clients. By using a platform that integrates multiple OSINT tools, companies can automate the investigation of incidents. OSINT toolsets also provide an audit trail that demonstrates to auditors that the organization is in compliance with regulations.
SOC2 Compliance Becomes a Pay-to-Play
One certification that is becoming the de facto global standard is SOC (System and Organization Controls), developed by the American Institute of CPAs (AICPA). The standard provides a framework that allows service organizations to select and implement control measures for protecting data.
Examples of service organizations include software-as-a-service (SaaS) vendors, credit card processing platforms, cloud computing firms, web hosting providers, data centers and colocation providers, and managed security service providers.
SOC audits can be performed by independent CPAs or accounting firms. If an organization passes the audit, it can issue a compliance report that can be made available to regulators and business partners to demonstrate how the service organization manages its data.
The SOC standard doesn’t tell organizations what tools to buy or how to run their business, but it does set out five areas in which companies need to implement controls: security, availability, confidentiality, processing integrity and privacy. These SOC2 principles can be applied to any organization that wants to secure its assets. (Media Sonar is in the process of becoming SOC2 compliant.)
Compliance vs Security
SOC2 compliance is important, but simply passing the test isn’t enough. A SOC2 report on a service organization’s internal controls is a review that takes the auditors between six months and a year to complete. Once the report is issued and the company is SOC2 certified, follow-up audits might be conducted only annually.
But security threats are constantly evolving: zero-day attacks are on the rise and adversaries are getting more sophisticated. At the same time, the organization itself is constantly changing. New applications are being launched in the cloud, employees are working from remote locations, and new partnerships or relationships with third-party vendors are being created.
In other words, companies that pass a compliance audit shouldn’t become complacent. Effective security requires consistent attention, a steady flow of web intelligence, and constant adaptation to the threat landscape.
MediaSonarVantage for MSPs
The penalties are harsh for MSPs who do not take security seriously. Expanding service offerings with platforms like Media Sonar not only enables MSPs to be more confident about their strategies and establish repeatable revenue streams; it also immediately strengthens compliance and helps validate security controls. MediaSonarVantage expands coverage of your clients’ digital attack surface, helping you protect their data, reputation and bottom line, and deliver on your promise as a trusted advisor.
Will we see you in Las Vegas at Channel Futures Conference & Expo?
Media Sonar is looking forward to attending this year’s annual Channel Partners Conference & Expo on April 11-14 in Las Vegas. The theme of this year’s event is “The best is yet to come”. This will be the 25th year of bringing channel professionals together to build relationships, showcase top solutions and stay up to date on the latest trends. If you’re attending, our Channel Program Manager Deno Kotsabas would like to speak with you about a potential partnership.
Set up your time to meet at the conference here.