In the wake of major cyberattacks on US businesses, IT professionals across the country are rightly raising red flags and collectively asking what more they can do to secure themselves and their customers' data. On the national stage, recent ransomware and supply chain attacks have prompted executive action from President Biden and federal agencies in multiple forms, including guidance for IT professionals, specifically managed service providers (MSPs), on how best to secure their IT networks and guard against cyberattackers. These destabilizing and alarming events have renewed Washington's focus on cybersecurity, and there's reason to believe further action will force IT professionals to improve or be left behind.
Three Signs of Greater Cybersecurity Enforcement for IT
While legislative gridlock could hold up wide-reaching national cybersecurity regulations, federal and state-level actions have a greater likelihood of affecting IT professionals and MSPs in the near term. Movement across these two areas has recently increased and shows no signs of slowing down.
The Cybersecurity and Infrastructure Security Agency (CISA) recently launched a new Stop Ransomware program to share resources, knowledge, and best practices. One resource the agency shared is a free Ransomware Readiness Assessment to help organizations identify weak spots in their defenses and better adhere to federal cybersecurity standards. This ramped-up public awareness is sure to help some organizations adopt tighter security controls, but without a mandate establishing a baseline for security among businesses and IT service providers, many won't change.
The federal government is seeking to establish that baseline through new contractor requirements like those introduced by the Cybersecurity Maturity Model Certification (CMMC) for the Department of Defense (DoD). Under the CMMC, contractors and subcontractors must meet a minimum level of security compliance to win a contract. The downstream effects of securing the DoD could bring much-needed security improvements to hundreds of businesses that may be a few levels removed but are ultimately still part of the DoD supply chain. While the CMMC is still being refined, it's plausible that new or additional cybersecurity certifications will be required for contractors and subcontractors working with other federal agencies. Any MSP or IT professional working on or adjacent to local, state, or federal contracts should pay close attention to this area and work proactively to address potential cybersecurity requirements.
Legislative action at the state level is also on the table after Louisiana passed a landmark law establishing the first MSP registry in the country. After severe ransomware incidents that took down major cities, the Louisiana legislature acted to enforce oversight and improve the cybersecurity services being offered to state agencies. Following a spate of cyber incidents and ransomware attacks in other states that have disrupted public life, the chances for heightened scrutiny and oversight of the MSP industry seem likely.
How IT Pros Are Responding to These Changes
As a means of confronting a potential patchwork of legislation that makes it harder to deliver managed services, many MSPs themselves are stepping up and trying to lead conversations about the future of their industry. Karl Palachuk, a well-known figure in the MSP space that popularized the business model, recently established the National Society of IT Service Providers (ITSP) as a vehicle for advancing MSP regulations in statehouses across the US. The draft legislation developed by ITSP and Palachuk offers a straightforward path for MSP regulations and is designed to elevate and professionalize IT service providers. From establishing registries of MSPs working with state agencies to mandating the disclosure of cyberattacks, it's notable that the IT services industry is acknowledging that some level of public oversight is needed.
Rather than fight against the tide of higher security standards, MSPs and IT pros should follow the lead of organizations like ITSP and start actively taking part in their own destiny. Since recent cyberattacks involving SolarWinds and Kaseya, active review of remote monitoring and management tools and identifying sources of IT tech debt should be a top priority for MSPs and IT pros, along with proper patch management and use of automation to tackle low-hanging fruit. The next step should be implementing a cybersecurity framework, such as those offered by the National Institute of Standards and Technology (NIST). By following these frameworks, organizations can likely meet the requirements of new potential regulations that raise cybersecurity standards.
The mounting toll of ransomware has forced the Biden administration to take swift steps to secure the nation's cyber defenses. By bringing the issue front and center to the national and international stage, IT service providers and professionals should count on stricter oversight and rules. Now is the time to prioritize IT and security modernization that allows organizations to flourish.