State of the MSP: Cybersecurity

proudly sponsored by
NinjaOne
Alcatel Lucent Enterprise
Hewlett Packard Enterprise / Ingram Micro

Essential Eight leads cybersecurity conversation for Aussie MSPs

Customers switch on to spooks’ warnings but mind your insurer, MSP warns

When cybercriminals took down David Norris’ managed service provider business with a supply chain attack over a long weekend in July 2021, he thought his insurer would have his back.

But Norris found himself on his own and out in the cold in a drawn-out fight just to get coverage he was owed.

“The insurance company came up to me and said, ‘We're not going to cover you’,” recalled Norris, founder and managing director of Nortec IT. Based on the insurer’s flawed understanding of Nortec’s operations, it cited a “breach of application”.

“I remember going home that Friday, totally devastated, saying to my wife: ‘We could lose everything’.”

It was a potentially extinction-level event for the plucky Castle Hill, NSW, reseller and CRN Fast50 alum that lost all its ASX-listed customers in the aftermath.

“We probably lost 25 percent of the business. That was a significant hit and we haven't fully recovered it yet.”

Norris spent over $250,000 recovering from the attack that encrypted up to 300 endpoints.

When his insurer subsequently ghosted him, Norris engaged the Insurance Ombudsman to haul them back to the table. After weeks of back-and-forth between the three parties, Norris’ insurer partially covered his losses but left him on the hook for the cyber part of his claim. The insurer then refused to reinsure him (Nortec has since found a new insurer).

“I honestly thought we would go bankrupt,” he said.

Compliance services emerge as critical (and lucrative) stream for MSPs

Norris’ lived experience had a silver lining: he and members of his staff are now Essential Eight assessors, and Nortec has built new services around that capability.

“The way we sell a security package is – ‘Your insurance company is going to ask you, are you doing all these things? So, you're going to need it.’

“And then, if the people don't take it up immediately, when they next get their insurance renewal, they send it to us and say, ‘Which of these things are we doing?’

“We say, ‘None of them. But if you take up our package, you're doing all of them.’”

Fuse Technology is another MSP deploying compliance as a service. It built a managed-services product with Level Two security compliance-as-a-service backed by service-level agreements, said Chuong Mai-Viet, managing director of the Microsoft-awarded MSP.

“If you get hacked on our watch, we will do service rebates and remediate for free. That's how much we back our ability to keep you safe and secure,” Mai-Viet said.

Such confidence arose from a shared commitment to security and compliance, including security-awareness training and visibility of where users are logging in from, to protect against foreign bad actors.

“When we get that login from Alaska, we're not [asking], ‘Why is Bob in Alaska?’”

By bundling compliance services into its managed offerings, Fuse cut out complexity. It handles everything from technology deployment and management to documentation for audits and assessments.

“What we say to the customers is, ‘We will give you an outcome; not per user per month. We’ll let you sleep nights’,” Mai-Viet said.

And while he baulked at identifying as a managed security provider (“anyone that needs a laptop to do a job is our ideal client”), Mai-Viet said “security needs to be baked in” to meet taxing compliance standards.

“For SMB clients, this provides assurance their security is as safe and secure as an enterprise environment,” Mai-Viet said.

What Nortec’s David Norris now knows that he wishes he knew before he took out cyber insurance

David Norris’ insurer nearly sent his MSP business to the wall over a miscommunication. Among the valuable lessons that Norris learned from his lived experience with his insurer were:

Communicate clearly & consciously — A breakdown in communication between Nortec’s insurance broker and the insurer was potentially devastating.

Don’t trust your insurer — Don’t hesitate to involve the Insurance Ombudsman if your insurer ghosts you or gives you the run around.

Be wary of remote monitoring agents — Only use agents on clients that are backed up, and don’t put agents on back-up devices (if the back-ups are compromised, everything is at risk).

Assemble your support & recovery team in advance — Engage and scope partners well before you need them.

Be empathetic to the human elements in your recovery plan — Employees — and MSP business owners — have varying levels of tolerance to stress.

Back up. Back up. Back up — Proper backups are critical to recovery success, speed and completeness (Nortec now reviews its back-up policy quarterly).

Packages a cost-effective option for cash-conscious SMBs

Over on the west coast in Perth, James Sutton was also successfully packaging up security for Office Solutions IT’s customers.

Packages ranged from ‘Managed Security Basics’ (multifactor authentication (MFA) for Office 365, antivirus/spam/phishing protection, full-disk encryption, and user training) to higher-end packages that encompassed 24/7 monitoring (including Dark Web monitoring), password auditing, mobile device management, breach detection, and a raft of other services including Essential Eight.

Ultimately, it was the customer’s decision as to what they chose: “If a client wants A, B and C, they get A, B and C without having to buy D and E,” Sutton said.

Office Solutions IT provided customers with a cybersecurity ‘health check’ that set out issues and risks along with options and pricing. Some clients baulked at the cost, or at the changes required to their business.

“Not everyone can spend $300 a user [on cybersecurity]. I wouldn't take that on as a 20-person business; I would live with a bit more risk because I wouldn't have the money.”

Where are the compelling cybersecurity compliance opportunities for MSPs in 2024?

PCI compliance – Financial institutions are increasingly requiring merchants to be PCI compliant, providing an opportunity for MSPs to offer assessments, audits, and tools to help clients meet these requirements.

Essential Eight – Adherence to the Australian Signals Directorate's Essential Eight mitigation strategies is becoming a requirement for cyber insurance policies, allowing MSPs to conduct assessments and offer bundled security services.

Industry compliance frameworks – MSPs can provide guidance and services to help clients in regulated industries (e.g. healthcare, finance) comply with industry-specific regulations and requirements.

Managed security services – Offering services like managed SIEM, vulnerability assessments, penetration testing and security monitoring allows MSPs to ensure clients are continually compliant.

Compliance as a service – Bundling compliance into core offerings, conducting assessments, and providing templates and guidance to meet compliance requirements allows MSPs to profit from necessary compliance services.

Essential Eight gains prominence but people still a top priority

Many organisations now view the Australian Signals Directorate’s (ASD) Essential Eight as foundational. For Extel Technologies managing director Bruce Fitzgerald, it also contributed to his decision, as a customer, to switch MSPs.

Extel's new MSP “took us through the Essential Eight and then the multiple levels within each of those eight elements,” Fitzgerald said.

“And there's no doubt that they've identified clear gaps or areas for improvement, to help elevate us and make us stronger in each of those key elements.”

Although “putting in the relevant software that manages and protects us” was critical to Extel’s security posture, “training and education of staff right throughout” the organisation was equally important, he said.

Through a layered approach addressing people, processes and technology, Extel gained the sophisticated cyber defences demanded by its industry. And Fitzgerald valued the multifaceted security support delivered by his new MSP.

Wisdom of the crowd: What CRN State of the MSP experts believe are top security priorities for MSPs in 2024

Increasing complexity of the threat landscape — The growing sophistication of cyber threats, including nation-state actors, and the need for heightened vigilance.

Supply chain risks — Risks associated with third-party vendors and service providers, and the need to ensure robust security across the supply chain.

Security awareness training — Importance of comprehensive security training and testing for employees to reduce the risk of phishing and social engineering attacks.

Multi-factor authentication (MFA) — Adoption of MFA as a key safeguard against account compromise and unauthorised access.

Email security — Concerns around business email compromise (BEC) raised the need for advanced email security solutions.

Cloud security — Migrating services to the cloud introduced new security considerations that MSPs must address.

Incident response planning — Having an effective plan to detect, contain, and recover from security incidents was a critical capability.

Compliance mandates — Keeping pace with evolving compliance requirements such as PCI-DSS, HIPAA, etc.

Security technologies — Next-gen security technologies such as XDR, SIEM, and SOAR were important tools in the MSSP’s kitbag.

Managed security services — Outsourcing security operations to an MSSP will be the norm for most small to mid-sized businesses, and even for many enterprises and public sector agencies unable or unwilling to source scarce and expensive talent.

Confessions from a reformed MSP: How to lead the security conversation with your customer

As a former MSP himself, Don Ribar led cybersecurity conversations with his SMB customers for years. Now, as an analyst with Gartner in the US, he counsels MSPs on how to engage their customers in similar talks.

An effective conversation-starter is to ask customers what threats they see in their own day-to-day as part of a fact-finding mission, Ribar said.

“There's got to be an educational component to what they [MSPs] put in their [cybersecurity] marketing and how they talk with their clients,” he said.

“Having those [trusted] relationships is so important because it's a lot easier to say, ‘There's this new thing that we're seeing some clients have, and I don't want you to have this problem, either’ so it doesn't come across as, ‘Oh, here's the next security thing to sell’.”

MSPs that cut through to customers tended to be those that “curate … transformational security technologies,” he said.

“So, you [the customer] don't have to worry about all these different tools; we're vetting them so, as the business owner, you focus on what you're good at.”

Perhaps the biggest barrier was overcoming an SMB owner’s innate reluctance to see themselves as a target.

“You're not too small to be a target; you're too small to make the news,” said Ribar.

MSP Champions

CRN State of MSP Champions — NinjaOne, HPE and Ingram Micro — work with MSPs to ensure IT buyers receive the most appropriate solutions and the highest service levels.
