It turns out that the rise in the volume and complexity of compliance requirements is opening up a huge opportunity for today’s managed service providers (MSPs).
Looking to take advantage of this area of security services and boost your MSP business?
You’ll need to research your customer segment’s compliance needs, and then make sure you have the technology toolkit to fill those gaps.
If your customers are financial organizations, regulations are an essential part of doing business. According to the LexisNexis True Cost of Financial Crime Compliance Study, it’s becoming increasingly hard for financial institutions to meet their regulatory obligations. Financial companies such as banks and insurance providers have an obligation to block and report financial crimes, and many of them are leaning on third-party managed services to take the heat off. To fill this gap, the regulations you’ll need to be on top of include:
GDPR: The General Data Protection Regulation protects sensitive EU customer data, even for non-EU companies that work with EU residents. This isn’t finance-specific, but as finance companies work with some of the most sensitive data, it’s an essential one to have on the radar. US-specific equivalents are springing up all the time, such as CCPA in California. You’ll want to create tight, secure practices for defining, collecting, and storing customer data.
PCI-DSS: This is the Payment Card Industry Data Security Standard, and it will be relevant for any company that takes payments online, including retail and eCommerce. For processing, transmitting, and storing cardholder data, an audit would look at your firewall, your credential management, and your security tools such as antivirus and anti-ransomware. You’ll also want to ensure you can run routine testing and scanning on customer environments, as you can with Atera’s Network Discovery.
SOX: The Sarbanes-Oxley Act is a US-specific law that is intended to reduce corporate fraud in the financial industry. To support customers with their compliance responsibilities here, you’ll need to provide a thorough disaster recovery plan, including great backups. (Psst — Atera integrates with a number of smart backup choices, including Axcient!) You’ll also want to document all access controls to sensitive information. It’s also worth thinking about GLBA, the Gramm-Leach-Bliley Act, which governs how customers need to be informed about how their data is used.
In healthcare, the stakes are high when it comes to regulatory compliance. You’re not only dealing with data, you’re dealing with human life. A cyberattack could have a measurable impact on health and safety. According to the 12th Annual Healthcare Compliance Benchmark Survey, the top priorities for healthcare organizations are evidencing the effectiveness of their compliance programs, improving ongoing monitoring, and increasing leadership support. To be a part of the solution, MSPs need to consider:
HIPAA: The Health Insurance Portability and Accountability Act is arguably the best-known compliance regulation in the healthcare industry, and if you work with customers in healthcare provision, you need to be compliant too. As part of HIPAA compliance, an MSP should create a technology and operational business plan that ensures the confidentiality and integrity of all PHI, ensures that it’s available to healthcare professionals and patients, and protects against all disclosures and threats that could be reasonably anticipated.
HITECH: The Health Information Technology for Economic and Clinical Health (HITECH) Act is actually an expansion of HIPAA, and is specifically meant to govern the use of EHRs, Electronic Health Records. HITECH also adds the need for compliance audits for all healthcare organizations, so documenting everything is essential.
In critical services like water, gas, electric, and other utilities, there are specific compliance requirements that vary from one region to another. What brings them all together is data security, as the information that utilities manage could have a measurable impact on essential public services.
NIS: These are the Network and Information Systems regulations, which were put into place in the UK back in 2018. Operators of essential services (also called OES) in energy, transport, water, healthcare, and digital infrastructure need to be compliant, as do their digital service providers. The guidelines are fairly broad but involve showing that you are taking both technical measures and organizational steps to limit the risk of a data breach, and also that you’re protecting against loss of business continuity. Backups are essential here, as are other incident response measures.
NERC CIP: For North American companies, a similar compliance statute is in place: the North American Electric Reliability Corporation’s Critical Infrastructure Protection standards. You need to have powerful logging and monitoring capabilities to show how data is produced, processed, stored, transmitted, and disposed of. In addition, a risk assessment will be an important part of remaining compliant, along with controls such as credential management and access policies to ensure data is viewed and managed only by those who need to access it. The guidelines recommend you segment data into Public, Company, and Restricted categories.
Make compliance your MSP value-add
As Harvard Business Review comments, “given all the complex regulations governing business today, it’s no wonder that companies struggle to understand and meet their legal and ethical obligations. It would be convenient if there were a one-size-fits-all yardstick that could show if a compliance program is on track or not. But simple univariate metrics will not adequately capture a program’s effectiveness. Successful compliance engineering requires some creativity, some testing, and careful model design to appropriately measure outcomes.”
Who is better placed to test, iterate, and support compliance for customers than their managed service provider? With great partnerships for the specific tools you need to ensure the environments you manage reach and retain compliance, you can use compliance goals to become an even more trusted advisor in supporting customers with their goals.
The Atera integrations make it easy to offer a wide range of solutions for compliance goals. Check them out here!