Managed IT Services: Do You Really Know What You’re Getting?

Cameron G. Shilling
Director, Litigation Department & Chair of Cybersecurity and Privacy Group
Published: New Hampshire Bar News
April 20, 2022

Republished in NH Society of CPAs’ Connection newsletter (7/15/2022)

Many businesses rely on managed services providers (MSPs). Doing so can be an effective solution to obtain technology services that businesses need but lack the personnel or budget to support internally. However, businesses all too often do not understand the scope of the services they are purchasing, resulting in gaps that lead to debilitating and costly cyber attacks and breaches. Do you really know what services you are receiving from your MSP?

Three factors are typically responsible for the disparity between the managed services businesses believe they are receiving and the services their MSPs are actually providing.

First, many business leaders are unaware that information technology (IT) and information security (IS) are different. The primary purpose of IT is to support the equipment and devices necessary to operate a system (e.g., computers, servers, routers, switches, etc.), and to ensure that the system operates as seamlessly as possible (e.g., maintaining operating systems, email, electronic records, databases, etc.). By contrast, the primary purpose of IS services is to implement safeguards to ensure that information is not lost, stolen, or otherwise used or disclosed improperly, and that the system is not prone to cyber attack.

Purchasing managed IT services does not mean that a business will also receive IS services. In addition, knowing where IT ends and IS begins can be confusing, particularly for business leaders who lack technological expertise. For example, managed IT often includes some basic security services (e.g., passwords, anti-virus/anti-malware, firewalls, patching, etc.), but those basic services are insufficient to protect a business from common cyber attacks. Additionally, some MSPs include more security services in their IT programs (e.g., encryption of devices, multi factor authentication, etc.), whereas other MSPs do not.

The solution for this first issue is easier to describe than it is to implement. It is the next factor typically responsible for this problem.

Second, to borrow a line from the movie Cool Hand Luke, “What we’ve got here is failure to communicate.” MSPs insist that they explain to their business clients that the businesses need to purchase additional services if they would like to implement IS safeguards, and that business leaders decline, typically to save costs. Businesses are equally adamant (usually after a cyber attack or breach has occurred) that their MSPs never discussed such services with them, and that the business never would have spared expense to ensure proper security.

While one or the other may or may not be correct in any particular circumstance, the likely reality is that they have failed to effectively communicate. MSPs need to explain (in language understandable to business people) the scope of the services they are actually providing, the particular services they are not providing, the value to the business of purchasing additional services, and the potential risks if the client does not do so. In turn, business leaders need to educate themselves about the types of IT and IS services appropriate for their businesses, and commit the time and energy to listen to and understand the information provided by their MSPs about the services being proposed when their MSPs do so.

Both parties can feel a bit handicapped in such discussions. For example, businesses may feel that MSPs are just trying to sell them services that they do not necessarily need, and capitalizing on their lack of technological expertise to do so. By contrast, MSPs may feel that businesses do not commit the time to truly understand IT and IS, or simply perceive their services as a cost without comparable benefits. If that occurs, both can benefit from involving an independent third party who can bridge the divide, explaining in non-technical terms the particular IT or IS services involved and the cost-benefit considerations for the business.

Third, not all MSPs are the same. For example, some MSPs really only provide IT, while others provide both IT and IS, and still others provide only IS. Similarly, some MSPs are aware of their strengths and limitations, and earnest in communicating them to clients, while others are not. Some MSPs are more suitable for mid to large businesses, while others can effectively serve small and mid-size clients. Finding the right MSP for your particular business is critical, but business leaders often feel that they lack sufficient expertise to do so. Again, assistance from an independent third party can be invaluable in that type of situation.

Managed IT and IS services are integral to business operations. MSPs need to ensure that they are properly explaining the actual scope of the services they are providing to their business clients. By the same token, businesses need to commit to listening to their MSPs and truly understanding the scope of the IT and IS services they are purchasing. Otherwise, both MSPs and businesses might be unhappily surprised with the outcome.