MSPs need to raise their cybersecurity game – but where to start?

The opportunities are huge but setting up a security practice is a high-stakes game for MSPs.

And if you think I’m being over-dramatic here, look no further than Joe Panettieri’s recent article for ChannelE2E – MSP Judgment Day: Ransomware Attacks Threaten Industry Credibility, Reputation. Written in the wake of the latest spate of cyberattacks on MSPs, Joe warns MSPs to raise their cybersecurity game – or face a credibility crisis.

The problem for many MSPs is knowing where to start.

There is no shortage of information available as to what MSPs should be doing to secure their own and their customers’ infrastructures. There are standards, controls, checklists and certifications; a bewildering array of security tools and devices; international and local compliance regimes and regulatory mandates.

But as the Center for Internet Security (CIS) rightly points out, ‘all of this technology, information, and oversight has become a veritable Fog of More – competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action’. This concern drove the CIS to develop a set of 20 CIS Controls™ designed to cut through the ‘Fog of More’ by focusing on the most critical security areas and providing a prioritized roadmap of fundamentals that MSPs and businesses can use to get their security on track.

Developed by a community of IT experts drawn from all sectors, the 20 CIS Controls prioritize the actions that should be taken according to the value they deliver – value here meaning ‘the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today.’

I can hear alarm bells ringing: are the CIS Controls not simply adding to the ‘Fog of More’?

Absolutely not – and here’s why:

  • Recognise the real world

    Acknowledging that many organizations are strapped for resources and have to prioritize what they can do, the CIS effectively does this prioritization on their behalf. The Controls are grouped into three categories – basic, foundational and organizational – and V7.1 introduced three Implementation Groups (IGs), each of which is a subset of the sub-controls considered ‘reasonable to implement’ for organizations sharing a similar risk profile and similar resources.

  • A practical approach

    This is not theoretical advice; the CIS Controls deliver concrete, actionable recommendations.

  • Ability to start small

    A comparatively small number of ordered, well-vetted activities can serve as the starting point for assessing and then improving the existing security state.

  • A holistic view

    The CIS Controls are not restricted to data, software and hardware, but encompass people and processes too. Don’t forget that an often-cited estimate attributes some 90% of data breaches to human error.

  • Compatible with other standards

    The Controls also map to other compliance and security standards, such as NIST SP 800-53, PCI DSS, FISMA and HIPAA, so work done against the CIS Controls carries over to those regimes.

The overriding reason for using CIS Controls, however, is that they have been demonstrated to work!

Just consider the evidence below:

If all 20 CIS Controls were implemented properly, up to 94% of recent breaches in large US and Australian companies could have been avoided. CIS itself has long cited the estimate that implementing just the six ‘Basic’ CIS Controls would have mitigated around 85% of the most common cyberattacks.

And by design, the most important elements of these six Basic Controls (CSC 1 through 6) are addressed by inSOC.

The benefits are so evident that MSPs should be stampeding to implement.

But many are not familiar with CIS – this was borne out by the conversations I had with MSPs at the recent DattoCon19 in San Diego.

To find out more about the six Basic CIS Controls that could have mitigated around 85% of the most common cyberattacks, our Vulnerability Management partner, Rapid7, has produced a helpful series of blogs. Alternatively, you can download the latest version of the CIS Controls, V7.1.

Or, contact inSOC to find out why our ONE STOP SOC offering is based on the CIS Controls – and how we can help you to raise your cybersecurity game.