For many MSPs, compliance has become a full-time job with high client expectations. Few businesses understand the IT requirements that come with industry mandates and federal, state, and local laws, especially where email is concerned.
Most SMBs simply assume their IT providers have them covered, though the growing number of regulatory changes and the related notifications hitting their inboxes are surely raising concern. Email is one area garnering a lot of that attention. With the rise in phishing and ransomware, and concerns about how messages are stored, MSPs with experience in retention, archiving, and encryption solutions are in high demand.
Between the dizzying number of management processes and all the data being sent and received, most business owners don't know where to start. That is an area where MSPs can differentiate their services and boost their bottom-line revenue. Email security and encryption expertise will set your IT business apart from competitors who "plug in" common commercial applications without implementing additional protection layers.
Pay Attention to the Shifting Regulatory Landscape
With email security and management playing such a crucial role in compliance, MSPs must work harder to keep up with all the changes. Between new regulations and industry standards, and amendments to existing rules, that is no easy task.
The good news for MSPs is that the IT security requirements typically share common components and processes, especially around email security and retention: retain messages for a defined period, keep them retrievable and tamper-evident, restrict who can read them, and encrypt them in transit and at rest. Expect upcoming rules and regulations to keep building on those same controls.
Most SMB owners still struggle to understand the complexities involved in compliance, including the tools and processes, but with NIST guidance forming the core of many cybersecurity standards, MSPs should be comfortable with most current requirements. That commonality lowers the learning curve for providers.
Of course, each industry puts its own spin on cybersecurity standards to address the unique concerns of its members, such as PCI DSS's protection of consumers' cardholder data or HIPAA's patient privacy measures. MSPs should always treat compliance rules as a baseline, not a ceiling. Mandates are conversation starters that let you uncover information you can use to tailor your security solutions to that client's specific business and compliance needs.
Email is the perfect starting point for those discussions. Five regulations in particular carry specific security and retention requirements for electronic messages:
1. Financial Industry Regulatory Authority (FINRA)
These rules cover the business communications of member broker-dealers and their registered representatives (including certain bank and credit union employees). Electronic messages, whether created in the office, at home, or elsewhere, are subject to this provision. Every device and management system must be properly protected, with all emails retained in a non-rewriteable, readily accessible form (using FINRA's prescribed methodologies) for at least three years, the first two in an easily accessible place.
2. Health Insurance Portability and Accountability Act (HIPAA)
These rules protect patient information (protected health information, or PHI) regardless of where it is sent or stored. Whether that data sits behind a medical office's firewall, arrives in an email message, or is transmitted to others, it must be kept from unauthorized individuals. Encryption is the practical tool here: under the Security Rule it is an "addressable" specification rather than a strict mandate, but PHI that is properly encrypted is treated as secured and falls outside the breach-notification requirements, so message text and attachments should be encrypted end to end. MSPs must also take other steps to standardize electronic data exchange and protect patient confidentiality. HIPAA prescribes seven-figure civil fines and criminal charges for failures, though enforcement actions have so far been relatively rare.
3. Sarbanes-Oxley (SOX)
This act requires publicly traded companies (and, under certain provisions such as the ban on destroying records relevant to an investigation, private organizations as well) to establish reliable records retention policies and procedures, along with access controls for managing and protecting data. Email relevant to financial reporting and audits must be retained and retrievable, text and attachments included, and protected from alteration or deletion, with specific archiving and retrieval stipulations. SOX threatens non-compliant organizations with heavy fines and, for willful destruction of records, criminal penalties.
4. General Data Protection Regulation (GDPR)
While created and enforced by the EU, GDPR covers any company that processes the personal data of individuals in the EU, wherever that company is based. MSPs can help by implementing security measures and policies that enable organizations to prevent, detect, and report breaches, including the requirement to notify the supervisory authority within 72 hours of becoming aware of a breach. With email being one of the highest-risk activities (think phishing and general employee naivety), the opportunities for those who understand protection and encryption methodologies will surely rise in 2018.
5. New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500)
Banks, insurance companies, and other financial services institutions licensed by the Department, including non-NY-based companies doing business in the state, must have specific programs in place to protect consumers' private data. The regulation spells out controls and strategies to secure that information and requires covered entities to notify DFS of qualifying cybersecurity events within 72 hours. MSPs should get well versed in these requirements, since New York is likely just the first of many similarly structured data protection standards.
A Valued Service
With a comprehensive understanding of the compliance issues that affect your clients, along with proven expertise and solutions, your firm will be in a stronger position to win new business.
More than ever, organizational leaders need someone to guide them through the labyrinth of new and updated regulations. Most don't want to deal with these issues on their own.
SMBs will increasingly place more value on MSPs equipped to address a growing range of compliance requirements and let them focus on what they do best. Are you ready to accept that challenge?