Your Law Firm’s Security Needs a Cybersecurity-Certified MSP
Managed IT service providers (MSPs) are experiencing an industry-wide revolution. Before the COVID-19 pandemic, most MSPs focused on technology solutions with cybersecurity as an afterthought. Cybersecurity wasn’t an aspect of technology many businesses wanted to invest in because there wasn’t a notable demand for it; data breaches were just unfortunate mishaps people hoped didn’t target their office next.
Fast forward through COVID-19’s work-from-home status quo, quarantine shutdowns, and the mass business migration to cloud computing. For the MSP industry, there was a sudden spike in cyber threats aimed at their customers across all sectors. MSPs, who weren’t traditionally skilled, trained, or certified in cybersecurity, had to pivot fast to snuff out that risk and meet the demand.
Some MSPs were able to take up the task, but others fell behind. After all, cybersecurity is complex and requires not just intelligence, but dedicated training and real-world experience to actually be effective. It’s not something an MSP can simply pick up and apply to any business that asks for cybersecurity solutions.
The most challenging part in this new MSP reality is: how are customers supposed to decipher which providers know their security and which ones are still flailing?
The answer: Cybersecurity certifications
It’s similar to what you’d ask yourself when hiring an attorney: do they have the education, the certification, the licensing, the know-how to ensure your success?
Or in other words, would your clients trust an unlicensed attorney to win their case?
So, would you trust an uncertified cybersecurity provider to provide the best framework for safeguarding your firm’s infrastructure against rapidly evolving cyberthreats?
Your answer, we hope, is no. Or at least, it will be after you finish this blog.
Is it hard for an MSP to be cybersecurity certified?
Yes, and it should be. Cybersecurity is not for the faint of heart.
The measure of how seriously an MSP takes your firm’s safety is found in their cybersecurity certifications.
Providers work tirelessly in a continual evaluation cycle to prove their understanding and expertise in cybersecurity’s complex set of guidelines, compliance requirements, tools, and frameworks. It requires extensive testing, annual audits, and providing verifiable evidence. Many MSPs have a department dedicated to ensuring their staff are continuously adhering to their certification guidelines.
Cybersecurity certified vs non-certified
In today’s cybersecurity market, certifications are considered the MSP industry baseline and should be one of the first qualifications you look for.
Although cybersecurity certifications rarely tell the whole story of what a potential IT partner is capable of, they’re proof of how committed they are to your firm’s safety. Uncertified MSPs are not viewed as trustworthy by cybersecurity experts because they lack the proper controls and verifiable training in widely practiced security frameworks like NIST and the Center for Internet Security (CIS).
In the heat of today’s technology climate, an effective cybersecurity strategy must be built on best practice frameworks to combat rapidly evolving cyber threats.
The MSP you choose must be more than just the person you call on the phone when your email server is down. Their greatest role and benefit to you is as a strategic resource for your firm’s overall technology health, security, and scalability.
Is cybersecurity certification mandatory for MSPs?
No, and that should terrify you.
Due to the nature of the legal industry and the confidential data accessed on a regular basis, law firms are at an especially high risk of attack.
As a law firm, could you imagine permitting an IT provider access to all your sensitive data without the necessary proof of their cybersecurity controls? How do you know they’re capable of implementing the framework and strategy needed to deal with attacks and threats if they don’t have a paper trail?
Though there is no law requiring MSPs to be cybersecurity certified (unless they serve the U.S. Department of Defense and other government organizations), neglecting certification will only harm your law firm, lulling you into a false sense of security.
Highly sensitive information causes a domino effect of collateral damage, which is exactly what threat actors prey on for profit. At the end of the day, there is no firm too small for a threat actor’s attention; all they care about is an easy way to monetize your data.
Once the threat actor gets what they want, whether it’s your customers’ personally identifiable information (PII), reputation, or money, they disappear. Retribution is rare.
As compliance controls and cybersecurity insurance carriers refine their standards in response to the current cyberthreat environment, the MSP industry will see a push for mandatory cybersecurity training and credentialing, with New York already spearheading the cause. Otherwise, every business’s safety is at stake.
Cybersecurity certifications to look for
Luckily, cybersecurity certifications are common in the modern IT market because of the industry disdain towards uncertified providers. The right certification, however, will depend on the services that your IT partner offers.
In addition, even these certifications can vary based on the industry they support. If you need security support in a specialty area, be sure to do your homework when vetting your IT provider outside of what their representatives are telling you. Always ask for proof of certification and audit reports when weighing your options.
If you’re looking for an MSP that has passed extensive training and testing, search for these cybersecurity certifications:
- Service Organization Control 2 (SOC 2)
- Statement on Standards for Attestation Engagements (SSAE) No. 19
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC 27001)
Still looking for a cybersecurity certified MSP for your law firm?
At STS, we’re proud to be SSAE-19 certified, one of the rarest certifications in the MSP industry. Fewer than 2% of MSPs on the market have the operational maturity to achieve this recognition.
We earned this certification by proving our ability to implement and maintain a thoroughly documented, scalable, and cost-effective approach to cybersecurity using a solid security technology architecture with a preventative focus on cloud computing, data security, compliance, and identity management.
We use the SSAE-19 cybersecurity certification reports in conjunction with the Center for Internet Security (CIS) Top 18 Critical Security Controls (CIS18) every day to protect our organization and service delivery systems and extend that protection to your law firm’s technical environment.
Not ready to take the next step?
Take this quiz to measure your firm’s current IT Vulnerability Score and get clear on your greatest cybersecurity risks.
Looking for even more clarity around your cybersecurity risks? It’s time for an assessment. Learn more about our Security Maturity Level Assessment (SMLA) here.