Cybersecurity Is An ‘Ongoing Battle’ Not A Technical Fix: Attorney

MSPs also need to recognize that clients are placing enormous trust in them when it comes to security issues, says cybersecurity-focused attorney Shawn Tuma.

Cybersecurity is not a purely technical problem and is “not going to get fixed,” regardless of how hard MSPs might try, cybersecurity-focused attorney Shawn Tuma told an audience of MSP executives Tuesday.

“It’s battle. It’s warfare,” said Tuma, partner at Spencer Fane LLP, during XChange Security 2024. The conference is hosted by CRN parent The Channel Company and is being held this week in Dallas.

[Related: 10 Major Cyberattacks And Data Breaches In 2024 (So Far)]

The cybersecurity space, he said, involves “an active adversary attacking with any and all means available. And the minute you put up some defensive mechanism—policies, procedures, tools—they counter it and they change their tactics. And they find a new way. And then they attack you where you weren’t looking—usually with the people.”

Other people-related matters are also paramount to consider when it comes to cyberdefense, Tuma said. For instance, clients are placing enormous trust in their MSPs to follow through on their commitments to secure them, he noted.

Tuma offered an example—unfortunately not uncommon, he said—where an MSP committed to implementing data backups for a client but “forgot.”

Theron McLarty, founder and CEO of Atlanta-based Skout Advisory, said there’s no question that clients are in a “precarious place” in having to trust other professionals with their security.

“A lot of them don’t know anything about cybersecurity. Or they know just enough. But they’re in this place where they really are at the mercy of the professionals that they’re hiring,” McLarty said.

“And on the other side of that coin is, we who are on the professional side—the MSPs, solution providers—we all have a duty to honor our contracts, to do what we say we’re going to do in terms of protecting our clients in cybersecurity,” he said.

The bottom line for MSPs and their clients is that everyone needs to recognize that cybersecurity does not have a short-term fix but is, instead, “a process,” Tuma said.

“We have to engage in the process because remember, we’re at battle. We’re in a war. Cybersecurity is not going to get fixed and it’s not going to go away,” he said. “It’s an ongoing battle.”

Ultimately, MSPs have to help clients understand that “they don’t need us for a one-time this or a one-time that,” Tuma said. “They need us as a team working together and collaborating—going through a process that, when you get to the end step, you start all over again. That’s how we have to manage this risk.”