Monetizing Essential Eight: How MSPs Can Boost Revenue with Compliance Services
There’s a growing emphasis on cybersecurity in Australia—and managed service providers (MSPs) have reason to pay attention. Just this July, Home Affairs Minister Clare O’Neil referred to cybercrime as “…the fastest growing national security threat we face,” and called on banks, telcos, and technology vendors to do more to protect small businesses and consumers.
Then, in early October, the Australian government introduced the long-awaited Cyber Security Legislative Package. If passed, it will become Australia's first standalone Cyber Security Act, bringing new measures such as secure-by-design mandates, ransomware reporting rules, and the establishment of a Cyber Incident Review Board.
In the meantime, the Australian Signals Directorate (ASD) has been leading the charge in educating businesses and organizations about the importance of cybersecurity. Since 2018, a large part of that mandate has been Essential Eight. Here’s why it matters to MSPs.
Essential Eight: The Basics
The ASD developed Essential Eight to help organizations protect their internet-connected information technology networks. The recommended mitigation strategies include:
- Patch applications
- Patch operating systems
- Multi-factor authentication (MFA)
- Restrict administrative privileges
- Application control
- Restrict Microsoft Office macros
- User application hardening
- Regular backups
We think it’s important to emphasize that these eight controls form a baseline for cybersecurity. The ASD’s Strategies to Mitigate Cyber Security Incidents includes 37 strategies and even more controls. Essential Eight features (as the name suggests) the eight most effective controls of that larger framework.
Yes, they’re considered basic, but these measures make it far more difficult for malicious actors to compromise systems. And, in terms of the time and money it takes to manage compliance, it’s far easier for a business to start with these basic controls than to jump into a more complex framework off the bat.
Who Must Comply?
Essential Eight is recommended for all Australian businesses, government agencies, and entities operating in the country, but it’s not required. With that said, it’s only getting harder for Australian companies to ignore compliance.
In addition to the incoming Cyber Security Act, the last few years have seen the Privacy Legislation Amendment Bill 2022 raise fines for serious data breaches and introduce oversight measures, along with director ID requirements and proposed amendments to the Security of Critical Infrastructure Act 2018.
Taken together, these measures signal coming changes for the Australian compliance landscape—and that represents a big opportunity for MSPs.
A Golden Opportunity
Think about it: to run a compliance program, you need awareness of, and access to, your client’s most sensitive data. It takes a great deal of trust to run a compliance program, and you’re already their trusted service provider. What’s more, being proactive about security demonstrates a commitment to your clients’ well-being, which ultimately strengthens that trust and positions you as an invaluable partner.
Not to mention that the very basic controls of Essential Eight likely align with services you already offer or are capable of offering. Application management, backups, managed security: these are things that most MSPs have in their toolkit, and it’s just a matter of repackaging them as Compliance as a Service (CaaS). Of course, that’s an entirely new revenue stream for your MSP, but it also sets you apart from your competitors, who are only offering basic IT services.
Compliance Considerations (From the Experts)
Based on a recent conversation with our friend Hendrik van Zyl, Solutions Architect at Interdata Solutions and a veteran of the security and compliance spheres in Australia, we’ve pinpointed three key items for MSPs to consider when taking on Essential Eight compliance services—or any compliance service, for that matter.
Be the Expert
According to van Zyl, Australian businesses, large and small, haven’t been inundated with security and compliance to the extent that we have in the US. As a result, MSPs really need to step into a space of expertise and guidance here.
That means being proactive. Don’t wait for your clients to come to you with questions.
Perform a gap analysis and present it at your next Quarterly Business Review (QBR). Show your clients where their vulnerabilities are, and how those risks can affect their reputation and revenue if they’re ever exploited. From there, you can introduce the idea of an Essential Eight compliance program, and explain why you’re the one to lead them through that.
Get the Buy-In
MSPs moving into the compliance space should understand the importance of working from the executive level. According to van Zyl,
“Having customer engagement is critical from what I see in compliance. If you don’t have buy-in from the top level, the program will never succeed.”
– van Zyl
To effectively engage executives and drive compliance initiatives, MSPs can present their solutions in a way that resonates with business leaders. Frame compliance as a strategic investment that protects the organization's bottom line, focusing on tangible benefits such as reduced costs, improved operational efficiency, and enhanced reputation.
Stay Organized
In our conversation, van Zyl told us he’s seen “some large pharmaceutical companies running compliance programs in spreadsheets and docs.” That’s a horror story we’ve heard one too many times. Not only does it make it difficult to prove compliance, but it also makes it difficult to manage.
The solution to this problem is a platform: one that gives you visibility to track progress against a baseline, stores everything in one centralized repository, and has a client-facing portal that brings the client into the compliance process.
Learn to Leverage Compliance Scorecard for Essential Eight
The imperative to prioritize security is becoming more urgent in Australia, and it will continue to get harder for businesses to ignore compliance. MSPs that proactively engage with these trends stand to benefit significantly.
Getting ahead of compliance allows you to position yourself as a valuable partner and secure long-lasting business relationships that generate new revenue. Leveraging Essential Eight is one way to go about that without straying too far from a stack you’re already comfortable with.
For the pieces you’re unsure of, Compliance Scorecard fills in the gaps. It empowers MSPs to have risk conversations through assessments and scorecards, brings clients into the process through its versioning features, and keeps everything in one place.