Qualified managed services providers take steps to secure their own environments to reduce risk to their customers.
Managed services providers (MSPs) help protect their customers from cyber threats with advanced security solutions such as remote monitoring, endpoint protection, risk assessments, patch management and more. In some instances, however, MSPs can actually introduce security vulnerabilities.
Because MSPs are connected into the IT environments of multiple clients, they have become a primary target of cyberattacks. In fact, one recent study found that MSPs are more likely to be targeted than their customers. Conducted by research agency Coleman Parkes, the survey found that 90 percent of MSPs had suffered a cyberattack in the preceding 18 months. Eighty-two percent of MSPs also saw attacks on their customers increase, but not at the same rate.
That’s why it’s critically important to evaluate the security of an MSP. Best-in-class providers use highly secure technology tools and follow industry best practices rigorously to protect their customers’ environments.
A Matter of Trust
Because a single MSP may have hundreds of customers, a compromised provider gives malicious actors a platform for conducting large-scale attacks that infect multiple companies. That allows criminals to launch so-called “buffalo jump” attacks in which an MSP and all of its customers are simultaneously ransomed. The most notorious example of this type of attack occurred in 2019 when a malicious actor used a compromised MSP to launch concurrent ransomware attacks on 22 different Texas towns, causing a reported $12 million in damages.
In some instances, MSPs have been compromised because they failed to install security patches or other updates to their third-party remote management tools. That’s a shortcoming that can really undermine trust in a partner who has privileged access to the company’s most sensitive resources. It’s difficult to sustain a good relationship with an MSP that doesn’t adhere to industry-standard security practices.
What to Look For
If an MSP is providing security services, it’s fair to ask what steps they are taking to ensure their own security. When evaluating a potential provider partner, here are a few questions companies should ask to determine the provider’s commitment to security:
How do they secure their environment? Reputable providers will have multiple levels of security. Check to see if they use virus and spam prevention, intrusion detection, encryption, access controls, next-generation firewalls and other measures. Ask to see their disaster recovery plans and their plans for responding to data breaches or other security incidents.
Do they comply with industry standards? SOC 2 is a set of security standards created specifically for tech companies with online systems that store confidential information. SOC 2 requires that companies establish and follow strict information security policies and procedures. Additionally, MSPs should comply with the SSAE-16 auditing standard for verifying the physical and environmental security of systems.
Are they certified? The MSPAlliance is an international consortium of MSPs that establishes certain standards for providers. Two key certifications — MSP Verify and Cyber Verify — signify that providers meet essential control objectives for IT governance, cybersecurity, physical security, confidentiality, privacy, data management and more.
Do they evaluate their security measures? Risk assessments and security audits are essential to a solid security environment. Because cyber threats are continually evolving, MSPs can’t understand their risk exposure unless they regularly review their current security posture.
How do they identify threats? MSPs should continually monitor their own systems to identify any unauthorized activity, and regularly review access logs of remote connections to their clients’ networks to spot anything suspicious.
Are they self-sufficient? Many smaller MSPs don’t have their own network operations center (NOC), so they outsource some of their services to local or offshore providers. That doesn’t necessarily mean they are unqualified, but it should prompt additional due diligence.
Are they insured? MSPs should have cybersecurity liability insurance to protect customers. Cyber insurance policies usually cover business losses, ransomware payments, investigation and remediation costs. They also provide protection from any lawsuits stemming from a security incident.
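An added illustration of the access-log review described under "How do they identify threats?" above: a small script that flags off-hours remote sessions and one technician account fanning out across many client tenants in a short window. This is example code, not from the article or any MSP's tooling; the log format, account names, business hours and thresholds are all assumptions.

```python
# Added example, not from the article: review an MSP's remote-session
# access log for the activity the article says should be spotted.
# The log format, names, hours and thresholds are all assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <technician> <source_ip> <client_tenant>"
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice 203.0.113.10 client-a
2024-03-04T10:05:00 alice 203.0.113.10 client-b
2024-03-04T23:40:00 bob 198.51.100.7 client-c
2024-03-05T02:01:00 bob 198.51.100.7 client-a
2024-03-05T02:02:00 bob 198.51.100.7 client-b
2024-03-05T02:03:00 bob 198.51.100.7 client-d
2024-03-05T02:04:00 bob 198.51.100.7 client-e
"""
BUSINESS_HOURS = range(8, 18)      # assumed 08:00-17:59
FANOUT_WINDOW = timedelta(minutes=15)
FANOUT_LIMIT = 3                   # distinct tenants inside one window

def parse_log(text):
    """Parse lines into sorted (timestamp, account, source_ip, tenant) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, account, src, tenant = line.split()
            events.append((datetime.fromisoformat(ts), account, src, tenant))
    return sorted(events)

def find_suspicious(text):
    """Return (account, reason) findings for off-hours and fan-out sessions."""
    findings, by_account = [], defaultdict(list)
    for ts, account, src, tenant in parse_log(text):
        if ts.hour not in BUSINESS_HOURS:
            findings.append((account, f"off-hours session to {tenant} at {ts}"))
        by_account[account].append((ts, tenant))
    # Fan-out: one account reaching many distinct client tenants in a short
    # window is the pattern of a stolen MSP credential being used at scale.
    for account, sessions in by_account.items():
        for i, (start, _) in enumerate(sessions):
            tenants = {t for ts, t in sessions[i:] if ts - start <= FANOUT_WINDOW}
            if len(tenants) >= FANOUT_LIMIT:
                findings.append((account, f"{len(tenants)} tenants within {FANOUT_WINDOW}"))
                break
    return findings

if __name__ == "__main__":
    for account, reason in find_suspicious(SAMPLE_LOG):
        print(account, reason)
```

On the constructed sample, only the "bob" account is flagged: five off-hours sessions plus a fan-out across four tenants in three minutes, which is the multi-customer pattern the article warns about.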
By some estimates, more than two-thirds of all businesses in the U.S. work with an MSP to improve the efficiency, reliability and security of their critical IT operations. Not all providers are of equal ability, however. When evaluating providers, organizations must do their due diligence to find a provider that has invested in the tools, controls and certifications necessary to protect valuable customer resources.