Many companies hire managed service providers (MSPs) to handle their IT needs, but just because you have an MSP doesn’t mean that your security needs are covered. It is imperative to verify that your MSP is doing all it can to prevent a catastrophic attack on your IT system by taking a security-first mindset. Here are key steps to take and important factors to keep in mind when assessing how much protection your MSP is providing for your organization.
An upsetting shock awaits those companies that just assume their MSP is handling their cybersecurity. The truth is that some MSPs focus only on IT operations. They work to support the users, make necessary upgrades, ensure the operability of the technology and, in general, keep the lights on. They may not view it as their job to monitor threats, identify gaps in protection or prevent attacks.
It’s important to verify that your contract with your MSP includes cybersecurity, and that you’ve defined what that protection looks like. You can start by asking if your MSP has top-tier cybersecurity professionals who offer security services, take a proactive approach to identifying security threats, and can respond quickly if necessary.
Working with a managed security service provider (MSSP) could be the right solution, but some companies balk at the cost of hiring and managing another provider. While budgetary concerns are always relevant, it’s important to keep in mind that a serious data breach can be costly to repair and can irrevocably damage a company’s reputation. Regardless of whether you have one provider or two, the principles of cybersecurity are the same.
Furthermore, cyber insurance is difficult to obtain in the first place if you are not taking well-established, documented steps to secure your environment and your users. Cyber liability insurance carriers are creating more requirements and conducting more thorough reviews of organizations before offering coverage. They want to make sure, understandably, that an organization is taking the necessary precautions to decrease the odds of a big claim being filed.
For all these reasons, many companies benefit from hiring an experienced provider that can focus on their cybersecurity needs.
To verify that your MSP is itself secure, ask to see the firm’s latest SOC 2 audit report. This report details the organization’s controls related to security, availability, confidentiality, and other important functions. In addition, make sure that your MSP has policies and procedures that protect the operational side of its services. These include third-party certifications and details about how the MSP ensures the quality of its work.
Once you are satisfied that your MSP can handle your cybersecurity needs, the next step is to confirm your requirements. Perform a thorough gap analysis or, at the very least, undertake a one-time security baseline assessment. Your MSP should be skilled at identifying solutions for your situation.
Workflows and written procedures are essential, of course, but there are always intangibles that will decide if the engagement is a successful one. Foremost among these is good communication. An effective MSP should be in regular contact regarding the state of your IT environment, possible challenges, and technological innovations. Your MSP should make you aware of any potential security gaps and have a plan for addressing them.
In recent years, many companies have suffered major breaches that originated with their providers. Third-party cyber incidents have become both more common and more severe. Therefore, it is your responsibility to engage with your provider to identify how the MSP is part of the solution and not part of the problem.
At a minimum, your provider must ensure that your IT system’s most critical components are taken care of. Achieving that goal includes answering the following:
- Are software patches being applied?
- Is the company’s backup environment protected?
- Is the system set up to recover crucial data and functions if there is a breach?
- Are important controls such as multifactor authentication and endpoint detection and response in place, and has unsupported or end-of-life software in your environment been identified?
- Has there been a firewall rule review to make sure that all devices are configured properly?
- Is there risky ingress traffic from the internet?
- Are there unsupported systems?
- Is Active Directory hygiene being performed?
- Has the company moved to the cloud to reduce its attack surface?
- Have you established formal governance, such as a written information security policy, incident response plans, and so on?
- Have the recommended EDR solutions been discussed?
Those are just some of the key concepts that your MSP should be discussing with you during regular communications. If your MSP isn't at least broaching those conversations, it could be time to find a provider that will be proactive about keeping your company safe.
While your MSP can’t hover over staff members to prevent them from clicking on the wrong link, your provider can definitely provide training to minimize the chances of a breach. Your MSP should be willing to educate your employees on best practices and provide real-world examples of do’s and don’ts when it comes to cybersecurity.
In the end, the most critical piece of any organization's security posture is the human firewall. Your MSP should be more than just a behind-the-scenes firm that handles tech issues. Your provider needs to be an effective collaborator in ensuring that your company stays safe in the cyberworld.
Corey Weeklund is a Managed Technology Services Director at RSM US LLP. He can be reached at Corey.Weeklund@rsmus.com.