Most small and midsized businesses trust an IT services partner to help them secure their networks.
A few years ago, high-profile attacks involving Kaseya and SolarWinds, two vendors whose software is widely used by managed service providers (MSPs), thrust the risk of relying on a complex chain of vendors into the technology media and moved the Department of Homeland Security to issue a statement about the need for greater security in the IT services industry.
In the two years since, the FBI, CISA, and NSA have continued to sound the alarm about attacks that reach businesses through their MSPs. Despite that sustained attention, supply chain attacks surged by over 40% last year compared with the previous year to become the number one threat vector, and the average MSP can expect to face 1,362 attacks per week.
In this new reality, businesses cannot simply assume that their IT service partners protect themselves as they should. Here is how a business can screen an IT services firm to find out whether it takes security seriously or is quietly a source of cyber risk.
They Have a Documented Framework for Internal Security
The internal security of your IT services company should not be a random collection of tools and processes. It should be a repeatable, documented framework, enforced by the firm's leadership, that covers each part of its operations.
Here are some questions you can ask to probe into their security posture:
Data handling policies
The staff at your IT partner will have access to your sensitive data, including Personally Identifiable Information (PII), network credentials, and network management information.
It’s critical that your IT firm enforces clear standards around who can handle customer-sensitive data and PII, when they can handle it, and how. This includes consistently encrypting sensitive data at rest and in transit, strictly limiting access to customer information to the staff who need it, requiring password management tools for all credentials, and enforcing data collection and retention policies.
Risk management and audits
All IT services firms should proactively manage their internal cyber risk by working from established best practices such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or ISO/IEC 27001 from the International Organization for Standardization (ISO).
Working off a proven framework provides the MSP staff with a clear set of guidelines for evaluating risks, identifying weaknesses, managing technology assets, and responding to cyber events. Any reputable firm will be transparent about which frameworks they’re referring to in their work and how frequently they audit their internal security.
They’re Proactive About Managing Insider Threats
Like any business, IT services firms need to equip their staff for defense. Even IT professionals can fall for advanced phishing threats, which can have terrible consequences for your business. A security-minded firm will make securing its staff a top priority.
Here are some of the elements of that effort:
Clear Onboarding and Offboarding Processes
New employees and staff who have recently left a company can both pose a cyber risk. In an oft-cited study by the Ponemon Institute, over 50% of those surveyed admitted to taking information from a former employer. In newer research from the same group, Ponemon found that insider threats increased 47% from 2018 to 2020, before the work-from-home trend intensified.
New staff at IT services firms must be taught how to use the network management platform safely, without putting the company and its clients at risk. Similarly, staff who leave the organization must be promptly and fully removed from its systems: accounts disabled and deleted, shared and service credentials they knew rotated, and tokens or keys they held revoked.
When interviewing a new IT partner, dig deeply into their HR processes. Make a point of asking how they vet engineers and technicians, and ask to learn more about how they manage employee turnover as part of their overall security posture.
Cybersecurity awareness training
Just as a Managed Service Provider (MSP) will help your team spot the latest attacks and adhere to the latest cybersecurity best practices, they must be doing the same for their own staff. However, the standards for internal awareness of the latest threats should be significantly higher than what’s acceptable at other businesses.
Does the MSP regularly simulate cyber incidents within its environment to test the adaptability and knowledge of its staff? Are they running team-focused training to practice how effectively they can launch a coordinated response to large-scale attacks? This style of consistent training is the only way to ensure that an IT service team is ready for real-world problems.
They Insulate You from Your Vendor and Partners
Recent attacks on popular IT service vendors thrust supply chain attacks into the national headlines, sounding an alarm that the Five Eyes (FVEY) agencies, including NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI, have continued to ring in joint advisories aimed at MSPs and their customers.
Most IT firms work with vendors to fill technical gaps or to streamline their penetration testing, network security monitoring, and data backups. Each of these vendors enlarges the MSP's attack surface: every integration creates a path for ingress or egress that could be exploited, and a compromise at the vendor can be carried down the chain to you.
A layered defense with external and internal firewalls, malware protection, and Intrusion Detection Systems (IDS) is the bare minimum any IT firm should have in place to insulate its clients from a vendor compromise. Ask, too, whether vendor integrations are segmented from client environments and granted only the access they actually need.
They’re Vigilant About Monitoring Their Network
A report from the Remote Monitoring & Management (RMM) company N-able indicates that “almost all MSPs have suffered a successful cyberattack in the past 18 months, and 90% have seen an increase in attacks since the pandemic started”, which puts them ahead of any other industry vertical as the main target of malware, phishing, and ransomware attacks.
Network security monitoring must be an integral part of your MSP’s cybersecurity posture. Beyond that, the MSP needs a plan to respond to these inevitable incidents.
- Are there policies and communication plans in place to help coordinate stakeholder efforts around a cyber response?
- Do they have clearly defined roles and responsibilities for managing cyber threats?
- What internal forensics will they perform to determine whether cyber events need further examination or not?
A mature IT services firm will be able to talk candidly about the points above and about the other measures it takes to secure its network. If it cannot talk openly and at length about those measures, that may indicate an immature approach to security that could put your business at risk.
About the author:
Eric Madden is the President of Astute Technology Management. For over 20 years, his team has been providing businesses in Ohio with the strategic and technical skills necessary to achieve total IT confidence. At his core, he still considers himself the nerdy kid who got a Tandy as a gift from his father and enjoys learning about all facets of technology—especially cybersecurity—to leverage and improve the lives of those around him.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.