Security Testing Your MSP

When handling IT needs, many organizations utilize a Managed Service Provider, more commonly referred to as an MSP. The typical role of an MSP is in managing servers and desktops, helping with printers, and maybe doing email. Most people never even ask the MSP what their security practice is, let alone ask for a third-party assessment of the organization. I hope this post convinces anyone looking at hiring, or who already uses, an MSP to get verification of their practices.

“They Have It Covered - They Know What They Are Doing”

These were the words a sales rep at a local MSP said to me recently when I asked if they used a third-party to test their security. The “they” in the comment referred to the owners. This was terrifying, as there is no way to be sure that everything is covered if nothing has actually been tested to verify it.

I asked him the question because of some startling research that recently categorized MSPs as the organizations most targeted by criminal attackers. The logic is that if you attack an MSP and successfully gain access, you gain access to dozens or hundreds of its customers. And it appears to be working for the attackers.

Here are a few recent news examples:

  • Blue-Chip MSP Synoptek Hit By Ransomware, Paid Ransom To ‘Extortionists’ - CRN

  • Breach at IT Outsourcing Giant Wipro - Krebs on Security

  • MSP Ransomware Attacks Explode in 2019 - Calyptix

Working in IT is not the same as working in Cyber Security; the skill sets are different. If you are going to trust a third-party with managing and guarding your data, you should at least do your due diligence and get independent verification.

In our testing, up to 82% of employees at an MSP will fall for a phishing attack. If this were a real-world scenario, access to your data could be compromised through a targeted phishing attack on your MSP. Your data could also be held for ransom via an MSP that is not properly protected.

Additionally, an MSP should carry cyber liability insurance. These policies are different from what you would get for yourself; in most cases yours is likely a rider on your general liability plan. An MSP can get a specific cyber liability policy that extends coverage to you in the event that your data is breached or that they cause you downtime.

Taking Proactive Steps

There are some simple questions to ask to see where the MSP, or prospective MSP, ranks in terms of security practices. Consider the following.

  • What form of Multi-Factor Authentication do you use to protect data?

  • How often do you get a security audit by a third-party?

  • What are your procedures to change passwords and accounts when you terminate an employee?

  • What background check procedures do you employ for your team members?

  • How much are you insured for in the event I am the victim of a breach?

And there are some simple processes you should follow when contracting with an MSP:

  • Request annual third-party security testing results.

  • Never sign a contract for more than one year.

  • Annually ask for proof of liability insurance.

  • Never have your MSP manage cyber security products; use an MSSP (Managed Security Service Provider) for this.