Questions to ask your MSP about your security

Malicious attacks on managed service providers (MSP) are on the increase. Hackers are infiltrating MSP networks enticed by the chance to victimise multiple companies with just one hack. Guy Lloyd explains the impact and highlights the questions all SMEs should be asking their service provider

New research has revealed that cyber criminals have identified MSPs as a high value target and are systematically carrying out attacks. Typically, MSPs have access to the systems of multiple customers, enabling hackers to launch malicious attacks on many organisations with just one hack. The research showed that 74% of MSPs themselves have suffered at least one cyber-attack, with 83% reporting that their SME customers have experienced an attack[i]. With MSPs now in the spotlight as an entry point, SMEs need to start asking some hard questions to ensure the risks are managed. Here are 5 questions for IT service providers:

  1. Governance Framework – what governance framework is used? Managed service providers should have a security governance framework.  For example, any SMEs operating in the EU will require an MSP to comply with the General Data Protection Regulation (GDPR). Equally if HIPAA[ii] or PCI DSS[iii] are important to your business, your MSP should be able to prove it has the tools and certifications to meet with the legal requirements of the regulation. Any technical controls deployed outside of this framework will be fundamentally undermined, so SMEs should check what framework the MSP is adhering to and that it meets their needs.
  2. Secure development – are the services offered by your MSP designed and developed with security in mind? The services should be able to identify and mitigate security threats. Solution offerings that do not have security built in may be vulnerable to threats which could compromise an organization’s data, cause loss of service or enable other malicious activity.
  3. Personnel security – where MSP employees have access to your systems and data, it is vital to have a high degree of confidence in their knowledge, expertise and trustworthiness. Ask questions about your MSP’s screening process. Check what audit processes they have in place to ensure only authorised personnel have access to your systems. People are the first and best line of defence, when security trained, so check what your MSP’s policy is on training their staff. These steps reduce the likelihood of accidental or malicious compromise by internal personnel.
  4. Operational security – the fundamental cornerstone of good security is good cyber hygiene. Systems that use default passwords, are not patched regularly, or are misconfigured, often become compromised. SMEs need to check with their MSP that the service is operated and managed securely in order to impede, detect or prevent attacks. Good cyber hygiene is about getting the basics right and performing them regularly. A good MSP should be able to demonstrate they are carrying out these tasks regularly and keeping your systems secure.
  5. Supply chain security – under GDPR, data controllers are responsible for their own compliance as well as that of any third-party processors. The fact that an MSP is handling data does not absolve SMEs from responsibility in the event of a breech. The MSP should be able to evidence that its supply chain satisfactorily supports all of the security principles which the service claims to implement. Mistakes can be costly, SMEs should ensure their MSP has appropriate technical and organizational measures in place or risk falling foul of GDPR and incurring a hefty fine.

Outsourcing the role – but not the responsibility

Managed services providers can help an SME accelerate its business growth – if there is a good fit and the relationship is handled properly. However, it is important to understand that outsourcing your IT doesn’t mean handing over the reins to external experts and being absolved of all responsibility. It is the responsibility of the SME to ensure their MSP has data security credentials which stand up to scrutiny in the event of a data breech. When choosing a dependable MSP, you’re investing in the stability of your business, so it’s worth doing the research and asking the right questions.

To read more download CySure’s latest white paper entitled “SMEs: Cybersecurity questions to ask your MSP” visit www.cysure.ltd

Guy Lloyd is a Director at CySure.

[i]  https://mytechdecisions.com/network-security/state-msp-cybersecurity-research/

[ii] HIPAA – Health Insurance Portability and Accountability

[iii] PCI DSS – Payment Card Industry Data Security Standard