Does Your MSP Have Strong Internal Security?
You trust your IT service provider to help secure your network because they claim to have the expertise, manpower, and skills to keep you safe. But are they applying that same rigor to their own internal security?
In some cases, the answer is no. In recent years, the IT services industry has seen a rash of high-profile attacks in which cyber criminals targeted managed IT service providers (MSPs) and their vendors, then used the privileged access they gained to infiltrate the networks of the MSP's clients.
These attacks have pushed MSP security onto the front page of the technology media, and even prompted the Department of Homeland Security to issue an alert warning businesses about the dangers of working with an MSP that isn't taking its internal security seriously.
Here are some questions you can ask to determine if an MSP is doing enough to safeguard themselves.
How Do They Mitigate Employee Errors and Inside Threats?
Employee error is one of the greatest cyber risks for any business, and an MSP is no different. Even well-trained IT professionals can fall for phishing, with disastrous consequences because of the privileged access they hold. Any security-minded MSP will make staff security a top priority. Here are just a few of the important elements of that effort:
Cybersecurity Awareness Training
Just as your MSP trains your end users to spot the latest attacks and follow best practices, it must be doing the same for its own staff. However, the standard an MSP holds its staff to should be much higher than that of the average business, because a technician's credentials typically open the door to every client's network.
For example, does the MSP regularly simulate cyber incidents within its own environment to test the adaptability and knowledge of its staff? Consistent, realistic exercises of this kind are one of the few ways to confirm that the MSP's team is ready for real-world problems rather than just a slide deck.
Secure Onboarding, Training, and Off-boarding
Newly hired staff and staff who have recently left are two of the biggest sources of risk at an MSP. New staff must be taught how to use all the necessary systems and platforms safely, without putting the company and its clients at risk.
Offboarding can be even more dangerous. Departing staff may unwittingly take valuable network credentials, devices, or data with them when they leave, or deliberately take them to attack their former employer. A sound offboarding process disables the employee's accounts and remote-access tokens the same day they leave, recovers company devices, and rotates any shared or client credentials the employee knew, since those cannot be "returned."
When interviewing a new MSP, dig deep into their HR processes: how they vet technicians and engineers, and how they manage employee turnover as part of their security process.
Do They Have a Framework for Internal Security?
An MSP's internal security should not be an ad hoc collection of tools and processes. Instead, it must have a systematic, repeatable, and documented framework for securing its internal systems that covers every aspect of its operations.
While we can't explore every aspect of an effective MSP cybersecurity framework in one blog post (most of it would be highly technical), we can give you some directions for probing an MSP's overall security posture.
Risk Management and Audits
All MSPs should be proactively managing their internal cyber risk, referencing a trusted resource such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, ISO 27001, or a comparable standard.
Working from a clear set of standards gives the MSP's staff consistent guidelines for evaluating the risks to their business, identifying weaknesses in their security protections, managing technology assets, and tracking and managing cyber events, among other things.
Any reputable MSP will be upfront about which frameworks it works from, how frequently it audits its internal security, and whether those audits are performed by an independent party.
Data Handling Processes
The staff at your MSP will have access to your network and to sensitive data such as personally identifiable information (PII), network credentials, and network management information. That makes it critical that the MSP enforces clear standards around the "who, what, when, and why" of how customer-sensitive data and PII are handled.
Encrypting sensitive data, limiting access to customer information to the staff who need it, using a password management tool rather than spreadsheets or shared documents for client credentials, and enforcing strict data collection and retention policies are all measures an MSP can deploy to safeguard its clients' data from prying eyes.
Ensure You’re Protected from Their Vendors
Recent attacks involving Kaseya's VSA and SolarWinds' Orion products thrust MSP supply-chain attacks into the national headlines. In the Kaseya case, attackers exploited vulnerabilities in the VSA remote management server to push ransomware to MSP clients; in the SolarWinds case, attackers compromised the vendor's build process so that a trojanized Orion update was delivered to customers through the normal update channel. Both had a secondary impact on thousands of companies that never dealt with the vendors directly.
Many MSPs will work with vendors to help with specialized technical skills, such as penetration testing, network security monitoring, and data backups.
Layered security, with external and internal firewalls, anti-virus, malware protection, and intrusion detection systems, helps an MSP insulate its clients from possible vendor compromises. Note, however, that a legitimately signed but trojanized update will pass through anti-virus and firewalls, so ask how the MSP limits the privileges and network reach of its vendors' tools, segments its management infrastructure from client networks, and reviews each vendor's own security practices before granting access.
Network Monitoring and Incident Response
A recent report from remote monitoring and management (RMM) company N-able found that over 90% of MSPs had suffered a successful cyberattack in the previous 18 months, with 90% of them seeing an increase in attacks since the COVID-19 pandemic.
Network security monitoring—a service that most MSPs offer to their own clients—must be an integral part of your MSP’s cybersecurity posture.
Beyond monitoring, however, the MSP needs a plan for responding to incidents, since they are all but guaranteed to happen.
- Do they have clearly defined responsibilities for managing cyberthreats?
- Is there a clear set of policies and communication plans for coordinating stakeholders in their responses?
- How do they triage and investigate alerts to distinguish genuine intrusions from false positives, and how do they preserve evidence when an event turns out to be real?
- How quickly, and by what channel, will they notify you if their own environment is compromised?
Any MSP that hesitates to answer or can't provide details isn't doing its due diligence.
How Will They Handle Disaster Recovery and Business Continuity?
Any reputable MSP will take time to develop a disaster recovery plan for your business.
Some organizations in healthcare and other regulated fields may even work with their MSP to develop a comprehensive business continuity plan, including redundant infrastructure and office locations.
Does your MSP have the same protection for itself? Because your MSP is so important to your own stability, you should be proactive about clarifying how seriously it takes its own redundancy in case something goes wrong. That means multiple backups, both cloud and onsite, with at least one copy kept offline or immutable so that ransomware inside the MSP's network cannot reach it, and regular test restores (not just successful backup jobs) to prove the recovery technologies and procedures actually work.
Reliable Cybersecurity Partnership in Ohio
For 20 years, the Astute Technology Management Team has been providing comprehensive cybersecurity services in Columbus, Cincinnati, Cleveland, and their suburbs. Looking for an MSP with a dedication to security and stability? Our friendly team is here to help any time at 614 389 4102 or [email protected].