(April 12, 2021) You partner with a managed services provider to enhance the support and security of your IT systems. How can you ensure that your managed services provider (MSP) is secure?
On June 12, 2020, the U.S. Secret Service issued a security alert warning that hackers were targeting managed services providers in an effort to gain access to their customers’ systems. Specifically, threat actors were using compromised IT management and automation platforms to execute business email compromise and ransomware attacks and to exfiltrate data from point-of-sale systems.
MSPs use an array of tools to monitor their customers’ environments, perform administrative tasks and troubleshoot problems. This helps to improve security by ensuring that systems are kept up-to-date and vulnerabilities are promptly addressed. However, if MSPs fail to follow security best practices, they can introduce threats into their customers’ IT environments.
To minimize this risk, organizations should carefully evaluate a managed services provider’s security compliance practices before signing on the dotted line. Here are seven questions to ask:
Is the MSP certified? Industry certifications provide a measure of an MSP’s capabilities. In order to qualify for the MSPAlliance Cyber Risk Verify and MSP Verify programs, for example, an MSP must meet or exceed standards of excellence in cybersecurity and customer care. The Service Organization Control (SOC) Type 2 report demonstrates that the MSP adheres to essential security control objectives. It is based on an audit conducted according to American Institute of Certified Public Accountants (AICPA) guidelines.
Do the MSP’s security controls follow industry standards? Security frameworks provide industry-recognized guidance for managing cybersecurity risk. MSPs that follow these guidelines are more likely to have robust security controls.
What are the MSP’s policies? Policies and procedures play a critical role in cybersecurity. MSPs should enforce least-privilege access policies, meaning that staff should only have access to the resources they need to do their jobs. Individual technicians should have their own login credentials with strong passwords and multifactor authentication.
What tools does the MSP use? Best-in-class MSPs have invested in proven IT management platforms that are protected by industry-leading security tools. Ideally, MSPs will use the same security technologies they recommend to customers, and promptly apply any patches and updates within their own environment.
Does the MSP monitor for threats? Threats can get past even the best security tools. MSPs should monitor their environment for suspicious behavior or unauthorized activity, and promptly investigate any threats that are detected according to a well-established incident response plan.
Does the MSP’s staff keep their skills current? It’s not enough that the organization is certified — individual members of the MSP’s team should be required to keep their skills up to date. While there’s no substitute for real-world, hands-on experience, training is also necessary to stay current with the latest threats and techniques for combating them.
Does the MSP outsource? Smaller MSPs often outsource some of their operations to third-party providers. Customers should conduct further due diligence and ask for assurance that the third party has security controls that meet or exceed those of the MSP.
Law enforcement officials have warned that managed services providers are under attack. MSPs that lack the certification, expertise, and processes to secure their own environments extend their risk of compromise to their customers. By asking the right questions, customers can assess the competency and compliance posture of the MSP. Quality MSPs should have no difficulty answering these types of inquiries from current or potential customers.
ABOUT MAINSTREAM TECHNOLOGIES
Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.
Jeff Pracht
IT Business Development Manager
(479) 715-8629 Office
(501) 529-0008 Mobile