Article

Is your managed service provider as secure as you think?

How to ensure that your MSP is protecting your IT system

Oct 14, 2022

Key takeaways

It’s crucial to ensure that your managed service provider offers cybersecurity

Your provider should be proactive when it comes to security

Cyber insurance is not sufficient protection

Best practices help ensure your IT platform is protected

#
Managed technology services Managed security services Cloud services
IT infrastructure Managed IT services Cybersecurity Managed services

It doesn’t matter what industry you are in, or how big your company is—the attacks never stop. Cyberthreats are constant, and they include everything from hackers trying to take over your systems through ransomware attacks to scam artists sending phishing emails.

Many companies hire managed service providers (MSPs) to handle their IT needs, but just because you have an MSP doesn’t mean that your security needs are covered. It is imperative to verify that your MSP is doing all it can to prevent a catastrophic attack on your IT system by taking a security-first mindset. Here are key steps to take and important factors to keep in mind when assessing how much protection your MSP is providing for your organization.

A dangerous assumption

Just a few years ago, cybersecurity for most companies consisted of little more than antivirus software and a basic firewall. Today, companies need a much stronger defense. As cyberattacks have increased in both frequency and sophistication, organizations can no longer sit back and hope that no one gains unauthorized access into their IT environment to unleash havoc. However, many companies simply do not have the internal resources to set up and maintain a powerful cybersecurity platform. Hiring and retaining a staff of qualified security professionals who will focus on cyberthreats is beyond the reach of most organizations.

An upsetting shock awaits those companies that just assume their MSP is handling their cybersecurity. The truth is that some MSPs focus only on IT operations. They work to support the users, make necessary upgrades, ensure the operability of the technology and, in general, keep the lights on. They may not view it as their job to monitor threats, identify gaps in protection or prevent attacks.

It’s important to verify that your contract with your MSP includes cybersecurity, and that you’ve defined what that protection looks like. You can start by asking if your MSP has top-tier cybersecurity professionals who offer security services, take a proactive approach to identifying security threats, and can respond quickly if necessary.

Take action: Watch our 2022 cybersecurity update on key trends in an evolving landscape

Do you need a managed security service provider (MSSP)?

If your MSP does not handle cybersecurity, you may need to consider hiring a managed security services provider (MSSP). These organizations specialize in security and provide 24/7 cybersecurity services.

Working with a MSSP could be the right solution, but some companies balk at the cost of hiring and managing another provider. While budgetary concerns are always relevant, it’s important to keep in mind that a serious data breach can be costly to repair and can irrevocably damage a company’s reputation. Regardless of whether you have one provider or two, the principles of cybersecurity are the same.

Take action: Compare your cyber risk with our two-minute cybersecurity benchmarking assessment

What about cyber insurance?

Some organizations may argue that obtaining cyber liability insurance is all the protection that they require. However, while cyber insurance can be a vital part of a company’s overall strategy, it is not a sufficient defense by itself. That’s like refusing to wear your seat belt and driving through red lights at top speed because you have car insurance.

Furthermore, cyber insurance is difficult to obtain in the first place if you are not taking well-established, documented steps to secure your environment and your users. Cyber liability insurance carriers are creating more requirements and conducting more thorough reviews of organizations before offering coverage. They want to make sure, understandably, that an organization is taking the necessary precautions to decrease the odds of a big claim being filed.

For all these reasons, many companies benefit from hiring an experienced provider that can focus on their cybersecurity needs.

Take action: Find out if your company is eligible for cyber insurance

Do your research

It’s one thing for your MSP to offer cybersecurity services. It’s another for your provider to actually deliver.

To verify that your MSP is itself secure, ask to see the firm’s latest SOC-2 audit. This report details organizational controls related to security, availability, confidentiality, and other important functions. In addition, make sure that your MSP has policies and procedures that protect the operational aspect of their services. These include third-party certifications and details about how the MSP ensures the quality of its work.

Once you are satisfied that your MSP can handle your cybersecurity needs, the next step is to confirm your requirements. Perform a thorough gap analysis or, at the very least, undertake a one-time security baseline assessment. Your MSP should be skilled at identifying solutions for your situation.

Workflows and written procedures are essential, of course, but there are always intangibles that will decide if the engagement is a successful one. Foremost among these is good communication. An effective MSP should be in regular contact regarding the state of your IT environment, possible challenges, and technological innovations. Your MSP should make you aware of any potential security gaps and have a plan for addressing them.

Take action: Read our latest Cybersecurity Special Report to understand why cybersecurity continues to be a top concern for companies

The best defense is a strong offense

It is not enough for your MSP to simply monitor the cyber landscape. A provider that is not actively working to thwart cyberattacks could be putting your organization at risk.

In recent years, many companies have suffered major breaches that originated with their providers. Third-party cyber incidents have become both more common and more severe. Therefore, it is your responsibility to engage with your provider to identify how the MSP is part of the solution and not part of the problem.

At a minimum, your provider must ensure that your IT system’s most critical components are taken care of. Achieving that goal includes answering the following:

  • Are software patches being applied?
  • Is the company’s backup environment protected?
  • Is the system set up to recover crucial data and functions if there is a breach?
  • What about important concepts such as multifactor authentication, endpoint detection and response, unsupported software in your environment, and end-of-life software?
  • Has there been a firewall rule review to make sure that all devices configure properly?
  • Is there risky ingress traffic from the internet?
  • Are there unsupported systems?
  • Is active directory hygiene being done?
  • Has the company moved to the cloud to reduce its attack surface?
  • Have you established formal governance—written information security policy, incident response plans, and so on?
  • Have the recommended EDR solutions been discussed?

Those are just some of the key concepts that your MSP should be discussing with you during regular communications. If your MSP isn't at least broaching those conversations, it could be time to find a provider that will be proactive about keeping your company safe.

Take action: Learn 10 key steps to reduce the impact of cyberattacks

The human element

No matter how good your MSP is, there will always be one aspect beyond its direct control: your staff members. The number one threat vector is an employee who clicks on a malicious link in their email or web browser. All the technological barriers and advanced controls in the world will fail if an employee unwittingly introduces a virus or gives an intruder access to the system.

While your MSP can’t hover over staff members to prevent them from clicking on the wrong link, your provider can definitely provide training to minimize the chances of a breach. Your MSP should be willing to educate your employees on best practices and provide real-world examples of do’s and don’ts when it comes to cybersecurity.

In the end, the most critical piece of any organization's security posture is the human firewall. Your MSP should be more than just a behind-the-scenes firm that handles tech issues. Your provider needs to be an effective collaborator in ensuring that your company stays safe in the cyberworld.

RSM contributors

  • Corey Weeklund
    Director
  • Braden Daniels
    Director
See related insights