You go to work in the morning, but your boss stops you before you can sit down and start up the computer at your workstation. An attacker accessed your company’s networks and is holding your data hostage for a ransom in bitcoin, and nobody at the company can access the files they need to do their job.
The entire business is effectively shut down.
How is that possible? Your firm contracts with a managed service provider (MSP) that provides you with — on top of cloud services and tech support — security solutions that should have prevented this attack.
However, after due diligence, it’s discovered that the MSP itself is to blame. Somehow, the attackers first accessed the MSP’s network, which gave the criminals the keys to hundreds of other networks and a treasure trove of data.
So, how do you know which MSP will keep you safe, not only from attackers but from the MSP itself?
According to experts from IT trade association CompTIA, cybersecurity practices should be the leading concern when businesses of all sizes outsource their IT and security operations.
IT industry responds with new verticals
The rate of attacks against MSPs and other technology keyholders has increased so much that the industry has responded in kind and given rise to Managed Security Services Providers (MSSP), which are essentially MSPs with a focus on cybersecurity.
According to Carolyn April, a senior director of analysis at CompTIA, MSSPs are more of a pure-play organization: they hire a broad range of cybersecurity specialists and typically operate their own security operations center (SOC).
“They take cybersecurity a little more seriously than general MSPs,” April says.
Many IT providers are doubling down on their security options and becoming MSSPs. Beyond being a good branding move for the company, it brings more security tools to the table than a firewall and antivirus software.
That includes hiring chief security officers, security analysts, engineers, architects and high-level penetration testing experts. In contrast, regular MSPs may have just one or two security experts on staff.
“If they’re taking it seriously, they’re putting security as their foot first with customers,” April said.
End users should come to meetings with prospective MSPs armed with knowledge and questions, says Seth Robinson, a senior director of technology analysis at CompTIA.
If they don’t, they run the risk of drowning in IT jargon.
“It might sound good, but it might not fully answer the question,” Robinson says.
The threat landscape is evolving, and despite their expertise in network security, MSPs and even MSSPs aren’t immune. All it takes is a split-second lapse in security or a deviation from normal security practices for dozens of clients to be compromised.
Attackers now use a number of methods to infiltrate an MSP’s client base, such as phishing attacks, ransomware and compromised remote desktop applications.
The end user needs to be aware of those threats and come armed with questions about how their prospective provider fights those attacks.
“If end users want to ask their MSP or MSSP about their practices, the end user is going to have to be educated themselves to some degree,” says Robinson.
Quiz your potential security provider
Once the end user is educated, Robinson suggests they ask two key questions of their potential services provider:
- What do they do around data security?
“If they’re a cloud provider and operations are spread across multiple locations, questions have to be around data security and not just network security,” says Robinson.
- What is the MSP doing with their own staff?
“One of the primary types of attacks is phishing,” says Robinson. “The end user should try to get some sense of what the MSP is doing to educate their own staff around modern security threats so they won’t fall victim to those sorts of things.”
According to April, end users shouldn’t take the providers’ alleged expertise for granted. Questions should dig deep into the MSP’s business, offerings and breach history:
- Have they gone through the rigor of becoming an MSSP?
- What percentage of their total revenue comes from security services or compliance services as opposed to something else?
“Ideally, they’re all about security,” April says.