My TechDecisions

Managed Service, Network Security

Selecting a Managed Service Provider in an Evolving Threat Landscape Requires Due Diligence

A rise in attacks against MSPs is leading to the creation of new verticals in the IT industry and a harder choice when selecting a provider.

Leave a Comment

Managed Service Provider Cybersecurity

You go to work in the morning, but your boss stops you before you can sit down and start up your computer at your work station. An attacker accessed your company’s networks and is holding your data hostage for a ransom of bitcoin, and nobody at the company can access the files they need to do their job.

The entire business is effectively shut down.

How is that possible? Your firm contracts with a managed service provider (MSP) that provides you with — on top of cloud services and tech support — security solutions that should have prevented this attack.

However, after due diligence, it’s discovered that the MSP itself is to blame. Somehow, the attackers first accessed the MSP’s network, which gave the criminals the keys to hundreds of other networks and a treasure trove of data.

So, how do you know which MSP will keep you safe — not only from attackers — but from themselves?

According to experts from IT trade association CompTIA, cybersecurity practices should be the leading concern when businesses of all sizes outsource their IT and security operations.

IT industry responds with new verticals

The rate of attacks against MSPs and other technology keyholders has increased so much that the industry has responded in kind and given rise to Managed Security Services Providers (MSSP), which are essentially MSPs with a focus on cybersecurity.

According to Carolyn April, a senior director of analysis at CompTIA, MSSPs are more of a pure play organization that hire a broad range of cybersecurity specialists and typically operate their own security operations center (SOC).

“They take cybersecurity a little more seriously than general MSPs,” April says.

Many IT providers are doubling down on their security options and becoming MSSPs. In addition to a good branding move for the company, it brings more security tools beyond a firewall and antivirus software.

That includes hiring chief security officers, security analysts, engineers, architects and high-level penetration testing experts. In contrast, regular MSPs may have just one or two security experts on staff.

“If they’re taking it seriously, they’re putting security as their foot first with customers,” April said.

Educate yourself

End users should come to these meetings with prospective MSPs with knowledge and questions, says Seth Robinson, a senior director of technology analysis at CompTIA.

If they don’t, they run the risk of drowning in IT jargon.

“It might sound good, but it might not fully answer the question,” Robinson says.

The threat landscape is evolving, and despite their expertise in network security, MSPs and even MSSPs aren’t immune. All it takes is a millisecond of a lapse in security or a deviation from normal security practices for dozens of clients to be compromised.

Read Next: The IT Industry Needs Everyone’s Help to Close the Cybersecurity Workforce Gap

There are now a number of ways and methods hackers will use to infiltrate an MSP’s client base, like phishing attacks, ransomware and compromising remote desktop applications.

The end user needs to be aware of those threats and come armed with questions about how their prospective provider fights those attacks.

“If end users want to ask their MSP or MSSP about their practices, the end user is going to have to be educated themselves to some degree,” says Robinson.

Quiz your potential security provider

Once the end user is educated, Robinson suggests they ask two key questions of their potential services provider:

  • What do they do around data security?

“If they’re a cloud provider and operations are spread across multiple locations, questions have to be around data security and not just network security,” says Robinson.

  • What is the MSP doing with their own staff?

“One of the primary types of attacks is phishing,” says Robinson. The end user should try to get some sense of what the MSP is doing to educate their own staff around modern security threats so they won’t fall victim to those sorts of things.”

According to April, end users shouldn’t take the providers’ alleged expertise for granted. Questions should dig deep into the MSP’s business, offerings and breach history:

Have they gone through the rigor of becoming an MSSP?

What percentage of their total revenue comes from security services or compliance services as opposed to something else?

“Ideally, they’re all about security,” April says.

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *

Get the FREE Tech Decisions eNewsletter

Sign up Today!

Latest Downloads

IT Management – Evaluating Direct Reports

Amongst so many things you have to learn when becoming a new IT manager, evaluating your direct reports is one of them. This is a daunting task, th...

Key Steps to Writing an Effective RFP for Building an Operations Center

When you’re in charge of a mission-critical operations center, you know there’s no room for error. These spaces must be resilient and operati...

The Ultimate Guide to RFPs – Everything a Technology Manager Needs to Know About Creating RFPs

You’re a technology manager in charge of hiring an installer to implement new technology into your organization’s workflow. The first thing you’re ...

View All Downloads

Would you like your latest project featured on TechDecisions as Project of the Week?

Apply Today!

More from Our Sister Publications

Get the latest news about AV integrators and Security installers from our sister publications:

Commercial IntegratorSecurity Sales