How to Ensure Your MSP Takes Security Seriously
In today’s technology-driven world, cyber-attacks have become a big problem. When looking for a Managed Service Provider (MSP), you need to select the one that is prepared for the inevitable and can shield you against malicious attackers. They are responsible for regular support and administration of an organisation’s IT environment, ensuring IT systems are functional and available to your staff. However, due to the pandemic and increasing reliance on managed services, MSPs are rapidly becoming a prime target for hackers. Due to the increased commercialism of cyber-crime and ransomware being so prevalent, it is more efficient and cost-effective for hackers to compromise a single organisation that provides them backdoor access into hundreds, if not thousands of other organisations, essentially providing them more bang for their buck. Let’s face it if your MSP is performing IT Support and Administration duties remotely, that means they have the keys to your kingdom.
Depending on where you look, research and news articles are claiming anywhere from 50% – 70% of MSPs have experienced at least one cyber-attack. Due to the increased targeting of MSPs in recent years, organisations need to stop blindly trusting IT providers and do their assessments, whether their MSP/IT providers are taking their own and your security seriously.
If you want to determine whether your MSP is taking your and their security seriously, then this questionnaire is a must-read. We’ll go over several questions that you need to ask your MSP, to provide you with an indication they’re implementing best practice security measures.
The Importance Of Choosing A Secure MSP
It’s critical to ask your MSP the right questions when it comes to cyber security. Evaluating your IT provider’s capabilities and security practices can provide organisational confidence that your IT environment is in the right hands. Outsourcing your IT to an MSP can help lessen operating costs and offer an extra layer of security measures to ensure risks and vulnerabilities and managed. However whilst this is the ideal situation, what if instead of providing essential IT defences, your MSP themselves have been compromised by cybercriminals. To avoid scenarios like this from happening, it is crucial to determine if your MSP is proactively managing their defences to avoid supply chain attacks.
For this purpose, we have created a list of a few essential questions for you to ask your prospective/current managed IT provider.
Questions To Ask Before Selecting A Managed Service Provider
1. Does Your MSP Undertake Regular Penetration Testing?
Confirm with your MSP whether they undertake penetration testing regularly. To gain a deeper understanding of how secure your MSP is, you can request a penetration test report or attestation letter. This will provide you with an outline of their current security posture and if they have appropriate vulnerability management policies and procedures in place. This will not only assist you in determining whether you’ve partnered with the correct MSP but also help you in developing effective business security practices, to reduce the risk of handing an insecure IT Provider the keys to your kingdom.
2. Does The MSP Patch Their Windows and Non-Windows Systems / Applications Regularly?
Proactive cyber hygiene is a key component of any organisations security. Systems and applications which aren’t regularly updated and patched may be prone to becoming misconfigured, potentially causing vulnerabilities in your security perimeter. To ensure your environment is managed properly, inquire into how much experience they have in patching complex systems or managing systems substantially similar to your own. Additionally, ask if they use vulnerability scans on your system regularly and how they are informed of new patches/updates.
3. What Industry Certifications Do They Currently Hold?
An Important aspect that you need to pay attention to is the security governance framework your MSP adheres to. The baseline requirement you require to conduct business in Australia is alignment to the Australian Signals Directorate Essential 8.
- If your organisation processes credit card information, are they PCI DSS certified?
- If you’re looking to engage with corporate and fulfil government contracts are they aligned to Essential 8?
- If you are looking to / currently engage with European customers, is your MSP compliant with GDPR?
- If your organisation is engaging customers who are ISO 27001 certified, ensure the MSP can show alignment to ISO27001 or provide certification.
4. What Access Controls Does Your MSP Employ?
Entering into a contract with an MSP will grant them access to your systems and data. Ask about the personnel security rules and access restrictions they impose on individuals across their organisation. Do they have policies and controls in place for preventing unauthorized personnel from accessing your systems or data? How do they store client data and who has access to it? It is also highly recommended to be informed of and log which personnel have access to your data. Enquire around their knowledge and existing solutions to authenticate credentials and if they use password managers. MSPs generally use different processes to secure MFA such as Azure AD Multi-Factor Authentication, Auth0, Authy and more.
5. Do They Have An Information Security Policy (ISP)?
An Information Security Policy will outline the processes and rules for MSP staff members. This document dictates what is an acceptable use of data, client information, IT infrastructure and communication network within their organisation.
6. In The Event Your MSP Suffers A Serious Internal Failure, What Business Continuity Plans Do They Have In Place?
Business continuity plans outline and highlight ways an organisation will defend against cyber security and general IT risks. This document will show how an MSP plans to protect critical applications and data, whilst outlining what they have in place to recover essential functions after a breach or serious failure.
7. What Disaster Recovery Plans / Incident Management Plans Do They Have?
- Disaster recovery Plans are an essential organisational roadmap of restoring access and functionality to IT infrastructure, ensuring continuity of essential services that have been affected by natural disasters, cyber-attacks or other acts of God.
- Additionally every MSP should also have an Incident Response Plan, outlining a strategy for responding to and mitigating the after-effects of a cyber attack. Enquire how they plan to protect your sensitive/confidential data during a security incident, to ensure they will be able to control a potential breach.
8. What Policies And Procedures Do They Have In Place To Mitigate Supply Chain Risk?
Supply chain risk management is essential for any organisation outsourcing a specific IT function. This strategy is important when managing minimal risks like project delays, all the way up to serious risks such as if their software partner suffered a security breach. If the MSP uses vendors and/or IT partners to assist in managing your environment, ensure they have a strategy in place to reduce your vulnerability.
9. What Policies / Procedures Are In Place To Screen The Employees Handling Your Data?
To ensure whether an MSP is a secure choice for your organisation, we recommend enquiring about their employee and contractor screening process. To ensure the integrity of personnel managing your data, Inquire about how they hire staff and what background checks they run on current staff / new hires.