Make Sure Your MSP Isn’t Your Security Achilles’ Heel

While you might think your security is top-notch, are you sure your Managed Service Provider's (MSP) is too? In a recent advisory note, the 'Five Eyes' intelligence alliance (UK, Australia, Canada, New Zealand and the United States) reported an increase in hostile cyber activities targeting MSPs. They urged MSPs to harden their cyber security practices.

The report highlights that downstream risks to clients are likely to occur when an MSP falls victim to cyber vulnerabilities, which could result in an eye-opening digital supply chain attack.  
 
MSPs are vulnerable as hackers use the logic that if they attack, and successfully gain access to an MSP, they will get access to dozens or hundreds of customers. A high-profile supply chain cyber attack involved SolarWinds, a provider of IT management software back in December 2020. The attack involved malware, which spread around some of SolarWinds’ customers via their normal software update. Customers targeted included US Government agencies. A ransomware attack on US MSP Kaseya last year also affected up to 1,500 of its customers. And this year, targeting MSPs resulted in a cyber attack that caused the outage of the NHS 111 service
 
Whilst the ‘Five Eyes’ advisory caught headlines as a lesson on hardening cyber security best practices, there's a strong message that businesses using MSPs must make sure they pick the ones leading by example.  
 
Research by the Department for Digital, Culture, Media and Sport (DCMS) shows only 12% of organisations review the cyber security risks coming from their immediate suppliers. Only one in 20 firms (5%) address the vulnerabilities in their wider supply chain. 
 
The ‘Five Eyes’ advisory makes it clear that MSPs are under increasing attack and need to set an example of what cyber security should look like from the inside out.  So, how can companies assess the cyber security practices of their MSP to ensure they don’t become their security Achille's Heel?  
 
Here are the seven traits you need to identify to be sure your MSP has a strong security stance:  
 
1. Compliance.      MSPs are now being viewed as essential service providers by the UK Government. As a result, its Network and Information Systems (NIS) regulations is now being extended to MSPs. This means that essential service providers will be required to undertake risk assessments and put in place reasonable and proportionate security measures to protect their networks. They must report significant incidents and have plans to ensure they quickly recover from them. Although strict adherence to the Government regulations will soon be a minimum requirement, you should look for MSPs that can also demonstrate best practice in this area. Certification to a benchmarked standard such as ISO 2001 for information security and ISO 27032 for improving the state of cyber security is one of the best ways to tell that the cyber security plans of your MSP meet the industry standard. 

2. CIS Benchmarking.      The Center of Internet Security (CIS) has developed CIS Benchmarks, a set of globally recognised best practices to help security practitioners implement and manage cyber security defences. They exist to help organisations improve their cyber defence capabilities.  
 
CIS also controls the map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others. 
 
3. Depth of knowledge of security issues and tools.     There are a bewildering number of options when it comes to security tools for businesses, but an MSP should have a good understanding of your business and the security issues you face in order to evaluate your needs. Tools can be categorised as:     

  • Email management: To protect against spam, malware, ransomware and identity spoofing and they should also offer encryption, archiving or advanced threat protection.  
  • Advanced Endpoint Protection: This exists to satisfy the needs of a remote workforce and variety of end-user environments. As well as antivirus software, an MSP should also be able to recommend Endpoint Detection and Response (EDR) to identify suspicious system behaviour, block malicious activity and recommend action to restore affected systems.  
  • Web filtering: This includes the use of the Domain Name System to block malicious websites and unsafe content. This can help organisations control what websites employees are using and reduce likelihood of phishing attacks and malware.   
  • Managed Detection and Response (MDR) is a 24/7 threat detection and response offering to protect online operations.     
  • Penetration testing: An MSP should be able to offer you the expertise to carry out advanced pen testing; simulating a cyberattack so that you can better understand the vulnerabilities within your organisation’s infrastructure. 
  • Phishing prevention: Enhancing employee awareness around phishing attacks could be your organisation’s best line of defence. An MSP should be able to understand the specific needs of your organisation and deploy, manage, optimise and leverage security awareness training and phishing simulation techniques to meet them.  

4. The ability to connect the dots between disparate tools and skillsets.    A large, disconnected toolkit doesn’t win security battles. Having the expertise to deliver cutting-edge threat detection, response and resolution is how modern enterprises can reduce cyber security risks. An MSP should be able to bridge security gaps and vulnerabilities and offer access to advanced technology and skilled resources. 
 
5. Security that doesn't sleep (i.e. it's 24/7 or "always on" and alerted).     To identify problems before they even occur, an MSP should be able to demonstrate round the clock security provision for your business. The benefit of having an MSP handle your security is that they are free from distraction so they can focus their time and energy on finding indications of threat or compromise. Your partner should be able to demonstrate its ability to continuously monitor for anomalies to ensure risks are reduced and your business is safeguarded. 
 
6. Layering of appropriate technologies (and taking a tech-neutral approach for best outcomes).     A vendor and technology neutral MSP model - in which the MSP prioritises outcomes above a technology vendor - means that they can focus solely on putting the best interests of your business first. Apply a degree of caution to any MSP that is attempting to drive spend towards one service provider more than any others.   
 
7. Value-add versus simple reselling.
     It’s important to review how much value your MSP will provide you as a business. This isn’t simply to do with price or service – although both are important – but it applies to the impact and relationship that it offers you as a trusted partner.  
 
Can your MSP report to you in metrics that matter to you as a business? For example, can it demonstrate the percentage of downtime it’s preventing or the number of malware attacks its tools are preventing at the weekends or late at night?

For an MSP to add value, they need to understand your specific requirements and get ‘under the skin’ of the business.  
 
Your MSP should be able to proactively recommend cyber security services from a full portfolio without leaving gaps or vulnerabilities in your overall security posture. For example, a security solution stack should provide a first and last line of defence, as much as route to recovery in the event of a breach.

The big question is, does your MSP have the skills and resources available to make sure you win key security battles?  By working with the right MSP, you can not only maintain a strong security posture as a business, but also demonstrate to customers that you take the management of third-party risk seriously.  

Leyton Jefferies is Head of Cyber Security Services at CSI Ltd 

You Might Also Read:  

How To Outsmart Increasingly Complex Cyber Attacks:

 

« US Military Involved In Ukraine's Cyber Defences
Artificial Intelligence & Its Impact On Cyber Security »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

baramundi software

baramundi software

baramundi software AG provides companies and organizations with efficient, secure, and cross-platform management of workstation environments.

Mimecast

Mimecast

Mimecast delivers cloud-based email management for Microsoft Exchange and Microsoft Office 365 including archiving, continuity and security.

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) - Japan

NISC was established as a secretariat of the Cybersecurity Strategy Headquarters in collaboration with the public and private sectors to create a "free, fair and secure cyberspace" in Japan.

Lacework

Lacework

Lacework brings speed, scale, and automation to cloud security and allows security and DevOps teams to collaborate on keeping data and applications safe.

NXO France

NXO France

NXO is an independent leader in the integration and management of digital workflows with services covering digital infrastructures, communications & collaboration, and security.

Absolute IT Asset Disposals

Absolute IT Asset Disposals

Absolute IT Asset Disposals is an IT asset disposal (ITAD) company providing safe and secure recycling of IT assets.

Seccuri

Seccuri

Seccuri is a unique global cybersecurity talent tech platform. Use our specialized AI algorithm to grow and improve the cybersecurity workforce.

Cyber7

Cyber7

CYBER7 is a National Cyber Security Innovation community initiated by Israel National Cyber Directorate, Ministry of Economy and Israel Innovation Authority led by Tech7 – Venture Studio.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

Hexens

Hexens

Hexens introduces a whole new approach to cybersecurity solutions. Indisputable skills and a unique super-focused perspective on every single case are the values we create.

Securadin

Securadin

Securadin - Defending Your Data Security. We will assist you in learning how to maintain the confidentiality, integrity, and availability of your organization's assets.

Conceal

Conceal

Conceal’s mission is to stop ransomware and credential theft for companies of all sizes by developing innovative solutions that provide social engineering protection in any browser.

Leo CybSec

Leo CybSec

Leo CybSec unites a group of Cyber Security experts with 20+ years of collective expertise to help our clients realise and mitigate the cyber challenges and risks facing their business.

SyberFort

SyberFort

SyberFort offers a suite of SAAS-based platforms designed to fortify your digital defenses including Threat Intelligence and Brand Protection.

Mantodea Security

Mantodea Security

Mantodea Security is an industry-agnostic powerhouse backed by extensive experience and expertise in the realm of IT security.

Dryad Global

Dryad Global

Dryad Global offers a comprehensive suite of maritime intelligence solutions, including a best-in-class situational awareness, planning and security system and industry-leading cyber protection tools.