Is your managed service provider as secure as you think?
ARTICLE | October 14, 2022
Authored by RSM US LLP
It doesn’t matter what industry you are in, or how big your company is—the attacks never stop. Cyberthreats are constant, and they include everything from hackers trying to take over your systems through ransomware attacks to scam artists sending phishing emails.
Many companies hire managed service providers (MSPs) to handle their IT needs, but just because you have an MSP doesn’t mean that your security needs are covered. It is imperative to verify that your MSP is doing all it can to prevent a catastrophic attack on your IT system by taking a security-first mindset. Here are key steps to take and important factors to keep in mind when assessing how much protection your MSP is providing for your organization.
A dangerous assumption
Just a few years ago, cybersecurity for most companies consisted of little more than antivirus software and a basic firewall. Today, companies need a much stronger defense. As cyberattacks have increased in both frequency and sophistication, organizations can no longer sit back and hope that no one gains unauthorized access into their IT environment to unleash havoc. However, many companies simply do not have the internal resources to set up and maintain a powerful cybersecurity platform. Hiring and retaining a staff of qualified security professionals who will focus on cyberthreats is beyond the reach of most organizations.
An upsetting shock awaits those companies that just assume their MSP is handling their cybersecurity. The truth is that some MSPs focus only on IT operations. They work to support the users, make necessary upgrades, ensure the operability of the technology and, in general, keep the lights on. They may not view it as their job to monitor threats, identify gaps in protection or prevent attacks.
It’s important to verify that your contract with your MSP includes cybersecurity, and that you’ve defined what that protection looks like. You can start by asking if your MSP has top-tier cybersecurity professionals who offer security services, take a proactive approach to identifying security threats, and can respond quickly if necessary.
Do you need a managed security service provider (MSSP)?
If your MSP does not handle cybersecurity, you may need to consider hiring a managed security services provider (MSSP). These organizations specialize in security and provide 24/7 cybersecurity services.
Working with an MSSP could be the right solution, but some companies balk at the cost of hiring and managing another provider. While budgetary concerns are always relevant, it’s important to keep in mind that a serious data breach can be costly to repair and can irrevocably damage a company’s reputation. Regardless of whether you have one provider or two, the principles of cybersecurity are the same.
What about cyber insurance?
Some organizations may argue that obtaining cyber liability insurance is all the protection that they require. However, while cyber insurance can be a vital part of a company’s overall strategy, it is not a sufficient defense by itself. That’s like refusing to wear your seat belt and driving through red lights at top speed because you have car insurance.
Furthermore, cyber insurance is difficult to obtain in the first place if you are not taking well-established, documented steps to secure your environment and your users. Cyber liability insurance carriers are creating more requirements and conducting more thorough reviews of organizations before offering coverage. They want to make sure, understandably, that an organization is taking the necessary precautions to decrease the odds of a big claim being filed.
For all these reasons, many companies benefit from hiring an experienced provider that can focus on their cybersecurity needs.
Do your research
It’s one thing for your MSP to offer cybersecurity services. It’s another for your provider to actually deliver.
To verify that your MSP is itself secure, ask to see the firm’s latest SOC 2 audit report. This report details organizational controls related to security, availability, confidentiality, and other important functions. In addition, make sure that your MSP has policies and procedures that protect the operational aspect of its services. These include third-party certifications and details about how the MSP ensures the quality of its work.
Once you are satisfied that your MSP can handle your cybersecurity needs, the next step is to confirm your requirements. Perform a thorough gap analysis or, at the very least, undertake a one-time security baseline assessment. Your MSP should be skilled at identifying solutions for your situation.
Workflows and written procedures are essential, of course, but there are always intangibles that will decide if the engagement is a successful one. Foremost among these is good communication. An effective MSP should be in regular contact regarding the state of your IT environment, possible challenges, and technological innovations. Your MSP should make you aware of any potential security gaps and have a plan for addressing them.
The best defense is a strong offense
It is not enough for your MSP to simply monitor the cyber landscape. A provider that is not actively working to thwart cyberattacks could be putting your organization at risk.
In recent years, many companies have suffered major breaches that originated with their providers. Third-party cyber incidents have become both more common and more severe. Therefore, it is your responsibility to engage with your provider to identify how the MSP is part of the solution and not part of the problem.
At a minimum, your provider must ensure that your IT system’s most critical components are taken care of. Achieving that goal includes answering the following:
- Are software patches being applied?
- Is the company’s backup environment protected?
- Is the system set up to recover crucial data and functions if there is a breach?
- What about important concepts such as multifactor authentication, endpoint detection and response, unsupported software in your environment, and end-of-life software?
- Has there been a firewall rule review to make sure that all devices are configured properly?
- Is there risky ingress traffic from the internet?
- Are there unsupported systems?
- Is Active Directory hygiene being maintained?
- Has the company moved to the cloud to reduce its attack surface?
- Have you established formal governance—written information security policy, incident response plans, and so on?
- Have the recommended EDR solutions been discussed?
Those are just some of the key concepts that your MSP should be discussing with you during regular communications. If your MSP isn't at least broaching those conversations, it could be time to find a provider that will be proactive about keeping your company safe.
The human element
No matter how good your MSP is, there will always be one aspect beyond its direct control: your staff members. The number one threat vector is an employee who clicks on a malicious link in their email or web browser. All the technological barriers and advanced controls in the world will fail if an employee unwittingly introduces a virus or gives an intruder access to the system.
While your MSP can’t hover over staff members to prevent them from clicking on the wrong link, your provider can definitely provide training to minimize the chances of a breach. Your MSP should be willing to educate your employees on best practices and provide real-world examples of do’s and don’ts when it comes to cybersecurity.
In the end, the most critical piece of any organization's security posture is the human firewall. Your MSP should be more than just a behind-the-scenes firm that handles tech issues. Your provider needs to be an effective collaborator in ensuring that your company stays safe in the cyberworld.
This article was written by Corey Weeklund and Braden Daniels and originally appeared on 2022-10-14.
2022 RSM US LLP. All rights reserved.