In the modern computing environment, cybersecurity and compliance are probably top of mind for your business. Successful data breaches against businesses happen daily. You’ve no doubt already deployed good tools and processes to protect your business and manage your compliance, and you have engaged a Managed Services Provider (MSP) to help your business manage all things technology. But what about attacks targeted at your MSP?
Your MSP is a key part of your business. The MSP provides support for end users, handles patch management, provides consulting, and some even provide cybersecurity services. Essentially, an MSP keeps your business running. Because of the key role that MSPs play in any business, MSPs tend to have vast access to dozens, hundreds, or even thousands of client environments. With that vast access, MSPs are now a prime target for cybercriminals.
The United States Secret Service issued a notice in June of 2020 warning of increased attacks against MSPs. According to the Secret Service, “MSPs utilize multiple open source and enterprise software applications in the facilitation of remote administration. In the event of an MSP compromise, these applications are often used by bad actors to access their customer’s networks and conduct attacks. Cybercriminals are leveraging compromised MSPs to conduct a variety of attacks including point-of-sale intrusions, business email compromise (BEC), and specifically ransomware attacks.” The Secret Service also provides best practices for MSP clients to ensure the MSPs are secure.
Whether you are currently looking for an MSP, or want to know how your MSP compares, this 10-step evaluation will be a useful resource for you. Cybersecurity is a top priority for every business, and your MSP potentially represents the largest gap in your overall information security policy.
MSP Security Checklist
CHIPS has developed a checklist based on industry best practices to help you evaluate your MSP.
1. Information Technology Security Policy
Everything in business starts with a policy, and security is no exception. An Information Technology Security Policy is a set of rules that every user with access to data must follow, written to ensure the confidentiality, integrity, and availability of that data.
An information technology security policy should have clearly defined rules and procedures for all individuals accessing and using the MSP’s data. The document should be authored by a qualified professional and updated regularly.
Ask the MSP for a copy of their information technology security policy.
2. Security and Compliance Credentials
In the world of cybersecurity, credentials are important. It’s what separates qualified professionals from the rest.
An MSP should have at least one Certified Information Systems Security Professional (CISSP), or equivalent, on staff that maintains the MSP’s information technology security policy. The CISSP credential is an advanced credential and is viewed in the information security industry as the gold standard.
Without a qualified professional to manage the MSP’s information technology security policy, the policy is likely to be incomplete and might not address all security threats, potentially exposing you, as the client, to risk.
Ask the MSP for employee credentials.
3. Security and Compliance Certifications
Similar to employee credentials, company certifications validate that the MSP is qualified to manage a proper information technology security policy. The unfortunate reality is that there is no barrier to entry in the MSP world. Anyone can launch an MSP website tomorrow and start offering services, which is why company certifications are so important.
An MSP should at minimum maintain a current Service Organization Control (SOC) 2 Type II certification. The SOC 2 Type II certification demonstrates that an independent auditing firm has examined and tested the MSP’s controls for safeguarding client data. As a client of an MSP, you can use the SOC 2 Type II certification and report to evaluate the risks associated with the MSP. Without the SOC 2 Type II certification, there is no way to evaluate how the MSP protects your data.
Ask the MSP for certifications performed by a third party.
4. Incident Response Plan
Having an incident response plan is part of an overall information technology security policy. But it’s important enough to highlight separately, because there are two aspects to an incident response plan.
First: does the MSP have an internal incident response plan? The incident response plan is a set of procedures that an MSP must follow in the event of an incident, such as a breach of their network.
Critical aspects of an incident response plan include preparation; detection and analysis; containment, eradication, and recovery; and lastly, post-incident activity. Essentially, these aspects determine how prepared the MSP is for an incident, whether they have a process to remove the risk, and what happens afterward. The “what happens afterward” part is important because you, as the client, should be made aware of any incidents that occurred and of the action items needed to mitigate risks on your network.
The second aspect is whether the MSP helps you, as the client, manage your incident response plan. Is there a documented set of procedures that must be followed if you experience an incident, and will the MSP own the entire process, or will it be collaborative?
Ask the MSP for a copy of their incident response plan and ask if they manage client incident response plans.
5. Security Monitoring and Response
Your MSP is responsible for making your technology functional, and they are the eyes and ears of your network and security. But who is watching the watcher?
Security monitoring is a 24/7 operation, for you and for the MSP. New security events and threats trigger alarms every second worldwide. Some of these alarms are false, some go away, while some become a major threat. It is critical not only that an MSP offering security monitoring and response services has access to real-time threat intelligence, but also that they have the right resources on staff to filter out what is important and, if action is needed, to take it. Security monitoring and response consists of monitoring your endpoints, network, and cloud for threats; threats are monitored in real time and responded to. While the MSP might offer this service to you as a client, you need to make sure that the MSP has this service for their own organization. Any breach of the MSP is a breach of your business.
Ask the MSP if they are subscribed to a 24/7 security monitoring and response service.
6. Cyber Liability Insurance
Your business needs cyber liability insurance. In the event of a successful cyber-attack, your business will be insured for costs related to the data breach, business interruption, cyber extortion, and forensic and legal support. If you already have it, now is a good time to review your policy, as policies and coverages are changing as quickly as the cybersecurity landscape.
Your MSP is a business, just like yours, so they will also need cyber liability insurance. A big difference is that if an MSP is attacked, their clients will be affected too. The costs associated with any damage resulting from a cyber-attack will be many times higher than for a typical business, because the MSP’s clients will also be affected and will seek damages. The MSP will need to have the appropriate amount of coverage to remediate the attack for themselves and for their clients.
Ask the MSP for their cyber liability coverage details.
7. Risk Assessments
Risk assessments are a service used to identify risks within your business, your technology, and your processes, and to verify that there are controls in place to safeguard your network and resources. A risk assessment is not only good practice but also mandatory for compliance requirements.
Your MSP, like you, operates as a business. Just as it is important for you to perform periodic risk assessments, it is at least as important for your MSP, since they are the gatekeepers for access to their clients’ networks.
Within a risk assessment, every aspect of your business is reviewed, including the infrastructure, network, systems, applications, information security, and policies. The outcome of a risk assessment should clearly outline all potential risks within a business and provide an approach to remediation.
Penetration testing, vulnerability scanning, and social engineering testing are three critical components that are typically included in a risk assessment.
Penetration testing is a simulated attack on your computing environment. A qualified, ethical hacker typically plays the role of the attacker, and this person is usually a third-party provider or consultant. The attacker will use the same methods, tools, and information that a real cybercriminal will use to exploit your network. The goal of a penetration test is to find weaknesses in security so that they can be remediated before a real attacker finds them.
Vulnerability scanning is similar to a penetration test in that the goal is to find weaknesses in security. However, a vulnerability scan is usually performed from inside the network, and nothing is actually attacked. Someone, typically an employee of the business or your MSP, with the right knowledge of the technology assets and the right tools, can conduct a vulnerability scan. The weaknesses found by the vulnerability scan should be managed in a vulnerability management lifecycle plan.
For example, there are businesses that are running Windows 7, an operating system that is no longer supported. This is a known vulnerability, but the business might not be able to address this immediately. So this vulnerability will be added to a management plan to be addressed at a later date.
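The vulnerability management lifecycle plan described above, as an added example that is not part of the original post or CHIPS’s own tooling: scan findings (a constructed CSV export, not real scan data) are loaded into a register, each finding gets a remediation deadline from an assumed per-severity policy, a known weakness that cannot be fixed immediately (the Windows 7 case) is recorded as an accepted risk with a planned fix date, and the register reports what is open, deferred, overdue, or resolved on a given day. The asset names, severities, dates, and SLA values are all assumptions for illustration.

```python
"""Vulnerability management register: turn scan findings into a tracked plan.

Added example. Findings, asset names, dates and SLA values are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Union

# Remediation deadlines in days by severity. Assumed policy values; a real
# plan takes these from the organisation's own security policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scanner export, in the shape many scanners can produce as CSV.
SCAN_CSV = """asset,title,severity,detected
ws-fin-07,Unsupported operating system (Windows 7),critical,2021-01-15
srv-file-01,Missing vendor security patches,high,2021-03-01
srv-web-02,Weak TLS configuration,medium,2021-03-10
ws-hr-03,Outdated PDF reader,low,2021-02-01
"""


@dataclass
class Finding:
    asset: str
    title: str
    severity: str
    detected: date
    planned_fix: Optional[date] = None  # set when the risk is accepted for now
    resolved: Optional[date] = None

    def due(self) -> date:
        """Deadline: the accepted plan date if one exists, else detected + SLA."""
        if self.planned_fix is not None:
            return self.planned_fix
        return self.detected + timedelta(days=SLA_DAYS[self.severity])

    def status(self, today: date) -> str:
        if self.resolved is not None:
            return "resolved"
        if today > self.due():
            return "overdue"  # includes accepted risks whose plan date has passed
        if self.planned_fix is not None:
            return "deferred"
        return "open"


def _as_date(day: Union[date, str]) -> date:
    return day if isinstance(day, date) else date.fromisoformat(day)


def load_findings(csv_text: str) -> List[Finding]:
    """Parse a scanner CSV export; reject severities the policy does not define."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sev = row["severity"].strip().lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {sev!r} on {row['asset']}")
        findings.append(Finding(row["asset"], row["title"], sev,
                                date.fromisoformat(row["detected"])))
    return findings


def _find(findings: List[Finding], asset: str, title: str) -> Finding:
    for f in findings:
        if f.asset == asset and f.title == title:
            return f
    raise KeyError(f"no finding {title!r} on {asset}")


def accept_risk(findings: List[Finding], asset: str, title: str,
                planned_fix: Union[date, str]) -> Finding:
    """Record a deliberate deferral: the weakness stays tracked with a committed date."""
    f = _find(findings, asset, title)
    f.planned_fix = _as_date(planned_fix)
    return f


def mark_resolved(findings: List[Finding], asset: str, title: str,
                  when: Union[date, str]) -> Finding:
    f = _find(findings, asset, title)
    f.resolved = _as_date(when)
    return f


def summarize(findings: List[Finding], today: Union[date, str]) -> Dict[str, int]:
    """Count findings by lifecycle state as of `today`."""
    day = _as_date(today)
    counts = {"open": 0, "deferred": 0, "overdue": 0, "resolved": 0}
    for f in findings:
        counts[f.status(day)] += 1
    return counts


def overdue_report(findings: List[Finding], today: Union[date, str]) -> List[str]:
    """Items that missed their deadline, including expired risk acceptances."""
    day = _as_date(today)
    return [f"{f.asset}: {f.title} (due {f.due().isoformat()})"
            for f in findings if f.status(day) == "overdue"]


def build_example_register() -> List[Finding]:
    """The constructed register: Windows 7 deferred to a migration date, one item fixed."""
    findings = load_findings(SCAN_CSV)
    accept_risk(findings, "ws-fin-07",
                "Unsupported operating system (Windows 7)", "2021-06-30")
    mark_resolved(findings, "ws-hr-03", "Outdated PDF reader", "2021-02-20")
    return findings


if __name__ == "__main__":
    register = build_example_register()
    for day in ("2021-04-01", "2021-07-01"):
        print(day, summarize(register, day))
        for line in overdue_report(register, day):
            print("  OVERDUE", line)
```

The point of the second review date is the part a plan most often gets wrong: an accepted risk is not closed, it is deferred, and once its planned date passes without a resolution it shows up as overdue alongside everything else, so the exception has to be either actioned or consciously renewed.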
Social engineering testing has become one of the most critical aspects of penetration testing and risk assessments because most attacks start with an attack on an employee. Social engineering testing focuses on the people and the processes in your business and is typically performed by a third party such as your MSP. While there are many types of social engineering attacks, we will focus on phishing.
Phishing is an attempt by an attacker to trick an email recipient into believing that the message they are receiving is legitimate; the message asks them to take some type of action, such as entering their credentials into a malicious website. Once the attacker has the information, they can then attack the business.
Phishing tests are simulated attacks against employees of your business without their knowledge. The employee will receive an email similar to one they would get from an attacker. How the employee handles the email will dictate the type of training they receive, and all results can be reported. It is recommended that phishing tests be done regularly so employees can benefit from training reinforcement.
Ask the MSP if they perform risk assessments regularly.
8. Security Awareness Training
Security awareness training provides your employees with structured cybersecurity education to prevent attacks, specifically social engineering attacks.
The structure is typically provided via an online portal, with courses assigned to employees, and their progress is tracked and reported.
Just like in your business, security awareness training is important for the MSP.
However, with an MSP, it’s even more critical because a social engineering attack can be used to gain access to your network. For example, let’s say an attacker attempts to call into the MSP and pretend to be an employee of your business, and requests to have a user password reset. That’s all it takes for your network to be compromised.
Ask the MSP for details on their security awareness training.
9. Security Tools
There are many tools, software packages, and services available to protect businesses. In addition to the services identified in this post, some of the other most impactful tools include multi-factor authentication, next-gen anti-virus, and mobile device management. While your MSP may provide these services to you, are they requiring their own employees to use the same tools to protect the MSP’s network? For example, is every tool that they use protected by multi-factor authentication?
Ask the MSP for details on the security tools they use to protect their business.
10. Client References
This one is obvious and should be on any vendor selection checklist. When evaluating cybersecurity, make sure to ask the MSP for client references that are subscribed to the MSP’s security and compliance offerings.
When speaking with the reference, get a sense of how long the MSP has been providing security and compliance services, and also the MSP’s involvement. For example, is the MSP helping its clients create and execute a security and compliance strategy?
Ask the MSP for references related to security and compliance.
We hope that you can incorporate this guide into your MSP evaluation process. The next step in using this guide is to make it part of a periodic review. It can also be used for third-party suppliers that are not MSPs, for example software, voice, and copier providers.