How to Ensure Your Managed Service Provider is Secure
"How secure is my network?" It's a question most of us in the tech industry hear all the time. But, what we don't hear often enough are business owners asking, "How secure is my managed service provider (MSP)?"
Think about it. Your MSP has access to massive amounts of sensitive data, not just yours, but others like you, too. They're prime targets for would-be hackers. And while you might like to think that they are impervious to attack, that's simply not true. It might be a rare occurrence, but the impact can be devastating.
Last year, it was reported that Kaseya, a firm providing IT management software for MSPs, was hit with ransomware which consequently impacted 1,500 businesses. The attack targeted the company's remote device management software, which was then used to spread ransomware to customers. Thankfully, the company was able to react quickly and shut it down before things got worse.
If there's one lesson you should glean from that story, it's that you should be more careful when choosing the right provider. If an MSP is pressing you to sign on for their cybersecurity, it's vital to be more discerning of what they're offering. That's because if they're offering you advanced cybersecurity solutions, they are most likely to implement those for themselves as well.
But how do you find out if an MSP is offering quality cybersecurity services?
At ITS, hundreds of businesses have partnered with us to manage their technology and ensure their data is secure. We've been doing it for almost 20 years. For this article, we had a chat with Kyle Ramirez, our Technical Sales Engineer from ITS San Francisco so he can share his insights on how to ensure your MSP is secure.
Ways to Ensure An MSP is Secure
Many MSPs offer some form of cybersecurity. Unfortunately, not all MSPs are the same when it comes to security. That's because different businesses have unique security requirements. There's no cookie-cutter solution to defend against cyber attacks. To help you figure out whether a firm is up to the task, take a look at some ways to ensure that an MSP is secure:
Look Beyond Credentials
It's easy to look up a company's credentials. Just bring up their website, and it's bound to be displayed prominently on the first page. While credentials are indeed important, it shouldn't be the end-all, be-all of your search.
According to Ramirez, a company might show you certifications showing that they meet certain qualifications. Unfortunately, "it's very easy to pass a test but not have the experience to apply it properly," he said candidly.
Instead of taking certifications at face value, it would be better to check the firm's track record. If possible, try to find out if they've been involved with any cyber incidents, how they handled it, and what they learned from it. Ask what types of industries they serve, how long they've been providing support for businesses in sectors similar to yours, etc. Discussions like that can give you information that will guide your decision.
That brings us to the next method, which is engaging them in a conversation.
Have a Conversation
Having a meaningful conversation is a useful way of probing a company. "Have a conversation with them," Ramirez answered when asked how to determine the credentials of an MSP. "A conversation is going to be much more powerful than a security document," Ramirez stated.
Setting up a quick chat with an MSP might seem easy enough, but it's not quite so simple. Salespeople will do what they do best, and that's to gain your favor. Ramirez cautions that you should be wary of such conversations. "The right salesperson can tell you what you want to hear, but maybe they're not able to back it up," he warned.
According to Ramirez, you can avoid falling for sales talk and jargon by making sure someone on your side knows about the technical aspect of the conversation. "The best way to discern the credentials of an MSP is to have another person who knows about technology talk about technology," he advised.
"I think tech people who understand both the technical and the risk management portion will very quickly determine whether an MSP knows what they're talking about," the ITS partner explained.
Ask the Right Questions
It's vital to probe an MSP about how they will provide security for your business. For that, you need to ask the right questions.
"You can ask them [if there are] any frameworks or compliance structures that [they] align to. Things like the NIST (National Institute of Standards and Technology) cybersecurity framework or the CIS (Center for Internet Security) critical security controls are good answers. [If they] try to align to those structures, then you know they're not making it up as they go along," Ramirez said.
Another line of questions you should definitely ask is what's their security strategy. "Most MSPs won't tell you what tools they're using, but you can ask them their strategies," Ramirez stated. "And an example of a good security strategy is a layered defense. So if they answer: 'we're going to identify the areas and work to build layers of defense. That's a good answer," he explained.
Tailored Solutions Over Shelfware
According to Ramirez, if an MSP comes to the discussion already prepared with tools and solutions, then that should be a red flag. It could indicate that you're getting a cookie-cutter solution.
"You want an MSP that says: we're going to learn about you and we're going to ask questions, and we're going to get to know each other. And then, we're going to determine together what the right pathway is for your business," he stated. "So try to avoid people who pretend to know all the answers because the answers only come about when you collaborate," he advised.
Ramirez also cautioned against MSPs touting their shelfware. Shelfware was coined as something you buy off the shelf and use without any management or optimization. Unfortunately, you can't use shelfware for cybersecurity and expect it to be effective.
"So if any MSP thinks that just because they have the right tool, they're going to be able to protect your environment; It doesn't work that way," he stated. "Just because you have a hammer, it doesn't mean you're going to build up a good house," added Ramirez.
Ready to Find a Secure MSP?
It might take more effort to find a secure MSP, but that's far better than undertaking the risk. An MSP has control over your network environment. If their network isn't secure, neither is yours. Make sure you take these few extra steps to establish whether a firm is up to the task of keeping your business safe.
At ITS, we've spent almost 20 years helping our clients bolster their cybersecurity efforts. From our experience, the only way we can provide quality security solutions for our clients is by implementing them for ourselves.
Want to learn more about getting cybersecurity solutions for your business? Check out our article on the Cost of Cybersecurity.