MSPs as a Cyber Security Risk

Is your MSP a security risk? If you're an MSP, do you have cyber security vulnerabilities that put your clients at risk?

It seems like a strange question, right? We think of the Managed Service Provider (MSP) as part of our cyber security solution, not part of the problem. And indeed, MSPs are part of your security solution. But that doesn't mean we can ignore the cyber security risks of these service providers. In fact, your MSP may be among the most important suppliers to analyze for risk, to ensure they are not themselves a vulnerability. They manage your network. They have unique IT privileges and access. If they have a cyber security incident, how does that translate into your cyber security?

This is increasingly important, as bad actors know that breaching an MSP may be a path into dozens of its clients. Strike once, ransom many. To keep you and your data safe, MSPs need to employ cyber security plans at least as rigorous as your own.

A key part of a cyber security plan is the vendor risk management program. In this program, we assess the vulnerability of our key suppliers to minimize the risk of one of them being the source of a cyber security breach. Just as we increasingly see security questionnaires as part of our RFPs, it's time we apply the same rigor to our MSP.

Here's an interesting article that advances 21 questions you should be asking your MSP. Below are the summary questions, though the full article goes into more detail on each.

1. Is the security program based on a publicly vetted framework?

2. Is an internal Information Security Officer designated?

3. Request a copy of the information security plan (under NDA).

4. How are clients’ compliance requirements supported?

5. Is work subcontracted? How are contractors bound?

6. What background checks are conducted?

7. If you have export control requirements, are all staff US Persons?

8. Do employees have cybersecurity credentials such as CISSP or CISM?

9. What security technologies are employed on internal systems and infrastructure?

10. How is risk assessed and managed?

11. Where is client data stored – examine network diagrams, configurations, and knowledge base articles.

12. Are regular vulnerability scans of its environment done?

13. How are configuration changes managed?

14. How do they manage access to your environment?

    Review infrastructure, location, responsibilities, vendor relationships, access controls and data segmentation among clients.

15. What are practices for managing privileged account credentials, private keys, and other secrets?

16. Are access logs of remote connections to their clients’ networks retained?

17. Is a security operations center (SOC) maintained or sub-contracted?

18. What are the backup and recovery strategies, not just for your business, but for theirs?

19. Are security controls routinely tested (e.g., penetration testing, red teaming, security controls validation)?

20. Are they prepared to respond to security incidents with a deliberate, written and tested plan? Request details of the incident response plan.

21. Are third-party services retained to respond to a breach of its own systems or client systems?