Guy Lloyd at CySure has warned that there has been a noticeable rise in cyber attacks on managed service providers.
In his report, entitled “SMEs: Cybersecurity questions to ask your MSP”, Lloyd said hackers were infiltrating MSP networks, enticed by the chance to victimise multiple companies with just one hack.
Cybercriminals have identified MSPs as a high-value target and are systematically carrying out attacks. Typically, MSPs have access to the systems of multiple customers, enabling hackers to launch malicious attacks on many organisations with just one hack. The research showed that 74 per cent of MSPs have suffered at least one cyber-attack, with 83 per cent reporting that their SME customers have experienced an attack.
“With MSPs now in the spotlight as an entry point, SMEs need to start asking some hard questions to ensure the risks are managed”, Lloyd said.
He said managed service providers should have a security governance framework. For example, any SMEs operating in the EU will require an MSP to comply with the General Data Protection Regulation (GDPR).
“Equally, if HIPAA or PCI DSS are important to your business, your MSP should be able to prove it has the tools and certifications to meet with the legal requirements of the regulation. Any technical controls deployed outside of this framework will be fundamentally undermined, so SMEs should check what framework the MSP is adhering to and that it meets their needs”, he wrote.
Services offered by an MSP need to be designed and developed with security in mind. The services should be able to identify and mitigate security threats. Solution offerings that do not have security built-in may be vulnerable to threats which could compromise an organisation’s data, cause loss of service or enable other malicious activity.
Lloyd said where MSP employees have access to systems and data, it is vital to have a high degree of confidence in their knowledge, expertise and trustworthiness.
“Ask questions about your MSP’s screening process. Check what audit processes they have in place to ensure only authorised personnel have access to your systems. People are the first and best line of defence when security trained, so check what your MSP’s policy is on training their staff. These steps reduce the likelihood of accidental or malicious compromise by internal personnel.”
He said the fundamental cornerstone of good security was good cyber hygiene. Systems that use default passwords, are not patched regularly, or are misconfigured, often become compromised.
“SMEs need to check with their MSP that the service is operated and managed securely in order to impede, detect or prevent attacks. Good cyber hygiene is about getting the basics right and performing them regularly. A good MSP should be able to demonstrate they are carrying out these tasks regularly and keeping your systems secure”, Lloyd said.
Under GDPR, data controllers are responsible for their own compliance as well as that of any third-party processors. The fact that an MSP is handling data does not absolve SMEs from responsibility in the event of a breach. The MSP should be able to evidence that its supply chain satisfactorily supports all of the security principles which the service claims to implement. Mistakes can be costly: SMEs should ensure their MSP has appropriate technical and organisational measures in place or risk falling foul of GDPR and incurring a hefty fine, he said.
Managed service providers can help an SME accelerate its business growth – if there is a good fit and the relationship is handled properly. “However, it is important to understand that outsourcing your IT doesn’t mean handing over the reins to external experts and being absolved of all responsibility. It is the responsibility of the SME to ensure their MSP has data security credentials which stand up to scrutiny in the event of a data breach. When choosing a dependable MSP, you’re investing in the stability of your business, so it’s worth doing the research and asking the right questions.”