Managed Service Providers: How Secure Are Your Services?
The increasing use of cloud vendors and third-party providers has made advanced IT infrastructure and expertise available even to smaller organizations. It has also created an interconnected ecosystem of businesses, government agencies, utility firms and managed service providers (MSPs) that can potentially compromise security across multiple systems.
If you’re a managed service provider, it’s your responsibility to ensure that your systems are secure, that your partnerships are equally secure, and that you maintain continuing risk management and monitoring against all services.
What Are Your Responsibilities as an MSP?
We’re not going to make a specific claim about your business, since managed service providers currently offer products and services across almost every industry globally. Instead, we will focus on what it means to be an MSP in the 21st century.
First and foremost, you must understand how security breaches can impact you and your customers. Consider the following recent events:
- Audi: In 2019, the Volkswagen Group of America was notified by a technology vendor of a data breach that exposed the data of 3.3 million Audi customers to hackers. Exposed data include financial information related to loans and Social Security Numbers.
- Kaseya: A breach of the Kaseya monitoring and management software platform allowed for the launch of malware and ransomware against as many as 1,500 customers. The group responsible demanded $70M in Bitcoin to decrypt affected systems, and at least one business was forced to close entirely.
- Okta: In February 2022, identity and security firm Okta reported that it had suffered a breach related to a third-party customer support provider during the previous month. While the company has been tight-lipped about the full impact of the attack, they have raised customer ire by delaying the announcement of the breach for an entire month.
In each of these breaches, a third-party vendor either exposed customer data because of security issues or became a victim because of them.
The truth is that, due to the complex and interconnected nature of modern business technology, a security breach in one area can cause major issues with another company. Loss of data, phishing attacks or other hazards, even when they occur in seemingly innocuous places, can cause a domino effect that leads to a significant breach.
So, why is an MSP supposed to care about this more than any other business? A few reasons come immediately to mind:
- Ethics and Accountability: First and foremost, you have a duty to your clients or customers to protect their data and provide reasonable security, compliance and response measures. Organizations that hire MSPs count on those providers to support whatever business function they need without compromising their entire operation.
- Reputation: MSPs that can’t protect customer data will quickly lose their customers’ faith. A provider with a reputation for data loss isn’t going to find much work in an industry where handling data is part and parcel of the job description, and a managed service provider who has faced significant security issues has most likely also faced equally significant blowback. Such damage to your reputation could lead to lost business, a forced rebranding, or massive lawsuits and bankruptcy in extreme cases.
- Compliance and Penalties: Even if your MSP survives the customer blowback, it may not survive when regulators come investigating. MSPs in highly regulated industries like financial services, healthcare, payment processing or government service face strict and non-negotiable regulations, and breaches of those regulations can lead to thousands or even millions of dollars in fines, if not complete disbarment from service, depending on the severity of the security issue.
How Are You Monitoring Partner Relationships?
While it may seem like we are lecturing MSPs, the reality is that MSPs, like any other business, may also outsource critical business functions and face the same challenges that their customers face. By framing your best practices for vendor relationships self-reflectively, you can put yourself in your customers’ shoes to better supply secure infrastructure.
For example, have you considered the following best practices for dealing with third-party vendor security?
- Compliance: Many regulations and frameworks have clear requirements in place regarding vendor relationships. For example, HIPAA requires that all third-party vendors adhere to HIPAA in the same way their customers do and have a Business Associate Agreement to codify this requirement. Do you understand how industry regulations impact your vendor relationships, including your obligation to monitor those relationships and, in some places, the vendors themselves?
- Vendor Management: The discipline of vendor management has seen a huge upswing in the past few decades, due in no small part to the exploding network of MSPs and customers we discussed earlier. Vendor management suggests that your organization put basic controls in place to manage vendor partnerships, including regular contract reviews, ongoing monitoring and required reporting.
- Continuous Monitoring: According to several security models, most notably zero-trust architecture, no system is considered inherently secure. This is especially true for third-party systems outside your control. Continuous monitoring can be a powerful tool to manage security incidents and potential security gaps in real-time. Furthermore, continuous monitoring is often a requirement for industry regulations.
- Third-Party Risk Management: Working with third parties invites risk, which needs to be included in your overall security profile. Aligning security and business goals with potential risk allows you to better monitor vendors, align security and infrastructure, and more accurately assess those relationships.
Working With Dedicated Security Firms as an MSP
One of the best steps that your MSP organization can take is working with a trusted security partner. More so than for other businesses, having a security firm dedicated to audits, assessments and consulting can help you offload extensive security operations without sacrificing accuracy or effectiveness.
Continuum GRC is a cloud-based SaaS platform that powers advanced security assessments and audits across several frameworks and regulations. Continuum GRC ITAM is the only FedRAMP Authorized assessment solution globally, and we support consulting and audits across several prominent regulations.
Are You a Managed Service Provider Ready to Invest in Security?
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.