Many businesses outsource the management of IT and network resources to managed service providers (MSPs), and some use managed security service providers (MSSPs), as well. These are important partners, but they can introduce risk, too, since they can serve as the launching platform for attacks into customer systems.
Attackers often target MSPs/MSSPs since compromising their networks can potentially net them access to multiple businesses. If an attacker can compromise a business network, it can then move into critical systems, learn workflows, and, ultimately, steal money or valuable information such as credit card data.
Ransomware is another preferred method of attack. And attackers can negatively impact customer experience, create system downtime, or cause the business to shut down operations temporarily.
Building Trust
Attacks via trusted partners that have privileged access to your resources can qualify as insider threats, the same as threats from employees. To build trust, first look at your MSP/MSSP agreements. If they contain goals, be aware: They’re not enforceable. What you need are concrete, measurable statements.
That said, credits for problems may look good on paper, but they’ll probably do little to cover the costs of an attack. In some cases, I’ve found that the customer’s work to report and verify the attack costs more than the credits, discouraging the reporting process entirely.
You need to review the security processes of the MSP/MSSP and compare them to what you would do internally on your own. The MSP/MSSP’s processes should be better than what you would implement. Look into the experiences of an MSP/MSSP and how it has prevented or mitigated attacks for other customers. If an MSP/MSSP will not share this information with you, ask why. You don’t need to know the identity of the customer attacked, but you should know what happened and how the MSP/MSSP responded.
Limiting Damages
Using an MSP/MSSP doesn’t absolve your organization from security responsibilities. Ensure that your users are familiar with security processes and procedures and that they understand that security is their responsibility. Provide training — and don’t forget contract workers. Contractors can be another weakness in your security posture.
As I
mentioned previously, make sure you’ve properly secured your privileged access super users. Don’t assume they do everything right; they can make mistakes or be negligent — especially when they’re overworked. Ensure that your MSP/MSSP is following your privileged access policies and procedures, and that you can get a full audit of the provider’s actions. Staff turnover, illnesses, and new employees may open security holes.
Keep your service-level agreement current. Analyze what the SLA does and doesn’t cover — you may discover that some security holes don’t fall under the SLA’s purview. Every time your provider updates the SLA, look at the changed provisions. They may not favor your business. This means that you’ll probably have to provide some of your own security solutions because the SLA doesn’t cover everything you want.
The MSP/MSSP should audit its performance and formally report the results. The audit should cover the business’s employees, consultants, contractors, vendors, and service providers. The MSP/MSSP may not be able to enforce security procedures on everyone, but it should be able to report on weaknesses discovered. In addition, the MSP/MSSP should regularly scan for security vulnerabilities and report the results, as I’ve written in the post, “
Network Analytics: Checklist for Failure.” When vulnerabilities are discovered, the MSP/MSSP should provide a report of the actions taken to mitigate the vulnerabilities.
The security landscape is constantly changing. As customers protect themselves, attackers develop new methods of attack. Fixing identified vulnerabilities fast will reduce the possibility of attacks, whereas waiting for a convenient time will leave your business open to attack.