By some estimates, more than two-thirds of all businesses in the U.S. work with a managed services provider (MSP) to improve the efficiency, reliability and security of their critical IT operations. As technology environments become more complex, the demand for these services continues to build — analysts are predicting the market will grow by nearly 75 percent over the next five years.
Not all providers are of equal ability, however.
The industry arose in the 1990s primarily to fill a need for on-demand break/fix services, and scores of MSPs haven’t progressed much beyond that over the years. Many others have attempted to expand their reach without adequately investing in the training, processes and technologies required to manage today’s complex environments. Those shortcomings are beginning to show.
At Verteks, we’ve seen an increase in clients who became frustrated with their previous provider. Most became unhappy with the service delivery, eventually concluding that the provider didn’t have the skills or resources to meet their requirements. Some, however, have expressed concerns about MSP security, particularly in light of recent reports that hackers are infiltrating MSP networks in order to launch ransomware attacks against their customers.
It’s difficult to imagine how you could sustain a good relationship with an MSP that doesn’t adhere to industry-standard security practices. Trust is an essential part of any managed services arrangement. You need a partner who understands your business, is qualified to meet your needs and can demonstrate a well-defined cybersecurity environment.
Here are a few questions you should ask about any potential service provider to help you determine their commitment to security:
How do they secure their environment? Reputable MSPs have multiple levels of security to protect your systems and data. Check to see if they use virus and spam prevention, intrusion detection, encryption, access controls, next-generation firewalls and other measures. Ask to see their disaster recovery plans and their plans for responding to data breaches or other security incidents.
Do they comply with industry standards? SOC 2 defines “trust principles” for tech companies and service providers that store confidential information. The standard requires that providers establish and follow strict information security policies and procedures. Additionally, MSPs should comply with the SSAE-16 auditing standard, which stipulates that data centers, colocation facilities and MSPs are responsible for ensuring the security of customer systems.
Do they evaluate their security measures? Risk assessments and security audits are essential to a solid security environment. Because cyber threats are continually evolving, MSPs should regularly review their current security posture. Ask for details about how and when they conduct such assessments.
How do they identify threats? MSPs should continually monitor their own systems to identify any unauthorized activity, and they should regularly review access logs of remote connections to their clients’ networks to spot anything suspicious.
Are they self-sufficient? Many smaller MSPs don’t have their own network operations center (NOC), so they outsource some elements of their services to local or offshore providers. That doesn’t necessarily mean they aren’t qualified, but it should prompt additional due diligence on your part. Ask them to detail exactly what services will be outsourced, to whom and where their partners are located. You also need to know what service level agreements and other contractual arrangements are in place to ensure the security of your data.
Managed services arrangements deliver substantial benefits for organizations, but providers must maintain a strong security focus to protect their clients’ data, apps and systems. Verteks has invested in the internal tools, controls and certifications to provide the most secure environment possible. Give us a call to learn more.