Compromised managed services providers create a threat to their customers.
Managed services providers (MSPs) help protect their customers from cyberthreats with advanced security solutions such as remote monitoring, endpoint protection, risk assessments, patch management and more. In some instances, however, a poorly secured MSP becomes the very path by which attackers reach its customers.
Law enforcement officials warn that cybercriminals are stepping up their attacks on MSPs in an effort to create gateways into their clients’ systems. They say malicious actors can use a compromised MSP monitoring platform as a springboard for launching phishing, ransomware and botnet attacks.
“IT service providers generally have direct and unfettered access to their customers’ networks and may store customer data on their own internal infrastructure,” the Department of Homeland Security noted in an alert. “A compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.”
That’s why it’s critically important to evaluate the security of an MSP. Best-in-class providers use highly secure technology tools and follow industry best practices rigorously to protect their customers’ environments.
A Matter of Trust
Because a single MSP may have hundreds of customers, a compromised provider gives malicious actors a platform for conducting large-scale attacks that infect multiple companies. That allows criminals to launch so-called “buffalo jump” attacks in which an MSP and all of its customers are simultaneously ransomed. The most notorious example of this type of attack occurred in 2019 when a malicious actor used a compromised MSP to launch concurrent ransomware attacks on 22 different Texas towns, causing a reported $12 million in damages.
In some instances, MSPs have been compromised because they failed to install security patches or other updates to their third-party remote management tools. That is a shortcoming that can really undermine trust in a partner who has privileged access to the company’s most sensitive resources. Ask specifically how quickly the provider applies vendor patches to its remote monitoring and management (RMM) and remote-access tooling, and whether administrative access to those tools requires multi-factor authentication; those tools are the most direct route into every customer the MSP manages. It’s difficult to sustain a good relationship with an MSP that doesn’t adhere to industry-standard security practices.
What to Look For
If an MSP is providing security services, it’s fair to ask what steps they are taking to ensure their own security. When evaluating a potential provider partner, here are a few questions companies should ask to determine the provider’s commitment to security:
- How do they secure their environment? Reputable providers will have multiple levels of security. Check to see if they use virus and spam prevention, intrusion detection, encryption, multi-factor authentication and least-privilege access controls, next-generation firewalls and other measures. Ask to see their disaster recovery plans and their plans for responding to data breaches or other security incidents, including how they would notify you if their own environment were compromised.
- Do they comply with industry standards? SOC 2 is an AICPA attestation framework for service organizations that store or process customer data; an independent auditor examines the provider’s controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy). A SOC 2 Type II report, which covers how the controls operated over a period of months rather than on a single day, is the one to ask for. SSAE 16 (superseded by SSAE 18 in 2017) is the auditing standard under which SOC reports are issued, not a separate standard for physical and environmental security, so treat “SSAE 16 compliant” as a claim to verify by reading the actual report, its scope and any exceptions the auditor noted.
- Are they certified? The MSPAlliance is an international consortium of MSPs that establishes certain standards for providers. Two key certifications — MSP Verify and Cyber Verify — signify that providers meet essential control objectives for IT governance, cybersecurity, physical security, confidentiality, privacy, data management and more.
- Do they evaluate their security measures? Risk assessments and security audits are essential to a solid security environment. Because cyber threats are continually evolving, MSPs can’t understand their risk exposure unless they regularly review their current security posture.
- How do they identify threats? MSPs should continually monitor their own systems to identify any unauthorized activity, and they should also regularly review access logs of remote connections to their clients’ networks to spot anything suspicious.
- Are they self-sufficient? Many smaller MSPs don’t actually have their own network operations center (NOC), so they outsource some elements of their services to local or offshore providers. That doesn’t necessarily mean they are unqualified, but it should prompt additional due diligence: ask who those subcontractors are and what access they hold, since the same cascading risk applies one tier further down.
- Are they insured? MSPs should have cybersecurity liability insurance to protect customers. Cyber insurance policies commonly cover business losses, ransomware payments, investigation and remediation costs, and may also cover third-party liability claims stemming from a security incident. Coverage, limits and exclusions vary widely by policy, so ask to see what is actually covered rather than relying on the fact that a policy exists.
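The log-review point above, combined with the fan-out pattern described under “A Matter of Trust” (one compromised MSP account reaching many customers at once), can be turned into a concrete check. The following is an added example, not code from the original article or from any MSP product: it parses a small set of constructed remote-access log lines (the format, the account names, the IP addresses and the thresholds are all assumptions made for illustration) and flags two things, a single account opening sessions into an unusually large number of distinct customer networks inside a short window, and sessions started outside normal working hours.

```python
"""Added example (not from the original article): a small detector for MSP
remote-access logs.  Flags (a) one MSP account fanning out into many distinct
customer networks inside a short window, the pattern behind MSP-to-customer
mass compromise, and (b) sessions that start outside the account's normal
hours.  The log format and all thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format):
#   <ISO-8601 UTC timestamp> <msp account> <source ip> <customer tenant>
SAMPLE_LOG = """\
2019-08-16T09:02:11Z tech.alice 203.0.113.10 customer-017
2019-08-16T09:40:53Z tech.alice 203.0.113.10 customer-017
2019-08-16T11:05:30Z tech.alice 203.0.113.10 customer-021
2019-08-16T14:15:02Z tech.bob 203.0.113.11 customer-003
2019-08-16T02:31:07Z svc.rmm 198.51.100.7 customer-001
2019-08-16T02:31:09Z svc.rmm 198.51.100.7 customer-002
2019-08-16T02:31:12Z svc.rmm 198.51.100.7 customer-003
2019-08-16T02:31:14Z svc.rmm 198.51.100.7 customer-004
2019-08-16T02:31:15Z svc.rmm 198.51.100.7 customer-005
2019-08-16T02:31:18Z svc.rmm 198.51.100.7 customer-006
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of record dicts.
    Malformed lines are skipped rather than crashing the review."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, account, src_ip, tenant = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "src_ip": src_ip,
            "tenant": tenant,
        })
    return records


def detect_fan_out(records, window=timedelta(minutes=10), max_tenants=5):
    """Return {account: sorted tenant list} for every account that reached
    at least `max_tenants` distinct customer networks within any single
    `window`.  A technician working one ticket at a time never looks like
    this; a stolen RMM credential being used to push a payload does."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r["account"]].append(r)

    alerts = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["ts"])
        worst = set()
        # Slide a window starting at each session; keep the largest tenant set.
        for i, start in enumerate(recs):
            tenants = {r["tenant"] for r in recs[i:]
                       if r["ts"] - start["ts"] <= window}
            if len(tenants) > len(worst):
                worst = tenants
        if len(worst) >= max_tenants:
            alerts[account] = sorted(worst)
    return alerts


def detect_off_hours(records, start_hour=7, end_hour=19):
    """Return sessions that started outside [start_hour, end_hour) UTC.
    Assumes the MSP's staff work a single daytime shift; adjust per account
    or per time zone in a real deployment."""
    return [r for r in records if not (start_hour <= r["ts"].hour < end_hour)]


def review(text):
    """Run both checks and return a list of human-readable findings."""
    records = parse_log(text)
    findings = []
    for account, tenants in detect_fan_out(records).items():
        findings.append(f"FAN-OUT: {account} reached {len(tenants)} tenants "
                        f"in one window: {', '.join(tenants)}")
    for r in detect_off_hours(records):
        findings.append(f"OFF-HOURS: {r['account']} from {r['src_ip']} into "
                        f"{r['tenant']} at {r['ts']:%H:%M}Z")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the sample data the shared `svc.rmm` service account is reported for both checks, while `tech.alice`, who touched two customers hours apart, is not. In practice the thresholds should be tuned per account: a service account that legitimately pushes patches to every tenant on a schedule needs a maintenance-window allow-list, not a blanket exemption, or the detector stops seeing exactly the activity it was built to catch.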
By some estimates, more than two-thirds of all businesses in the U.S. work with an MSP to improve the efficiency, reliability and security of their critical IT operations. Not all providers are of equal ability, however. When evaluating providers, organizations must do their due diligence to find a provider that has invested in the tools, controls and certifications necessary to protect valuable customer resources.