Rapid digital transformation has left companies playing catch-up with security and in an era where time is of the essence, there is immense pressure to implement top-notch security as quickly as possible.
However, small medium businesses (SMB) and enterprises oftentimes lack the resources or bandwidth to hire and train expert in-house staff. And for those with the means, a substantial cybersecurity skills gap can further complicate matters.
Enter: the managed service provider (MSP), an outsourced cybersecurity expert hired to help with your immediate and long-term security needs. MSPs are becoming more common—38% of companies are leveraging MSPs to manage more than half their IT needs, a notable 25% increase from the prior year.
But before following the trend, companies need to carefully assess and plan for adding an MSP to their arsenal to minimise associated cyber risk. This article provides a comprehensive overview of the purpose of an MSP and key considerations when evaluating a potential partner.
What is an MSP?
An MSP is an outsourced IT service that provides support for a company’s IT infrastructure and end-user systems. Typically, MSPs handle management services daily so customers can focus on their core business functions without worrying about system interruptions or downtimes.
MSPs typically classify their services into one of three categories:
- Pure play: Focuses on one management service, technology, or vendor
- Stagging legacy: Broadens their service to include installations
- High-level: Offer all of the IT solutions
Benefits of an MSP
MSPs have evolved beyond helping manage traditional break-fix cycles. According to the Channel Futures MSP 501 2021 Report, the top revenue-generating solutions for MSPs included help desk, managed security, backup and disaster recovery (BDR), and remote monitoring and management (RMM).
As MSPs expanded their offerings, expectations rose as well. A study from Apps Associates found that IT decision makers expected an MSP partnership to help IT departments secure the enterprise, allow them to focus on critical corporate initiatives, aid in a successful cloud migration, and improve internal team morale and retention.
Let’s review some of the ways an MSP can help:
Cyberattacks like ransomware targeting SMBs continue to increase in part because malicious actors realise these organisations don’t have the means or manpower for security teams. But even enterprises with fully staffed teams may struggle with deploying complex endpoint detection and response solutions, leaving security capabilities unoptimised. And then there’s the issue of false positives, which waste valuable time for already overstretched in-house teams.
MSPs can augment and alleviate security staff due to their robust cybersecurity experience, certifications, and knowledge on existing and emerging technologies. And since an MSP is not just a single person, organisations get to reap the benefits of multiple IT experts. Furthermore, MSPs are contractually obliged to a Service Level Agreement (SLA), which ensures they utilise industry best practices to quickly detect, respond, and remediate threats.
Many organisations must demonstrate through audits and reports that their business processes and security controls meet the minimum standard set forth by the specific regulation. They also have a small window of time to notify affected individuals of a data breach or face stiff fines.
While seemingly a straightforward process, complex language and location specific regulations can make achieving continuous compliance a challenging task. Plus, compliance isn’t often considered a core business function, which can lead to disorganised processes and heightened risk.
MSPs are dedicated, expert personnel that can collect the relevant data, monitor systems and processes, and conduct internal and external reporting needed to demonstrate compliance. They can also assist with keeping software patched and replacing outdated equipment, as required by most compliance frameworks. This allows internal staff to focus on other core business functions and innovation.
Attack surface management
As organisations moved to the cloud to save capital expense, support agile demands, and remote workers, the attack surface rapidly expanded, opening new doors to cybercriminals. With more users and devices connecting remotely, it’s no surprise that 82% of cybersecurity breaches occur due to human error. Evidently, knowledgeable security staff is a must to minimise cyber risk. Instead of dedicating time and money to training overburdened in-house teams, an MSP comes in with the expertise and knowledge necessary to address risk across the attack surface.
MSPs can also perform regular testing of backups and disaster recovery plans to ensure that the most effective processes, procedures, and policies are in place when an attack strikes. Lastly, they can provide ongoing cyber awareness training to address user-specific paths like phishing and poor security hygiene, if contractually obliged.
No longer a nice-to-have, cyber insurance is an absolute must for organisations of any size. Unfortunately, an uptick in ransomware attacks and costly extortion demands has caused cyber insurance carriers to tighten requirements and even introduce new mandates. The swift changes to the cyber insurance market have left some businesses confused on what they need to obtain or renew coverage. And since you only have one attempt at applying for cyber insurance with certain carriers, you need to have your ducks in a row.
Some MSPs are quite familiar with the cyber insurance procurement process and can help businesses vet potential carriers. They can also assist in ensuring you’re leveraging the correct technology and best practices to meet minimum requirements. to A truly savvy MSP could provide guidance on how go above and beyond with innovative technologies and solutions, which could potentially impact the cyber insurance quote.
Considerations when evaluating MSPs
Think of shopping for an MSP like choosing a car; usually you’d have a rough idea on what model you need (compact, SUV, minivan), features you want (heated seats, sunroof), and price range all based on your needs and budget.
Similarly, you need to evaluate your budget, existing resources, and security needs so you can make an informed decision when shopping around for an MSP. The more you understand your current state including weaknesses and future goals, the better-positioned you will be to craft a satisfactory contract with your MSP. One size does not fit all.
The Cybersecurity and Infrastructure Security Agency (CISA) created the Risk Considerations for Managed Service Providers report to help businesses strategically select the right partner. The framework is composed of the following three components:
Strategic decision making
CISOs and security leaders need to balance cost with effectiveness when considering MSPs. For example, if you’re hiring a cook, do you have the budget for them to bring their own farm-to-table, organic ingredients, or will you provide what they need at a cheaper cost.
Furthermore, will the chef be responsible for cleaning the kitchen afterwards, or will you be? Establish specific security roles and responsibilities for internal teams, the MSP, and both parties, to ensure maximum efficiency without disrupting workflows.
Next, evaluate your existing security tech stack and organisational capabilities. What security gaps and risks do you need the MSP to help address? If you want a chef to make brick oven pizza at home, do you have the right appliance, or will they need to bring their own?
Similarly, if you want the MSP to enhance detection and response, do you have a unified cybersecurity platform in place with XDR capabilities, or are you still using siloed point products? Or does the MSP need to integrate their own tech into your existing ecosystem?
Lastly, whatever gaps and risks are surfaced during this process need to be fully addressed to improve your security posture, whether you go with an MSP or not. These adjustments will come with a price tag, which can further assist you in establishing a budget and avoiding “hidden costs” that may be blamed on the MSP. When estimating fees, make sure you consider the upfront and ongoing costs of implementing new technology.
Operational decision making
A disorganised approach to procurement and security operations will increase cost and supply chain cybersecurity risks. To avoid this, clearly articulate requirements in a contract and ensure your thoroughly vet the MSP by requiring the following prior to entering an agreement:
- Performance related service level agreements
- Detailed guidelines for incident management
- Software Bill of Materials (SBOM)
- Log and records maintenance as well as direct access to systems
- Documents to thoroughly vet employees to minimise risks of IP theft, manipulations, or operational disruptions
- Transition plan to support a smooth integration
- Notification of any sub-contractors and independent consultants that would potentially expose the org’s data to another external party
- Protocol for planned network outages
- Documentation of MSPs financial health, performance record for other clients, and disclosure of any previous legal issues
Tactical decision making
Internal security practices should extend to MSPs’ networks to minimise associated risks. This includes access controls such as leveraging a zero-trust strategy where access is only provided to the necessary resources.
If the MSP is bringing in their own tools and solutions, make sure you have supply chain security controls in place and implement the appropriate monitoring and logging of MSP managed systems.
Establish a strong risk assessment procedure that leverages automation, AI, and machine learning to monitor and log the provider’s presence, activities, and connections to your network. By implementing a policy that dictates the risk threshold, connections will be automatically terminated to minimise the scope of a potential attack.
In today’s evolving threat landscape, effective and efficient cybersecurity is critical to business success. As I said, getting the most out of your MSP starts with evaluating weak areas and your current security stack. To learn more about evaluating cyber risk check out the Trend Micro Security Assessment Service and Public Cloud Risk Assessment.