Rapid digital transformation has left companies playing catch-up with security and in an era where time is of the essence, there is immense pressure to implement top-notch security programs as quickly as possible.
Organisations of any size may lack the resources or bandwidth to establish a security operations centre (SOC). And for those with the means to hire and train expert staff, a substantial cybersecurity skills gap can further complicate matters.
Enter: cyber security managed services. The managed service provider (MSP) or managed security service provider (MSSP), an outsourced cybersecurity expert hired to help with your immediate and long-term security needs. MSPs are becoming more common—38% of companies are leveraging MSPs to manage more than half their IT needs, a notable 25% increase from the prior year.
But before following the trend, companies need to carefully assess and plan for adding an MSP to their arsenal to minimise associated cyber risk. This article provides a comprehensive overview of the purpose of an MSP and key considerations when evaluating a potential partner.
What is an MSP?
MSPs have evolved beyond helping manage traditional break-fix cycles. An MSP is an outsourced IT service that provides support for a company’s IT infrastructure and end-user systems. Typically, MSPs handle real-time threat detection and other cybersecurity operations so customers can focus on their core business functions without worrying about system interruptions or downtimes.
MSPs typically classify their services into one of three categories:
- Pure play: Focuses on one management service, technology, or vendor
- Stagging legacy: Broadens their service to include installations
- High-level: Offer all of the IT solutions
Benefits of an MSP
Cyber threats and cyberattacks like ransomware targeting SMBs continue to increase in part because malicious actors realise these organisations don’t have the means or manpower for security teams. But even enterprises with fully staffed security operation centres may struggle with deploying complex endpoint detection and response solutions, leaving security capabilities unoptimised. And then there’s the issue of false positives, which waste valuable time for already overstretched in-house teams.
MSPs can augment and alleviate security staff due to their robust cybersecurity experience, certifications, and knowledge on existing and emerging technologies. And since an MSP is not just a single person, organisations get to reap the benefits of multiple IT experts. Furthermore, MSPs are contractually obliged to a Service Level Agreement (SLA), which ensures they utilise industry best practices for quick threat detection, response, and remediation.
Many organisations must demonstrate through audits and reports that their business processes and security controls meet the minimum standard set forth by the specific regulation. They also have a small window of time to notify affected individuals of a security breach or face stiff fines.
While seemingly a straightforward process, complex language and location specific regulations can make achieving continuous compliance a challenging task. Plus, compliance isn’t often considered a core business function, which can lead to disorganised processes and heightened risk.
MSPs are dedicated, expert personnel that can collect the relevant data, monitor systems and processes, and conduct internal and external reporting needed to demonstrate compliance. They can also assist with keeping software patched and replacing outdated equipment, as required by most compliance frameworks. This allows internal staff to focus on other core business functions and innovation.
As organisations moved to the cloud to save capital expense, support agile demands, and remote workers, the attack surface rapidly expanded, opening new doors to cybercriminals.
With more users and devices connecting remotely, it’s no surprise that 82% of cybersecurity breaches occur due to human error. Evidently, knowledgeable security staff is a must to minimise cyber risk. Instead of dedicating time and money to training overburdened in-house teams, an MSP comes in with the expertise and knowledge necessary to address risk across the attack surface.
MSPs can also provide incident response services and perform regular testing of backups and disaster recovery plans to ensure that the most effective processes, procedures, and policies are in place when an attack strikes. Lastly, if contractually obliged, they can provide ongoing cyber awareness training to address user-specific paths like phishing and poor security hygiene.
No longer a nice-to-have, cyber insurance is an absolute must for organisations of any size. Unfortunately, an uptick in ransomware attacks and costly extortion demands has caused cyber insurance carriers to tighten requirements and even introduce new mandates. The swift changes to the cyber insurance market have left some businesses confused on what they need to obtain or renew coverage. And since you only have one attempt at applying for cyber insurance with certain carriers, you need to have your ducks in a row.
Some MSPs are quite familiar with the cyber insurance procurement process and can help businesses vet potential carriers. They can also assist in ensuring you’re leveraging the correct technology and best practices to meet minimum requirements.
A truly savvy MSP could provide guidance on how go above and beyond with innovative technologies and solutions, which could potentially impact the cyber insurance quote.
Think of shopping for an MSP like choosing a car; usually you’d have a rough idea on what model you need (compact, SUV, minivan), features you want (heated seats, sunroof), and price range all based on your needs and budget.
Similarly, you need to evaluate your budget, existing resources, and security needs so you can make an informed decision when shopping around for an MSP. The more you understand your current state including weaknesses and future goals, the better-positioned you will be to craft a satisfactory contract with your MSP. One size does not fit all.
The Cybersecurity and Infrastructure Security Agency (CISA) created the Risk Considerations for Managed Service Providers report to help businesses strategically select the right partner. The framework is composed of the following three components:
CISOs and security leaders need to balance cost with effectiveness when considering MSPs. Establish specific security roles and responsibilities for internal teams, the MSP, and both parties, to ensure maximum efficiency without disrupting workflows.
Next, evaluate your existing security tech stack and organisational capabilities. What security gaps and risks do you need to be fully managed?
Similarly, if you want the MSP to enhance detection and response, do you have a unified cybersecurity platform in place with extended detection and response (XDR) capabilities, or are you still using siloed point products? Or does the MSP need to integrate their own tech into your existing ecosystem?
Lastly, whatever gaps and risks are surfaced during this process need to be fully addressed to improve your security posture, whether you go with an MSP or not. These adjustments will come with a price tag, which can further assist you in establishing a budget and avoiding “hidden costs” that may be blamed on the MSP. When estimating fees, make sure you consider the upfront and ongoing costs of implementing new technology.
A disorganised approach to procurement and cybersecurity operations will increase cost and supply chain cybersecurity risks. To avoid this, clearly articulate requirements in a contract and ensure your thoroughly vet the MSP by requiring the following prior to entering an agreement:
- Performance related service level agreements
- Detailed guidelines for incident management
- Software Bill of Materials (SBOM)
- Log and records maintenance as well as direct access to systems
- Documents to thoroughly vet employees to minimise risks of IP theft, manipulations, or operational disruptions
- Transition plan to support a smooth integration
- Notification of any sub-contractors and independent consultants that would potentially expose the org’s data to another external party
- Protocol for planned network outages
- Documentation of MSPs financial health, performance record for other clients, and disclosure of any previous legal issues
Internal security practices should extend to MSPs’ networks to minimise associated risks like a security breach. This includes access controls such as leveraging a zero-trust strategy where access is only provided to the necessary resources.
If the MSP is bringing in their own tools and solutions, make sure you have supply chain security controls in place and implement the appropriate monitoring and logging of fully managed systems.
Establish a strong risk assessment procedure that leverages automation, AI, and machine learning to monitor and log the provider’s presence, activities, and connections to your network. By implementing a policy that dictates the risk threshold, connections will be automatically terminated to minimise the scope of a potential attack.
In today’s evolving threat landscape, effective and efficient cybersecurity is critical to business success. As I said, getting the most out of your MSP starts with evaluating weak areas and your current security stack. To learn more about evaluating cyber risk check out the Trend Micro Security Assessment Service and Public Cloud Risk Assessment.