It’s time for MSPs to take a more unified approach to security. In September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report titled, “”Risk Considerations for Managed Service Provider Customers.”” It highlights that MSPs play an important role in providing IT and security services to businesses, but warns that using an MSP can expand an organization’s attack surface and be an entry vector for supply chain cyberattacks. According to the report (and other research), cybercriminals are increasingly targeting MSPs, with the most advanced persistent threat groups employing “Living Off the Land” techniques that take advantage of MSPs’ tools to extract data or control customer systems.
The goal of the report is to provide a framework for public and private organizations to mitigate the potential risks of outsourcing IT services. Considerations and best practices are broken down into three groups within an organization that play pivotal roles in reducing cybersecurity risks:
Senior executives making strategic decisions. CISA advises them to consider whether it’s cost-effective to outsource IT services, bearing in mind cybersecurity requirements and risk thresholds. It recommends that senior executives provide adequate information if they decide to outsource services, establish who is responsible for security and operations when outsourcing, and create specific plans to protect the organization’s most critical assets covering all potential risks with MSPs.
Procurement professionals with operational decisions. CISA recommends establishing requirements by different departments and executives (CIOs, CISOs, COOs, etc.) when selecting a vendor. It also advises that a vendor’s contract and service-level agreement clearly provide all the elements related to the associated risks and cybersecurity for the services delivered.
IT technicians and cybersecurity staff handling technical decisions. CISA recommends that consideration be given to which permissions and level of access MSPs will have on organizations’ networks and systems, considering factors such as access to sensitive assets.
What MSPs Need to Do
When it comes to cybersecurity measures for MSPs, CISA has some specific recommendations too:
- Backup solutions – Use backup solutions to restore service in the event of an incident as quickly as possible and with the least possible impact on the company’s operations.
- Constant updates – Provide round-the-clock updates of the organization’s software.
- Continuous network monitoring – Provide continuous network monitoring (especially in networks where MSPs have full access).
- Comprehensive protection, detection, and response – Deploy protection, detection, and response tools at endpoints.
- Dedicated VPN – Use a VPN to connect MSP and customer infrastructure.
- Multifactor Authentication – Use MFA to connect to the customer’s networks and systems.
All these recommendations should be driving MSPs toward making cybersecurity a primary pillar of their corporate strategy. Those offering security services to customers should seek solutions that allow them to deliver a unified security platform (including key technologies around network, Wi-Fi, endpoint, and MFA security).
Security needs to be effective at scale for MSPs (and customers). The number of network environments, users, devices, and connections is exploding. As a result, there are five key areas MSPs should focus on when rolling out security solutions:
- Gaining clarity and control of security products
- Having a comprehensive security portfolio
- Sharing knowledge
- Aligning operations
- Implementing automation
More specifically, MSPs need to look for a complete portfolio of security products and services from vendors they work with. They need those technologies to be centralized for better security policy management, threat remediation, visibility, and reporting. This gives them the clarity and control needed to streamline security administration. Layered on top of that, they need solutions with direct API access, out-of-the-box integrations, and support for different payment and consumption models to drive operational alignment. They also need the products to easily share knowledge with each other to help drive zero-trust and identity-based security models. And finally, automation needs to be baked into every element to simplify consumption, delivery, and management.
As MSPs continue to be targeted by threat actors, it will be critical to integrate the normally disparate layers of security to better protect themselves and the customers they serve.
MARK ROMANO is senior director of worldwide channel programs and field engagement at WatchGuard.
