It’s time for MSPs to take a more unified approach to security. In September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report titled “Risk Considerations for Managed Service Provider Customers.” It highlights that MSPs play an important role in providing IT and security services to businesses, but warns that using an MSP can expand an organization’s attack surface and serve as an entry vector for supply chain cyberattacks. According to the report (and other research), cybercriminals are increasingly targeting MSPs, with the most advanced persistent threat groups employing "Living Off the Land" techniques that abuse the MSPs' own remote management tools to extract data from or control customer systems.
The goal of the report is to provide a framework for public and private organizations to mitigate the potential risks of outsourcing IT services. Considerations and best practices are broken down into three groups within an organization that play pivotal roles in reducing cybersecurity risks:
- Senior executives making strategic decisions. CISA advises them to consider whether it’s cost-effective to outsource IT services, bearing in mind cybersecurity requirements and risk thresholds. If they decide to outsource, it recommends that they provide the MSP with adequate information, establish who is responsible for security and operations, and create specific plans to protect the organization’s most critical assets that cover all potential risks associated with MSPs.
- Procurement professionals making operational decisions. CISA recommends that the relevant departments and executives (CIOs, CISOs, COOs, etc.) define their requirements before a vendor is selected. It also advises that the vendor’s contract and service-level agreement clearly spell out the risk and cybersecurity obligations for the services delivered.
- IT technicians and cybersecurity staff making technical decisions. CISA recommends carefully deciding which permissions and what level of access the MSP will have on the organization’s networks and systems, taking into account factors such as access to sensitive assets.
What MSPs Need to Do
When it comes to cybersecurity measures for MSPs, CISA has some specific recommendations too:
- Backup solutions – Use backup solutions to restore service in the event of an incident as quickly as possible and with the least possible impact on the company's operations.
- Constant updates – Keep the organization's software patched and up to date on a continuous basis.
- Continuous network monitoring – Provide continuous network monitoring (especially in networks where MSPs have full access).
- Comprehensive protection, detection, and response – Deploy protection, detection, and response tools at endpoints.
- Dedicated VPN – Use a VPN to connect MSP and customer infrastructure.
- Multifactor Authentication – Use MFA to connect to the customer's networks and systems.