How to find a security-savvy MSP

The US Cybersecurity and Infrastructure Security Agency (CISA) released a document called Risk Considerations for Managed Service Provider Customers. CISA acknowledges the role of network administrators, among others, in selecting an MSP. While the document includes good overall guidance to small- to medium-sized businesses (SMBs) that use consultants, I find some of the recommendations to be inconsistent with what I know in the SMB space.

In particular, CISA recommends that “SMBs should catalog which assets are the most critical to operations and characterize the risk to those assets. This allows organizations to prioritize which assets should be included in or excluded from vendor agreements and to develop specific contingency plans for incidents affecting those assets.” Many small businesses aren’t always aware of the risk technology assets present. The business need often powers the purchasing of the technology asset; as long as that need is met, the risk of the asset is not analyzed. It’s often the consultant that comes in and recommends changes to the technology assets.

CISA recommends that the hiring organization obtain specific contracts and service level agreements from the MSP. It also recommends the MSP provide:

• Guidelines for incident management
• Steps that the MSP will take to mitigate known risks
• A statement on how data from different clients will be segmented or separated on the MSP’s network
• Guidelines for logs and records maintenance as handled by the MSP
• Documentation of vetting of employees to minimize risks of intellectual property theft
• The ability for the customer to examine systems that directly or indirectly support the contracted service
• A transition plan to support smooth integration of services
• Protocols for planned network outages
• Documentation of an MSP’s financial health and disclosure of any previous legal issues

While these items might be obtainable, the reality is that these items just don’t come up in the contractual negotiations between SMBs and MSPs, or they are items that aren’t well documented.

CISA recommends applying the zero trust security model, including the principle of least privilege to any contractor or managed service provider that has access to your network. Many SMBs are a long way from truly having zero trust in their networks. Instead, they need to rely on additional processes that ensure that some additional verification process is in place to gain access to their networks.

Tips to find a security-focused MSP

Network admins or security management can identify an excellent MSP or consultant by how they respond to your questions about security. Ask how they feel about multi-factor authentication (MFA) especially on resources that are accessed from outside of the organization. Ask them what they think your risks are. If they push back or minimize the risks, then that’s not the MSP to hire.

The MSP should not only recommend that updates are regularly applied, they should ensure that the MSP firm does likewise—especially in regard to any remote access tool that is used. Discuss with your consultant what tools and what updating processes they use regarding that remote access tool. Ensure that they have MFA enabled on the remote access tool and mandate that each consultant or technician has a unique access token for the network and doesn’t reuse access. Discuss the use of a dedicated VPN for access to your network and ensure that the consultants restrict certain applications and tasks to their static IP as needed for their processes.

The MSP should have multiple backup processes so that you aren’t just reliant on one process to back up and restore your critical functions if, or rather when, ransomware impacts your firm. Attackers focus on weak links and entry points and MSPs are a juicy target. Attackers know that if they gain access to an MSP, they can then access multiple customers at the same time.

MSPs often use other shared vendors and tools themselves. Request additional information and confirmation of the security practices of the vendors and portals that your MSP uses to ensure the MSP is reasonably protected from attackers exploiting those providers.

Again, question your consultants. If they agree that patching is difficult but don’t urge you to disable patching processes, they understand that software updates must be installed to maintain security in your network. If they agree that MFA restricts access to those who need it and helps keep attackers out, they understand security risk. If they interview you and discuss your business needs and help you reach a balance between business needs and security mandates, they are a firm that you should hire.

The CISA document focuses too much on techniques that only large entities and governments could mandate from their MSPs. For me, hiring an MSP or consultant is about the trust of the relationship and relying on their guidance and expertise. I look to them to advise me. I look to see if they send me educational and advisory materials that help keep me secure. For SMBs, hiring a consultant or MSP ultimately comes down to whether they listen and help the firm protect the network.