How to find an MSP to protect you from outsourcing IT risks

Check out what questions to ask MSPs to make sure they have the right security systems in place to protect your organization against outsourcing IT risks.

Businesses of all sizes struggle with budget, access to qualified and affordable talent and the around-the-clock support needed in today's rapidly changing and competitive environment. An overworked staff and inadequately managed and secured information systems can lead to tragic systems failures and security events, as well as dissatisfied clients and employees. If a major security breach occurs, or if systems are even mildly inconsistent, a company's brand, client loyalty and profits can be devastated.

Managed service providers (MSPs) help fill the gaps, support strategic initiatives and lighten the load an organization's internal IT staff carries to make sure it protects customers from outsourcing IT risks.

But due to recent high-profile attacks on local and global IT managed service providers, enterprise leadership may be concerned about the safety of working with an MSP. IT leaders that already trust an MSP to provide outsourced IT services may want to review that relationship for applicability, security and reliability. Other organizations are deciding whether they should hire an MSP, and if so, how should they decide which MSP to trust?

Choosing an MSP makes sense despite the recent attacks, if organizations find the right partner. To help you do just that, check out the list of questions below to ask MSPs -- whether potential partners or existing ones.

"IT often can't do it all. MSPs and MSSPs (managed security service providers) certainly have their place in helping offload work, adding skills and redundancy.  We do, however, need to slow down and think before we just hand over the keys to our kingdoms," according to Chris Roberts, chief security strategist of Attivo Networks, a leading expert on counter threat intelligence.

Choosing an MSP can't be just about price, slick packaging or some arbitrary ranking based on revenues that include loosely defined and unrelated services. Selecting an MSP should be about finding the partner that offers a good value and evidence of its privacy and security chops. The MSP must be able to demonstrate it understands what it takes to deliver a secure managed IT or security service, which protects the client and the MSP alike.

How MSPs protect customers against outsourcing IT risks

For many organizations, hardware upgrades, software patching and other maintenance tasks are often the first to suffer in environments where IT services are provided solely by overworked internal staff, and delays in those tasks can compromise security. Whether the cause is a lack of time or a lack of overnight staff, many tasks that require downtime are simply better suited to managed service providers.

MSPs are great for the tasks that are critical but often left undone due to a lack of staffing, fear of the process or staff simply being too busy to complete them. "Software patching for example is a key MSP service, and the people delivering it are really important," Roberts said. "Nobody relishes patching, but if I am an attacker and I find an unpatched system, I am certainly not going to burn a zero day or one of my personal exploit methods or tools in a penetration test."

The technology market is highly competitive, with record unemployment as low as 1.9%. In such a competitive market, finding and retaining in-house professionals can be a daunting and time-consuming process.

MSPs can really make a difference in the lives of enterprise IT and security staff, according to Mark Essayian, CEO of KME Systems, an MSP based in Lake Forest, Calif. MSPs offer the opportunity for enterprise IT staff to be strategic instead of always in the trenches. They allow enterprise employees to take that break for the holidays, sleep at night and take real vacations when the time comes because the MSP is on duty.

"Besides the obvious, having strategic MSP professionals that have the backs of internal IT really matters," said Roberts.  "Burnout leads to missing the signs being presented by our platforms or just not caring. Having help makes that easier."

"People are critical when choosing an MSP. A client must know that an MSP's staff is qualified, capable and trained," Essayian said.  "Among the questions potential clients need to ask is, do they train on new and emerging threats as well as on reemerging old threats?"

Whether talking about internal IT staff or MSP professionals, having well-trained people with high job satisfaction is key to having well-managed IT systems. Relieving stress and improving results are key values of using secure MSPs to guard against outsourcing IT risks.

Questions to ask MSPs about security

If you're looking for an MSP or making sure the one you already work with can protect you, make sure it has the necessary security plans and systems in place.

"In the process of offloading work and making our lives easier, we are trusting what and who is behind the scenes of an MSP," Roberts said. "We need to be bloody asking if the MSP has policies, procedures and of course controls to protect our information."

MSPs bring a diverse and broad set of talents and capabilities to the market. They are not all the same, and while no IT department or MSP is perfect, some are certainly better positioned to deliver. Organizations that partner with MSPs must be able to trust that the MSP they choose has their best interests in mind.

When talking to potential MSPs, find out whether candidates do the following to guard against outsourcing IT risks:

  1. Have a formal security program that is proven and tested.
  2. Incorporate security into the culture through training, policies, procedures and controls.
  3. Monitor the network using state-of-the-art tools and techniques.
  4. Have independent network monitoring as an additional layer of security.
  5. Leverage AI and machine learning to help quickly identify anomalous behavior.
  6. Conduct regular vulnerability testing and remediation to verify system state.
  7. Use trusted methods and tools to secure the systems used to access or store systems information.
  8. Properly vet and test employees for background and qualifications.
  9. Monitor and log employee access to client systems.
  10. Have tested security incident and disaster response plans.
  11. Leverage independent vetting from outside auditors using a solid security framework.
  12. Isolate internal access and information to appropriate levels.
  13. Segment systems to limit attackers' ability to escalate.
  14. Understand the regulatory environment and how it impacts them and their clients.
  15. Have a domestically based presence.
  16. Use multifactor authentication.
  17. Carry cyber insurance that covers breach events.
  18. Have 24x7 staff in front of screens and always paying attention.
  19. Have a failsafe and proven backup and continuity system in place.

As businesses continue to leverage outsourced IT services, they need to be assured that they are making the right choices. The benefits of careful selection greatly increase the likelihood of a successful and long-term relationship.
