Is the MSP a Security Weak Point?

Geek Speak

By: Gary Audin 

You are an MSP. You could be a prime target for a security breach. As a target, you expose multiple customers with one breach. How strong is you internal security? Your customer trusts you to perform functions like their resource management staff.

You believe you have done a good job protecting their resources from security threats. You need to demonstrate your security policies and procedures to attract a customer and to differentiate your MSP offerings from the competition

MSPs are security targets
The MSP can be the launching platform for attacks on your customer’s network resources. You are an important partner to your customer’s. As an MSP you can also be a risk. Since a MSP services several customers, the security threat increases because Securitythe attacker can compromise one MSP and gain access to multiple customers’ resources. While ransomware appears to be one of the preferred methods of attack, you need to consider that other forms of attacks will also occur. One scenario has the attacker compromising the customer’s network then moving into critical systems. Workflows can be learned allowing attackers to steal credit card data or money.

Attacks may not compromise systems. They can cause impact on CX, create downtime, or cause the customers to temporarily shut down operations.

The Trusted MSP
Attacks via trusted partners (MSPs) that have privileged access to customer resources can qualify as insider threats just as threats from the customer’s employees.

Review your MSP agreements. You need concrete statements that can be measured. Offering credits for problems may look good but the credits will probably do little to cover the customer’s costs of the attack making the customer unhappy.

You need to review your security processes and compare them to what the customer does internally without the MSP. You should be better than what the customer implements. Provide data about your experiences as an MSP and how you prevented or mitigated attacks.

MSPs can limit the damages
Using a MSP does not absolve the customer from security responsibilities. Ensure that the customers communicate to their users about what security processes and procedures are their responsibilities. Train the users. Don’t forget the contractors the customers employ. Contractors can be another weakness in the security posture.

Secure your privileged access super users. Don’t assume they do everything right. They can make mistakes or are negligent. When they are overworked, new problems usually occur. MSPs should have privileged access software that can fully audit the functions performed. Is it consistently and frequently employed? Ensure that privileged access policies and procedures are followed. MSP staff turnover, illnesses, and new employees may open security holes.

Keep the service level agreement (SLA) current. Analyze what the SLA does and does not cover so you know your liabilities. You may discover security holes that are not covered. Are the security holes the customer’s or MSPs responsibilities? Every time an SLA is updated, inform the customer of the changed provisions. The customer may have to provide some of the security solutions because the SLA does not cover everything.

The MSP should audit their performance and formally report the results to the customer. The audit should cover the business’s employees, consultants, contractors, vendors, and service providers. The MSP may not be able to enforce security procedures on everyone but they can report where these groups may enable security weaknesses.

The MSP should regularly scan for security vulnerabilities and report the results. When vulnerabilities are discovered, the MSP should provide a report of the actions taken to mitigate the vulnerabilities.

The security landscape is constantly changing. As customers protect themselves, attackers develop new methods of attack. For example, software updates for security advertise the vulnerability. Fixing these vulnerabilities fast will reduce the possibility of attacks. Most security vulnerability resolutions need be deployed immediately. Waiting for a convenient time leaves the business open to attacks.