I am constantly amazed by the number of small-midsize business (SMB) owners who believe their IT Managed Service Providers (MSPs) have them covered when it comes to cybersecurity and compliance responsibilities.
I get it. Most business owners would assume that by outsourcing the management of their IT assets, the service provider should take on the liability of ensuring that the infrastructure is secure and compliant. Right? There is some truth to this, but on a very limited basis.
Before we decide to hand over the “keys to the kingdom” of managing our company’s infrastructure to an MSP, we’ll want to evaluate its qualifications and overall security posture. The challenge we find with many of our SMB clients is they’re not entirely sure what type of questions to ask when evaluating an MSP. So, for this month, we will provide you with a list of questions you should be asking in order to ensure your infrastructure (and the sensitive data within it) is being managed in a secure and compliant manner.
Questions You Should Ask When Evaluating an MSP
- Do you perform annual third-party audits to demonstrate you are delivering services in a secure and compliant manner? Most MSPs will hire a certified third-party auditor to perform an annual security audit called a SOC 2 Type II. This annual audit provides evidence that the MSP is operating a highly secure, process-driven and dependable organization.
- Do you monitor your network for intrusions? For example, are file-integrity monitoring tools in place to alert personnel to unauthorized changes to critical system files?
- Do you perform routine penetration tests on your infrastructure? These tests validate the effectiveness of segmentation controls and should be performed every six months or after any major change to controls.
- Do you outsource any of your services to a third-party provider (such as help desk support, monitoring, etc.)? If so, have you evaluated these third parties to ensure they are delivering services in a secure and compliant manner? As cybersecurity advisors, we are extremely wary of working with MSPs that outsource key functions of what they should be managing in house. This can be a huge red flag.
- How do you monitor our IT infrastructure to ensure that it has not been compromised and is running efficiently? A good MSP will have a Network Operations Center team responsible for the configuration, monitoring and management of your IT infrastructure.
- Do you have an Incident Response Plan, and what is your response time? An MSP that has no incident response plan for its own business should be a major red flag.
- Do you have a Disaster Recovery/Business Continuity Plan in place and how often is it tested?
- Can we schedule a site visit to see how you operate? We encourage all our clients to visit the offices of any MSP they are considering to manage their IT infrastructure.
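The file-integrity monitoring question above is worth understanding in concrete terms, because it is the control you can most easily verify an MSP actually runs. The following is an added example written for this post, not a tool from the original article or from any MSP: it builds a SHA-256 baseline of a directory tree, then rescans and reports added, removed and modified files, which is the core of what products such as AIDE or Tripwire do. The sample directory, file names and contents are constructed for the demo; `demo()` simulates one edited file, one deleted file and one new file and returns the differences.

```python
"""Minimal file-integrity monitoring (FIM): baseline a tree, rescan, diff.

Added example for this post (not the article's or any vendor's code).
All paths and file contents below are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record hash, size and permission bits for every regular file under root.

    Paths are stored relative to root so the baseline is portable between
    the monitored host and wherever the baseline is kept.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            st = path.stat()
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines: new files, missing files, and content/mode changes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name
        for name in set(baseline) & set(current)
        if baseline[name]["sha256"] != current[name]["sha256"]
        or baseline[name]["mode"] != current[name]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "tool").write_bytes(b"constructed binary content")

        # Serialize the baseline exactly as you would ship it off-host; a
        # baseline kept only on the monitored machine can be altered along
        # with the files it is supposed to protect.
        stored = json.dumps(build_baseline(root))

        # Simulated changes since the baseline was taken.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # edited
        (root / "etc" / "hosts").unlink()                                   # deleted
        (root / "bin" / "newfile").write_bytes(b"constructed new file")    # added

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline is refreshed only after an approved change window and is stored and signed somewhere the monitored host cannot write to; an alert from the `modified` or `added` lists that does not line up with a change ticket is the signal the question above is asking the MSP to catch.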
Having worked and partnered with several MSPs over the past several years, I can attest that not all MSPs operate at the same level when it comes to security and compliance. As third-party security vetting continues to spread, many of our SMB clients are being required to provide evidence that they can answer these questions; otherwise they risk losing clients they have done business with for years and falling behind competitors in today’s digital age.
In closing, it cannot be assumed that an MSP will fill the role of a trained security specialist. Being conscious of the differences between IT and security is critical to having business processes that are both functional and secure. We challenge you to consider asking your MSP these pointed questions as we move into 2020! If you are not comfortable conducting interviews with MSPs, consider hiring a security consultant who can speak on your behalf. A third-party security consultant can work with you and potential service providers to ensure your IT infrastructure is designed with your company’s best interests in mind.