Last month, I flew down to Florida with my parents, brother, and our respective wives, to attend my cousin’s wedding. The trip down was uneventful and the wedding was terrific.
But as the weekend was coming to a close, it occurred to me that I had not come up with any good stories for my monthly newsletter!
Fortunately, all that changed on the flight back to Boston. That’s because some of my fellow passengers were “mask resistant.”
The guy in the middle seat next to me removed his mask as soon as we were in the air and proceeded to eat his sandwich V E R Y S L O W L Y. We are talking one bite about every 10 minutes. An hour later, sandwich half-eaten, he put the mask back on.
And that’s where it stayed … until, that is, the flight attendant gave him a bag of goldfish. These swam from the package to his mouth at a pace only slightly faster than would a school of dead goldfish. Another hour passed.
Frankly, I was super-impressed; he 100% followed the rules while remaining maskless for 80% of the flight.
Traveler #2, one row back, took things a step further. He just never wore a mask, preferring, instead, to spend his time coughing throughout the flight. (I was a lot less impressed with this guy.)
These Are Your Managed Service Providers
Unfortunately, when it comes to protecting your data and network from the bad guys, these same two approaches are what most Managed Service Providers (MSPs) rely on.
Approach #1 is to follow the letter of the law (i.e., “masks may only be removed while eating”), while circumventing the spirit of it entirely. Many MSPs are “compliant with security,” while doing little of practical value to safeguard your assets.
Approach #2 is to just ignore good security practice entirely and not worry about it.
Either way, sooner or later, your data may be compromised.
Cybersecurity and IT Are Not the Same Thing
The truth is, we engage with many of our clients’ MSPs and there are several that take security seriously.
But even under the best of circumstances, the MSP’s risk-based decisions – which must apply across the board to all of its clients – may not align with where your company, in particular, has undertaken risk.
Plus, your MSP needs to establish practices and make decisions in the interest of scale; that’s their business model! They want to make it as easy and cost-effective as possible for their employees to serve a wide range of customers, platforms, and technologies. Again, that doesn’t usually align with making security Job One.
For example, one MSP that provides service to several of our clients (and that does in fact have good cybersecurity controls in place) gives administrative access to my clients’ infrastructure to many of its employees. Why? Because they have a large help desk staff, any one of whom may need access at any time to privileged accounts.
Their CISO assures me that they are “working on a solution.” But he and I both know that their business model (scale and efficiency) is out of sync with my clients’ risk model (security).
Lastly, when thinking about risk, consider the size of an MSP's customer base. An attacker will find a small MSP with a handful of clients a lot less attractive than a gigantic MSP with hundreds. Yes, the larger provider is likely to have more standardized processes and security controls, but from the attacker's point of view, the MSP's administrative access to its clients' environments is a single door into every one of them, so there is also much more to be gained.
Recommendations
#1. Vet your MSP.
Ask them to describe their security program.
Do they segment their customers from one another? Is a separate credential, and ideally multi-factor authentication, required for access to your environment? Do they have dedicated account teams? How many employees have administrative access to your accounts? How do they rotate credentials ("credential cycling") when one of their employees leaves? How is remote access to your network/computers handled?
There is always risk. By having the MSP explain its approach, you can at least understand where and to what degree you may be vulnerable.
#2. Determine how your MSP will be managed.
Whether it’s a dedicated IT person or someone for whom this is just part of their responsibilities, it’s essential that an individual inside your company be assigned to act as the primary point of contact with your MSP.
Further, if it’s someone who is not an IT person (e.g., VP of Ops, COO), and therefore does not have IT front and center in their daily life, they need to allocate time to playing an active role.
#3. Meet with your MSP.
The more frequently and explicitly you share the specifics of your IT needs, the more focused and customized the solutions your MSP provides will be. Make sure that security is on the agenda and that the MSP is making incremental improvements every week, month, and quarter.
Your MSP has a lot of bases to cover. Let them know which pieces of your particular puzzle matter the most and meet with them regularly to ensure your needs stay top of mind, especially as it relates to security.
Conclusion
I have nothing against MSPs, and for many companies, bringing all of IT in-house is not a viable option. But cybersecurity is not their bread and butter.
Just as you wouldn’t go to a dermatologist for heart surgery – regardless of how capable a doctor he or she was – you need a higher level of attention and specialization when it comes to keeping your business secure.
P.S. If you find yourself without a mask, make sure to at least have a bag of goldfish on hand!
Want to get great cybersecurity content delivered to your inbox? Click here to sign up for our monthly newsletter, Tales from the Click.