How can MSPs ensure their own cybersecurity?

Managed service providers (MSPs) are at the leading edge of delivering cybersecurity services: they provide and procure vital perimeter protections for most of their clients as part of their service packages.

However, MSPs themselves are vulnerable to compromise, and a breach of an MSP can expose every client it serves, along with their valuable information and trade secrets. That is what makes MSPs such tempting targets. Headline-grabbing incidents have breached MSPs large and small, showing that both are at risk.

How can MSPs safeguard their own perimeters?

Adam Ennamli is the Chief Risk and Security Officer at General Bank of Canada, where he oversees the evolution and management of all enterprise-wide risk programs. He offered his thoughts to SmarterMSP.com on how MSPs can keep themselves safe.

“MSPs are critical to their clients’ cybersecurity, but they’re also prime targets for attackers,” Ennamli states, adding that part of the cyber risk is actually transferred to them, so protecting themselves also includes protecting their clients. “Therefore, they must adopt a robust security posture.” He notes that a robust MSP security program should include:

  • Implementing zero trust principles, meaning limiting access to only what’s necessary and constantly monitoring for anything unusual.
  • Establishing pragmatic, tested controls for remote access tools.
  • Keeping pace with audits.
  • Dialing up practical education.

Ennamli explains that essential security controls that are non-negotiable for MSPs include network segmentation, multi-layer backups, and constant monitoring. “MSPs can ensure their defenses are as strong as the services they provide by demonstrating effective implementation, adhering to industry standards with verifiable compliance measures and being ahead of emerging threats.” He then adds that MSPs face a choice when it comes to security: they can either handle it in-house or hire another MSP.
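The two controls above that lend themselves to code are least-privilege access for remote access tools and constant monitoring for anything unusual. The following is an added example written for this article, not code from Ennamli or from any MSP product: it audits a constructed remote-access (RMM) session log against a per-technician client allowlist, working hours, a trusted source network and MFA, and separately flags a technician who reaches many distinct client tenants in a short window, the pattern a compromised MSP account produces when an attacker fans out across tenants. The log format, technician names, client tenants, IP ranges and thresholds are all assumptions made up for illustration.

```python
"""Least-privilege and anomaly checks over remote-access (RMM) session logs.

Added example, not code from the original article. The log format,
technician allowlist, trusted network and thresholds are assumptions
constructed for illustration only.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access policy: which client tenants each technician may touch,
# and the local working-hours window for interactive sessions.
ALLOWED_CLIENTS = {
    "alice": {"acme", "globex"},
    "bob": {"initech"},
}
WORK_HOURS = (7, 19)  # 07:00 inclusive to 19:00 exclusive
TRUSTED_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed technician VPN range
MASS_ACCESS_LIMIT = 3                  # distinct clients within MASS_ACCESS_WINDOW
MASS_ACCESS_WINDOW = timedelta(minutes=10)

# Constructed sample log: ISO timestamp, technician, client tenant, source IP, MFA flag
SAMPLE_LOG = """\
2024-05-01T09:02:11 alice acme 203.0.113.10 mfa=yes
2024-05-01T09:15:40 alice globex 203.0.113.10 mfa=yes
2024-05-01T09:20:05 bob initech 203.0.113.22 mfa=no
2024-05-01T23:41:00 alice initech 198.51.100.7 mfa=yes
2024-05-01T23:42:10 alice acme 198.51.100.7 mfa=yes
2024-05-01T23:43:30 alice globex 198.51.100.7 mfa=yes
"""


def parse_log(text):
    """Turn the whitespace-separated log into session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tech, client, ip, mfa = line.split()
        sessions.append({
            "time": datetime.fromisoformat(ts),
            "tech": tech,
            "client": client,
            "ip": ipaddress.ip_address(ip),
            "mfa": mfa == "mfa=yes",
        })
    return sessions


def check_session(s):
    """Per-session policy checks: least privilege, MFA, hours, source network."""
    findings = []
    if s["client"] not in ALLOWED_CLIENTS.get(s["tech"], set()):
        findings.append("unauthorized_client")
    if not s["mfa"]:
        findings.append("no_mfa")
    if not (WORK_HOURS[0] <= s["time"].hour < WORK_HOURS[1]):
        findings.append("outside_hours")
    if s["ip"] not in TRUSTED_NET:
        findings.append("untrusted_source")
    return findings


def detect_mass_access(sessions):
    """Return technicians who touched MASS_ACCESS_LIMIT or more distinct
    clients inside a sliding MASS_ACCESS_WINDOW (tenant fan-out)."""
    by_tech = defaultdict(list)
    for s in sorted(sessions, key=lambda x: x["time"]):
        by_tech[s["tech"]].append(s)
    flagged = set()
    for tech, rows in by_tech.items():
        for i, start in enumerate(rows):
            clients = {r["client"] for r in rows[i:]
                       if r["time"] - start["time"] <= MASS_ACCESS_WINDOW}
            if len(clients) >= MASS_ACCESS_LIMIT:
                flagged.add(tech)
                break
    return flagged


def audit(text):
    """Run all checks; return (per-technician findings, fan-out technicians)."""
    sessions = parse_log(text)
    report = {}
    for s in sessions:
        f = check_session(s)
        if f:
            report.setdefault(s["tech"], []).append(
                (s["time"].isoformat(), s["client"], f))
    return report, detect_mass_access(sessions)


if __name__ == "__main__":
    report, fanout = audit(SAMPLE_LOG)
    for tech, rows in report.items():
        for when, client, f in rows:
            print(f"{when} {tech} -> {client}: {', '.join(f)}")
    print("tenant fan-out:", sorted(fanout))
```

The per-session checks encode "only what's necessary" as an explicit allowlist rather than a deny list, so a technician reaching a tenant nobody granted is a finding even when the session is otherwise clean; the fan-out check is the "anything unusual" half, and it fires on the night-time run in the sample even though each individual session used MFA.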

“The decision depends on their resources and expertise, and ultimately, market convergence should be a risk that someone needs to monitor, meaning, if all MSPs start delegating to each other, all protection risk will converge towards a handful of actors, leading to strong concentration risk,” Ennamli shares. He notes that while some MSPs have the skills to manage their security internally, others may benefit from outsourcing to a specialized provider for audits, threat hunting, or advanced protection. “A hybrid approach—combining in-house management with third-party expertise—can offer the best of both worlds.” He notes that, fundamentally, principles like transparency, partnership, and constant improvement will be the key to maintaining the trust of the market and staying secure in the threat landscape.

Additional insights

Bob Leonard is an independent cybersecurity specialist who works with MSPs on their security. He says the key to success is that MSPs need to treat themselves as they would treat one of their clients. “And if they can’t do that, then they should outsource to another MSP. Some MSPs, whether they are one-person shops or large enterprises, are ‘too close’; they are so emotionally and economically tied into their own well-being that it impacts their decision making.”

For an MSP to be successful with its own security, it has to take a clinical, non-emotional, non-economic approach. “An MSP can’t factor in anything but ‘what is the best cybersecurity plan for our business’; anything less than that compromises all your clients,” Leonard says.

Leonard shares that CISA offers good tips and steps for do-it-yourself MSPs who wish to keep the work in-house. “But generally I recommend an MSP outsource their own security. There are good arguments on both sides. While no one has more at stake in their security than the MSP, they are often too close to the situation. They have too much at risk to handle it effectively and without emotion.”

MSPs are prime targets for cyberattacks. To protect themselves, they must adopt strong security measures like zero-trust, remote access controls, and regular audits.

This post originally appeared on Smarter MSP.