Outsourcing IT operations to managed IT services providers (MSP) is a common trend for a business looking to maintain its operational efficiency while cutting down on cost. In addition to assisting with IT infrastructure management, 38 percent of businesses that hire an MSP do so with the expectation that their business will have enhanced security and meet regulatory compliance requirements. However, it is critical to understand that “IT management” and “IT security” are not synonymous. Failing to understand the difference between the two can result in dangerous and expensive outcomes for your business.
IT shortcomings affect security.
“There’s nothing you can do. Just pay it,” a business owner was told by his MSP after his firm was hit with a $50,000 ransomware attack. It’s not an answer any company wants to hear after falling victim to hackers, and it was not long after this conversation that our incident response team received a call wondering if something could be done besides “just paying it” or losing data.
Further conversations revealed important details about the firm’s post-attack situation. The victim had no data backups or records of security events. Additionally, all files had been deleted from the affected laptop, and the phishing email that initiated the incident was destroyed by the MSP in a misguided attempt to respond to the incident. These combined factors turned what should have been an easily manageable ransomware situation into an unnecessarily complicated and costly incident. Furthermore, all actions taken after the attack were completely reactionary and no measures were taken to prevent the same attack from being successful again in the future.
Unfortunately, this scenario is not unique. Cases of incidents that could have been avoided by simple, low-cost IT configurations and user training are cropping up at our office with increasing frequency. In the past six months alone, we have seen the following issues while responding to security incidents:
- Clients and MSPs with no incident response plan
- Clients with no data backups or clients who did not fully understand how their data was being backed up
- No tools in place to keep records of important, security-related actions that have taken place in the company network or these tools not being properly utilized
- “24/7” IT service providers that were completely unresponsive during weekends
- Corporate and guest WiFi networks that are not properly separated from one another and secured
Each of these shortcomings can make preventing, detecting and responding to security incidents much more difficult or even impossible.
Questions to ask before choosing an MSP
Security issues, like the ones listed above, result from providers underperforming or misrepresenting their capabilities. However, others are due to the customer not understanding or requesting the services and solutions they need.
Most organizations that contract MSPs do so because they do not have the expertise to effectively handle these issues in-house. It is obvious to these businesses they need help to keep their IT resources running, but failing to consider security when choosing an MSP presents risk. With this in mind, business leaders searching for IT help should include the following considerations in their decision-making process:
1. Make sure you understand what security services you need and ask for them by name.
Ask specific questions to ensure that you understand what you are getting. For example, if you are purchasing data backup services, make sure that you know where the data is backed up, how long it is stored, how many versions of your data are kept and how long it takes for data to be restored from backups. If you are satisfied with the answer, make sure to get it in writing.
2. Ask about the MSP’s own incident response plans and how they will help you handle potential security incidents.
What is their response time? Do they perform incident response services? Do they have a partner or recommended firm for these actions? A lack of an incident response plan for their own business security should be a major red flag.
3. Have a “technical translator.”
Asking MSPs security-related questions is only valuable to your firm if you can understand the answers and determine what it means to your business. If your team does not have any security-minded people on staff to conduct interviews with MSPs, consider hiring a security consultant that can speak with service providers with you or on your behalf. Upon engaging an MSP, a third-party security consultant can work with you and potential service providers to ensure your IT infrastructure is designed with your business’s best interests in mind.
4. Make sure your security measures are effectively implemented.
Once the systems and services are in place, have your security consultant perform an audit of their solutions and services to ensure that all security measures and processes are implemented in manner that allows your business to be operational without putting your business’ security on the line.
It cannot be assumed that a MSP will fill the role of a trained security specialist. Being mindful of the differences between IT and security and understanding their roles and implications of your business is critical to having business operations that are both functional and secure. Being upfront with MSP candidates about your security concerns, asking pointed questions about your security needs and being prepared to interpret technical answers is critical for all businesses choosing an MSP.