5 questions to ask your managed service provider
Checklist to ensure strong controls on how your environment is accessed
MSP ransomware attacks last year exposed unique incident response challenges. For small businesses that rely completely on outsourced IT, a massive ransomware attack across clients draws on the MSP’s resources and inevitably leaves many businesses in the dark. Small business owners without a technical background struggle to understand and assist the external legal and forensics vendors hired to help them respond to the attack. The response is further complicated when the MSP itself is also infected with ransomware. Where an attack group knows it has hit an MSP and also infected downstream clients, it may refuse to negotiate with the end clients and instead respond only to the MSP in order to increase its ransom demands. This tactic can also leave clients with little to no control over their data and software recovery.
If your organization uses an MSP as its IT solution, Lodestone Security recommends strong controls around the central server that the MSP uses to access your environment. In vetting a potential MSP, consider asking the following:
- Is there a security program in place, including periodic risk assessments to identify areas for improvement?
- Is there ongoing security awareness training across the organization?
- Is there an SSAE 18 SOC 2 Type II report or similar type of report available to customers, attesting to the security control environment?
- If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g. encryption, secure remote connections, restricted access, logging and monitoring)?
- Are security and availability requirements enforced in master service agreement contracts (e.g. sensitive data protection, uptime guarantee / service level agreements, security incident reporting / coordination, regulatory compliance requirements)?
Lodestone Security is a wholly-owned subsidiary of Beazley plc that was created to provide cybersecurity consulting services tailored to the small and mid-sized business market.