Cyber Security Managed Services 101
MSPs can also perform regular testing of backups and disaster recovery plans to ensure that the most effective processes, procedures, and policies are in place when an attack strikes. Lastly, they can provide ongoing cyber awareness training to address user-specific paths like phishing and poor security hygiene, if contractually obliged.
Cyber insurance
No longer a nice-to-have, cyber insurance is an absolute must for organizations of any size. Unfortunately, an uptick in ransomware attacks and costly extortion demands has caused cyber insurance carriers to tighten requirements and even introduce new mandates. The swift changes to the cyber insurance market have left some businesses confused on what they need to obtain or renew coverage. And since you only have one attempt at applying for cyber insurance with certain carriers, you need to have your ducks in a row.
Some MSPs are quite familiar with the cyber insurance procurement process and can help businesses vet potential carriers. They can also assist in ensuring you’re leveraging the correct technology and best practices to meet minimum requirements. A truly savvy MSP could provide guidance on how to go above and beyond with innovative technologies and solutions, which could potentially impact the cyber insurance quote.
Considerations when evaluating MSPs
Think of shopping for an MSP like choosing a car; usually you’d have a rough idea of what model you need (compact, SUV, minivan), the features you want (heated seats, sunroof), and your price range, all based on your needs and budget.
Similarly, you need to evaluate your budget, existing resources, and security needs so you can make an informed decision when shopping around for an MSP. The more you understand your current state, including weaknesses and future goals, the better positioned you will be to craft a satisfactory contract with your MSP. One size does not fit all.
The Cybersecurity and Infrastructure Security Agency (CISA) created the Risk Considerations for Managed Service Providers report to help businesses strategically select the right partner. The framework is composed of the following three components:
Strategic decision making
CISOs and security leaders need to balance cost with effectiveness when considering MSPs. For example, if you’re hiring a chef, do you have the budget for them to bring their own farm-to-table, organic ingredients, or will you provide what they need at a lower cost?
Furthermore, will the chef be responsible for cleaning the kitchen afterward, or will you be? Establish specific security roles and responsibilities for internal teams, the MSP, and both parties, to ensure maximum efficiency without disrupting workflows.
Next, evaluate your existing security tech stack and organizational capabilities. What security gaps and risks do you need the MSP to help address? If you want a chef to make brick oven pizza at home, do you have the right appliance, or will they need to bring their own?
Similarly, if you want the MSP to enhance detection and response, do you have a unified cybersecurity platform in place with XDR capabilities, or are you still using siloed point products? Or does the MSP need to integrate their own tech into your existing ecosystem?
Lastly, whatever gaps and risks are surfaced during this process need to be fully addressed to improve your security posture, whether you go with an MSP or not. These adjustments will come with a price tag, which can further assist you in establishing a budget and avoiding “hidden costs” that may be blamed on the MSP. When estimating fees, make sure you consider the upfront and ongoing costs of implementing new technology.
Operational decision making
A disorganized approach to procurement and security operations will increase cost and supply chain cybersecurity risks. To avoid this, clearly articulate requirements in a contract and ensure you thoroughly vet the MSP by requiring the following prior to entering an agreement:
- Performance related service level agreements
- Detailed guidelines for incident management
- Software Bill of Materials (SBOM)
- Log and records maintenance as well as direct access to systems
- Documents to thoroughly vet employees to minimize risks of IP theft, manipulations, or operational disruptions
- Transition plan to support a smooth integration
- Notification of any sub-contractors and independent consultants that would potentially expose the org’s data to another external party
- Protocol for planned network outages
- Documentation of the MSP’s financial health, performance record for other clients, and disclosure of any previous legal issues
Tactical decision making
Internal security practices should extend to MSPs’ networks to minimize associated risks. This includes access controls such as leveraging a zero-trust strategy where access is only provided to the necessary resources.
If the MSP is bringing in their own tools and solutions, make sure you have supply chain security controls in place and implement the appropriate monitoring and logging of MSP managed systems.
Establish a strong risk assessment procedure that leverages automation, AI, and machine learning to monitor and log the provider’s presence, activities, and connections to your network. Implement a policy that defines the risk threshold, so that connections exceeding it are automatically terminated to minimize the scope of a potential attack.
Next Steps
In today’s evolving threat landscape, effective and efficient cybersecurity is critical to business success. As I said, getting the most out of your MSP starts with evaluating weak areas and your current security stack. To learn more about evaluating cyber risk, check out the Trend Micro Security Assessment Service and Public Cloud Risk Assessment.