Does Your Managed Service Provider Have the Right Internal Controls in Place?

From outsourced accounting and legal support to IT and human resources, the use of third-party service providers is on the rise as businesses look for ways to increase operational efficiencies and cut costs. This strategy has proven extremely effective for businesses of all sizes and in all industries. But with reward comes risk, and outsourcing IT services can be particularly chancy if your managed service provider (MSP) doesn’t have the right guardrails in place.

An MSP provides various IT services such as help desk, hardware procurement, disaster recovery, cloud storage, systems security, systems management, and more. These providers are able to negotiate service packages individually for each customer based on priorities, budget, and contractual obligations.

You would like to think that outsourcing these services to a subject-matter expert will help reduce your information security risk. Unfortunately, this is not always true. Case in point: the 2020 SolarWinds breach. SolarWinds is a publicly traded American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. In December 2020, SolarWinds disclosed it was the subject of a cyberattack that spread to its clients and went undetected for months. Hackers were able to compromise a certain tool that SolarWinds sold to customers, which gave the bad actors a digital back door into as many as 18,000 customers as well as its own Microsoft 365 accounts.

While this attack hopefully wasn’t applicable to your business, it could have been applicable to your MSP. The takeaway? Discuss security with those that have privileged access to your systems, which includes your MSP.

It is critical to perform due diligence on your MSP to ensure it can prove it is operating in a manner that does not open up your company to a down-stream security risk. The formal term for this type of diligence is called vendor risk management. There are many ways to approach this. Methods include, but are not limited to:

• Ask your MSP a clear a set of security-related questions on a periodic basis. There are plenty of sample questions available through organizations such as the Center for Internet Security (CIS), National Institute of Standards and Technology (NIST), and Vendor Security Alliance (VSA). These questions can include areas that relate to data protection and access controls, polices and standards, proactive security, reactive security, compliance, among others.
• Request a copy of your MSP’s independent audit of their information security-related controls. This is most commonly done through a System and Organization Controls (SOC) 2 Type II examination. Similar to providing a financial statement audit from an independent Certified Public Accountant to a banker or an investor, a SOC provides an independent auditor’s opinion over the MSP’s security controls over a defined period of time.
• Monitor and review your contract with your MSP on an ongoing basis. Understand the service-level agreements (SLAs) that you’re paying for, and make sure you are monitoring their performance. For example, what are your helpdesk response times? How long are records be kept? How is personal and financial data be protected? Reviewing these contracts and SLAs not only provide accountability, they curb risk.

While it might seem overwhelming to have these conversations with your MSP, it is critical that you do so. MSPs are not immune to security breaches, which means your company isn’t either. For assistance with these conversations, contact your KSM advisor or complete this form.