Managed service providers (MSPs) and their security-focused counterparts, managed security service providers (MSSPs), play an important role in protecting data and other digital assets and will continue to do so. Some of the benefits include, but are not limited to:

  • Mostly predictable costs, including less burden on capital expenditure, and pay-as-you-go models
  • Dedicated and informed subject matter experts, especially for compliance requirements and staff augmentation during a response
  • Access to advanced technology and scalable solutions with reduced investment
  • Improved downtime response and restoration
  • Around-the-clock coverage, depending on the level of investment you are willing to make

All great stuff to improve your cybersecurity posture and minimize risk. But, like all good things, somewhere there is a cost that needs to be absorbed. That’s where an old business axiom comes in handy: good, fast, cheap – pick any two. Keep this saying in mind as you decide which MSP to use.

Take a look at some of the larger factors.

Read the Contract, Then Re-Read It

Do not be fooled: using an MSP to manage your security or recovery needs does not absolve you of certain tasks. You may be hearing the phrase ‘shared responsibility’ more often lately. It matters. Service providers can only take you so far, and if you do not carry out the tasks that remain yours, you may find yourself on an island wondering what to do after an attack.

One of the simplest examples of shared responsibility comes from cloud service providers (CSPs) and disaster recovery practices. While a CSP is not an MSP in the truest sense, the example is relevant. Simply being in the cloud does not automatically improve your breach readiness. There are steps you need to take, such as configuring services correctly, paying for additional services and performing regular upkeep. CSPs are very good at recovering their own services, but that does not mean your applications and data recover automatically: the provider restores its infrastructure, while your configurations, backups and restore procedures remain your responsibility.

You may think you are getting something on the cheap, but the piper comes for payment during a disruption. Blind trust can leave you in a dark place. CISA offers a quick primer on which responsibilities may fall to the MSP and which to the customer.

What Place In Line Do You Have?

For those of us old enough to remember lining up to get a good seat at a movie theater – four hours for “Batman” in 1989 is my personal best – you are acutely aware of how times have changed. Those were the days of general admission (or first come, first served). Today, you can buy your tickets online and, often for a premium, pick your exact seats, avoiding the lines. Your MSP may work the same way.

MSPs have multiple customers, and it’s no surprise that those who pay a premium will probably get better service. This is less of a problem during an attack limited to your environment. It becomes a problem during a widespread attack, when the provider is handling many customers at once. The SolarWinds campaign is a case study of attackers targeting service providers and resellers.

Who is fixing your house as the service provider is busy fixing theirs?

You need to have a good sense of your risk posture, which you get through risk assessments, business impact analyses and defined recovery time objectives (RTO) and recovery point objectives (RPO). If your RTO and RPO are, say, four hours, but your service provider can only guarantee eight hours during a large-scale attack, you may need to adjust your processes and expectations, start shopping around or get ready to pay a premium. When you make that comparison, use the recovery commitment that applies during a provider-wide incident, not the normal-operations figure.

An Impressive Target to Attack

Since an attacker is not bound by the rules of a decent society, don’t underestimate their creativity. Look at the cases of SolarWinds, Kaseya and, to some extent, Log4j as watershed moments. These incidents widely exposed the vulnerabilities of the software supply chain; Kaseya in particular showed how compromising a tool MSPs use to manage customer endpoints lets an attacker reach every customer downstream. MSPs are just another piece of that same supply chain, and if an actor feels the best vector to you is through your MSP, that’s the route they will take.

The Laundry List of Questions 

The first thing a prospective customer should know about picking an MSP is that there is no single right way; there is only the best answer for you and your organization. To help you determine which is best, here is a list of questions to ask before you decide, in no particular order:

  • What are my responsibilities?
  • What can the MSP guarantee? Any information or audits that can show past performance results?
  • What are the service-level agreements?
  • Where does the MSP store data or perform services? This matters if you have data residency or jurisdictional requirements.
  • Are my recovery requirements met in a worst-case scenario? Avoid ‘best case’ scenario planning, as you only get a skewed picture of response and recovery.
  • Have I performed a financial analysis? Overpaying for services could drain resources from a more exposed area. Plan accordingly.
  • What do the lawyers think of the contract? Is there language that causes concern, such as a force majeure clause that could excuse the provider from performing during exactly the kind of widespread event you are paying to be protected against?
  • What are my backup plans if this MSP cannot continue offering services or they go out of business?
  • Am I vendor-locking myself by using this MSP?
  • What levels of access would I need to give the MSP? Do they really need them? Am I creating a new set of risks as I try to mitigate this one?
  • Is a threat actor likely to target the MSP, and if the MSP is attacked, how does that affect me?
  • What prioritization do I get, if any?

Remember, you inherit the risks of your service provider, which is why there are no clear answers. We have said it multiple times and it is worth repeating: your decisions always come down to your risk tolerance. Choose your dance partner wisely.
