Let’s say you partner with a managed services provider (MSP) to help improve the performance of your risk management. Things are going well, and together you’re taking steps to better understand and manage your enterprise risk model, sketch out your risk appetite, and monitor potential threat indicators in real time—all activities that you would have had limited capacity to accomplish without outside help. To make things easier, your partner has access to some of your web infrastructure, and can make some changes to your system in addition to monitoring.
This may seem like a somewhat dour hypothetical, but this kind of incident is unfortunately far too common. In the past few years, there have been a number of high profile cases of MSPs and MCSPs (managed cyber security providers) getting hit with ransomware and other cyber attacks that ultimately imperil their clients’ systems as well as their own. In fact, it’s increasingly common for attackers targeting a particular company to specifically aim their intrusions at vendors in order to gain access to sensitive systems.
Does this mean that businesses should automatically be wary of MSPs and MCSPs and avoid using them? Absolutely not! On the contrary: the right MCSP can actually be your most valuable asset in managing your IT and applications in a safe way that mitigates risk from vendors.
How is that possible? Read on to find out...
First things first, you need to understand your managed service provider within the context of your existing threat model. Right now, depending on your industry, there might be a handful of ways in which hackers could target your company. There might be vulnerabilities on your website or web applications that allow for intrusions into databases that contain sensitive information about your company or your customers. Conversely, attackers might use email phishing as a way to steal your employees’ credentials and either leak data or wreak havoc in other ways. Or, they might use email as an attack vector to install malware (e.g. ransomware, keyloggers, etc.) onto your system.
Defending against these sorts of attacks is a multi-faceted process. It requires you to examine both access and privileges within your system as well as the internal development processes that potentially produce web application vulnerabilities in the first place. To build a more secure enterprise environment, you’ll need a few things:
These kinds of assessments and plans help to protect you from risk, but they can be daunting—especially when you throw MSPs into the mix. If you’re already in a position where you’re reaching out to managed cyber security services providers to help manage security, it’s possible that you won’t actually have the in-house capacity or capability to check off every box on the list above effectively.
The importance of robust access controls should be more than a little suggestive of how exactly a managed services provider could become an unnecessary risk to your systems. In the same way that an employee account that gets compromised poses a threat to everything that employee has permission to touch, an MSP that gets compromised can impact everything that its permissions grant access to. Thus, if your marketing partner has access to your financial information because of a misconfiguration in how your CRM integrates with the rest of your ecosystem, a security flaw or vulnerability in their IT is essentially a flaw in yours as well.
Again, this isn’t meant to be taken as a discouragement from using MSPs or MCSPs—quite the opposite! For shops looking to gain flexibility and make the most of their existing capacity—especially when it comes to something like cyber security that requires a high baseline of skill and industry knowledge—they can be a great way to improve your operational efficiency and branch out into new competencies. It’s just a matter of understanding the cyber security implications and working with your MSP to address them proactively.
At a relatively high level, there are a handful of strategies that help to shrink the surface area of this particular vulnerability.
By taking these proactive steps, you can create an environment where a vendor that gets hit with a ransomware attack doesn’t have wide enough access to your IT to actually put your data in danger. If an attacker is actively trying to use the vendor to access your systems, these best practices can make that much more difficult.
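The two points above (a compromised vendor reaches everything its permissions touch, including systems reachable through integrations such as the CRM-to-finance misconfiguration; and narrowing vendor access shrinks that reach) can be checked mechanically. The following is an added example, not code from the original post or from Intertec: it models systems and the integrations between them as a directed graph, records what each vendor was granted versus what its role actually needs, and reports each vendor’s blast radius, its excess access, and which sensitive systems a compromise of that vendor would expose. All system names, vendor names, and grants are constructed for the example.

```python
"""Blast-radius review of third-party (MSP/vendor) access.

Added example (not from the original post). Access to a system is assumed to
carry over any integration it has with another system: an edge A -> B means
that whoever controls A can also reach B.
"""
from collections import deque

# Constructed: integrations between internal systems. The crm -> finance edge
# stands in for the CRM misconfiguration described in the post.
INTEGRATIONS = {
    "crm": {"finance"},
    "web-app": {"customer-db"},
    "monitoring": set(),
    "finance": set(),
    "customer-db": set(),
}

# Constructed: what each vendor was granted, and what its contract requires.
VENDOR_GRANTS = {
    "marketing-agency": {"granted": {"crm"}, "needed": {"crm"}},
    "mssp": {"granted": {"monitoring", "web-app"}, "needed": {"monitoring"}},
}

# Constructed: systems whose exposure counts as a data-breach risk.
SENSITIVE = {"finance", "customer-db"}


def reachable(start, integrations):
    """Breadth-first walk: every system reachable from `start` via integrations."""
    seen = set(start)
    queue = deque(start)
    while queue:
        node = queue.popleft()
        for nxt in integrations.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(vendor, grants=VENDOR_GRANTS, integrations=INTEGRATIONS):
    """Everything an attacker holding this vendor's access could reach."""
    return reachable(grants[vendor]["granted"], integrations)


def excess_access(vendor, grants=VENDOR_GRANTS, integrations=INTEGRATIONS):
    """Systems in the blast radius that the vendor's role does not need."""
    return blast_radius(vendor, grants, integrations) - grants[vendor]["needed"]


def review_vendors(grants=VENDOR_GRANTS, integrations=INTEGRATIONS, sensitive=SENSITIVE):
    """Per-vendor findings: blast radius, excess access, sensitive systems exposed."""
    findings = {}
    for vendor in grants:
        radius = blast_radius(vendor, grants, integrations)
        findings[vendor] = {
            "blast_radius": radius,
            "excess": radius - grants[vendor]["needed"],
            "sensitive_exposed": radius & sensitive,
        }
    return findings


if __name__ == "__main__":
    for vendor, result in review_vendors().items():
        print(f"{vendor}:")
        print(f"  reachable on compromise : {sorted(result['blast_radius'])}")
        print(f"  beyond stated need      : {sorted(result['excess'])}")
        print(f"  sensitive systems hit   : {sorted(result['sensitive_exposed'])}")
```

Run against the constructed data, the marketing agency shows `finance` as excess access even though it was only granted the CRM, because the integration carries the access along; the MSSP shows `web-app` and `customer-db` as excess because the extra grant was never in its stated need. Removing the unneeded grant or breaking the integration edge is what the post’s best practices amount to, and re-running the review confirms whether the change actually shrank the blast radius.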
This is all well and good—but, especially in cases where you’re working with a managed cyber security services provider, there’s also a decent chance that these best practices are going to be hard to follow. After all, they require a strong cyber security posture and a lot of ongoing effort, which is exactly what you’re paying your MCSP for in the first place. In other words, you’re potentially using up capacity and resources on cyber security nitty-gritty—the very same resources you’re trying to preserve by outsourcing in the first place.
The situation described above presents something of a conundrum for CIOs, CISOs, and other decision-makers: how do you operationalize best practices that you don’t have the in-house resources or knowledge to handle? Ultimately, you have to fall back on the vendor selection process to choose a cyber security services provider who displays competencies in these areas and can help you to defend your applications from any potential vendor-related vectors.
This might sound paradoxical, but in reality it’s not that strange. To entrust your security to an outside vendor to begin with, you need to have a high degree of trust both in their business and in their expertise. In other words, you need to find an MCSP who already knows how to perform micro-segmentation, set up firewalls, and keep applications properly configured and up-to-date. If you’re considering working with someone, these capabilities should already be at the top of your wish list—indeed, the ability to manage the more mundane side of things (e.g. software updates and best practices, managing permissions, staying current on new guidelines and attack vectors) is just as important as sexier activities like conducting pen tests and doing incident response.
To put it bluntly, if you’re working with an MSP or MCSP, you already know that it’s not always in your best interest to go it alone. When it comes to something as complex as managing the cyber threats that arise as a result of vendor integration, this is especially true.
Okay, let’s say you decide that the right MCSP is the best way to address digital threats like the ones that come from partner organizations—are you only paying for protection and nothing else? Not necessarily. In some sense, a partnership like the one we’ve been describing above stands to help integrate a more holistic view of security into your larger operations. An MCSP that can cover web application vulnerabilities with an application shield, for instance, can help you avoid the ongoing cycle of panicked code remediation and rushed software releases, and take a more proactive and less reactive stance when it comes to security. This is, of course, a topic that we’ve expanded on at length elsewhere—but it bears mentioning that the very same tactics that enable you to keep your MSPs from becoming a threat can help you to evolve your development life cycles.
Intertec provides cutting-edge managed cyber security services based on sophisticated application shielding technology—helping global businesses to cut down on code remediation costs while preventing data breaches. Click here to learn more. Prefer a personal consultation? Go ahead and schedule a meeting with us here!