Enterprises of all sizes hire managed IT service providers to secure their platforms. They do this to ensure their technology infrastructures are performing optimally to support growth and profitability.
But not all managed service providers (MSPs) have the knowledge and training to keep pace with today’s rising tide of cybercrime. If you choose one without adequate security expertise, you may be risking a crippling data breach or devastating ransomware attack.
More and more businesses today are outsourcing some of their technology management, maintenance, and support needs.
On a global scale, the managed IT services marketplace is growing at a rapid pace, from approximately $156 billion in 2017 to a projected $296 billion in 2023, for an expected compound annual growth rate (CAGR) of 11.3 percent.
It’s understandable: Opting to hire an MSP affords access to an outside expert with technical expertise, specialized training, and hard-to-find skills. This can relieve your internal team of burdensome duties and reduce the business’ labor costs.
Unfortunately, however, outsourcing can come with hidden risks. Any third-party provider tasked with administering your IT systems will naturally have access to your data, including information that you may not have considered valuable or vulnerable, like intellectual property or employees’ social security numbers.
How well your MSP secures its own infrastructure naturally impacts how secure yours will be if you’re using any type of remote management or monitoring services.
How carefully—and intelligently—your provider advises you on technology updates, software patches, and cybersecurity policies and procedures can have an enormous impact on the security of your business.
How Outsourced IT Services Can Impact Your Business’ Cybersecurity Risk Profile
- Mitigate danger of obsolete technologies and an outdated mindset
- Keeps up with modern cybersecurity demands
- Answers 5 main questions about cybersecurity providers
Mitigate Danger of Obsolete Technologies and an Outdated Mindset
Today’s cybercriminals are more professional and sophisticated than ever before. Nation-state level threat actors are using technologies such as machine learning to find vulnerabilities in systems, and ever-more effective tactics to compromise systems and exfiltrate data without being noticed.
Ransomware is growing more prevalent, with experts estimating that attacks are now occurring, on average, every 14 seconds.
According to the FBI, the collective impact of cybercrime costs businesses about $3 billion per year.
Software developers and hardware manufacturers alike have long taken a reactive approach to securing IT infrastructures. Probably the best-known example of this approach can be seen in the premise behind antivirus software, whose protection is compromised if even a single user is not running the very latest version of the antivirus software.
Antivirus software is among the oldest of the implements in the cybersecurity professional’s toolkit, and criminals figured out ways of getting around it some time ago, for example by creating polymorphic, or shape-shifting, malware that changes the parts of its code that signature-based algorithms look for each time it executes.
But the premise behind it—that technologies must be updated to counter or protect against every new threat as soon as it is detected—remains foundational in the cybersecurity industry today.
This means that the latest version of a software application, containing the most recent updates, will almost always be the most secure. It means that the newest hardware devices—ranging from servers and firewalls to new “smart” sensors with built-in on-chip protections—will have superior protections. Sounds cost-prohibitive, right?
In reality, of course, every organization’s budget is limited. Helping you decide which technology investments make the most sense, and where you’ll get the biggest security “bang for your buck,” is an area where an experienced IT service provider can add tremendous value.
Your provider will have spent many years working with technologies from different vendors, so they’ll know which offerings live up to their sellers’ promises, which ones may be challenging to integrate into your environment, and which aren’t worth their cost.
They’ll also be able to advise you on adopting business processes and encouraging employee habits that can greatly enhance your security — even though they cost little or nothing to put in place. Plus, they’ll be able to explain why antivirus software no longer offers adequate protection for even the simplest of business IT environments.
Buyer Beware: Not All MSPs Keep Up with Modern Cybersecurity Demands
Most service provider contracts stipulate how long their help desk will take to answer questions, how quickly technical staff will respond to problems, and which other services they provide. Many offer guarantees of system uptime or performance, but few if any are willing to guarantee that your data will remain safe while under their care.
Even though increasing numbers of MSPs are purchasing liability insurance, it’s you—not the provider—who will be responsible for any financial penalties you incur if you’re the victim of a breach.
If, for example, you are found to have failed to comply with regulations like the Health Insurance Portability and Accountability Act (HIPAA), you’ll face fines. If you’re sued by customers or irate ex-employees, you’ll have to pay attorney charges, court fees, and whatever settlement costs are awarded. And your provider will not cover the costs of lost revenue—or customers who turn to your competitors—if your business shuts down temporarily in the wake of an attack.
Furthermore, despite the rapid recent growth it has experienced, the market for managed services remains fiercely competitive. Some MSPs try to win customers away from rival companies by undercutting their prices.
Because they’re unlikely to be held liable for the security of your data in case of a catastrophic breach, and because their internal security policies and technologies may be invisible to you, cybersecurity is often an area in which providers are tempted to cut corners.
Prevailing attitudes among business decision-makers compound the problem. Even though recent research shows that 43 percent of cyberattacks deliberately target small businesses, many small business leaders believe that their organizations’ risks are lower than those of major enterprises.
In fact, smaller businesses may not be as likely to have budgeted for the latest—and most secure—technologies, developed and tested a disaster recovery plan, or established 24/7/365 network monitoring capabilities. Cybercriminals know this. Make sure your MSP does, too.
5 Questions to Ask When Looking for an IT Service Provider
The quality of the cybersecurity services that an MSP offers should be a core differentiator when you are evaluating providers. Of course, “quality” is a subjective term, and it’s notoriously difficult to develop accurate and concrete metrics for risk reduction.
Nonetheless, your business’s resilience—and future survival—could well depend upon your ability to assess the quality of a cybersecurity service offering.
Here are five essential questions you must ask any potential MSP:
- Do you know what is connected to our systems?
- Do you know what is running on our network?
- Are you certain we have the right controls in place?
- Are we protected by continuous processes?
- Can you prove it?
By asking these questions, you’ll have more confidence in your choice of MSP, leading to more security for your business.
Transparency, Authenticity, & Trustworthiness: The Top Three Qualities in an MSP
Ultimately, you’re looking for an MSP who will rely on the latest technologies to gain visibility into what’s happening in your IT environment, and who will monitor that environment at all times.
What sets truly outstanding providers apart is a commitment to operational transparency—allowing you to see exactly what they’re doing on your behalf and being patient enough to explain why they’re doing it.
When you’re evaluating managed service providers, security should never be an afterthought.