If you have a managed service provider (MSP), you are already doing the right thing. We have written in the past that in business it is a good idea to stick with what you are good at and pay someone else for specialty work. You pay for lawyers. You pay for accountants. Pay for IT in the same way. But just as with all of those professions, it pays to periodically check on your MSP to make sure they are doing the job you are paying them to do.
What am I paying for?
Many MSPs will help set your office up with technology and network access. They will come in and implement your domain controllers, email servers, and network switches. They will sell you computers for your employees and software for those machines. On an uncomfortable number of occasions, though, we are finding that if you do not ask for a network security device or implementation, you will not get one. A good MSP will also make sure that the network security devices you currently have in place are still recommended for your size and needs, since both will change as your business grows.
A good MSP will regularly check in with you to make sure everything is still performing correctly. Recently, we have seen some MSPs not working with their customers to maintain their network and hardware. While they provide break/fix support, they do nothing to proactively look at the health and longevity of the hardware and software environments. Regular check-ins should be mandatory to ensure that hardware is replaced before it reaches end of life, that software and operating systems remain supported and properly licensed, and that all other operational tasks are performed. Your MSP should be like a CIO – focusing on both strategy and tactical capability.
But remember – even the best CIOs’ environments are held in check by a committed CISO. And a managed environment requires the same checks and balances. Is your MSP checking themselves?
How do I protect myself?
As I said earlier, it isn't up to you to know exactly what must be done to keep your network safe, only that it needs protection. Hiring a third party to verify network implementations, check for security vulnerabilities, and provide suggestions on how to better secure your infrastructure on a periodic basis is just as important as, if not more important than, the IT MSP itself. Here are some things that a third-party cyber security company can perform:
- Vulnerability Assessment. This usually includes a scan of all of the computers on your network (servers, desktops, etc.) to produce a list of currently known vulnerabilities your environment is susceptible to. The final report should list the vulnerabilities, their severities, and a remediation plan describing how and in what order they should be fixed.
- Penetration testing. A security contractor obtains written permission from the client, defining the scope and rules of engagement, and then performs an attack on the client's network. This simulates an attack by a malicious actor so that the client can understand how their security systems will perform under a real attack scenario.
- Social Engineering test. Using emails, phone calls, and other forms of communication, the security professional attempts to gain knowledge, access, or both, from employees of the client's company. The goal of this exercise is to determine how well-versed employees are in handling social attacks, so that the client can deliver focused training afterwards.
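To show what the "list of vulnerabilities, severities, and a remediation plan" in a vulnerability assessment report actually means in practice, here is an added example (not code from the original post or from any scanner vendor) that takes raw scanner findings and turns them into a prioritized, de-duplicated plan. The host names, finding names and CVSS scores in `SAMPLE_FINDINGS` are constructed sample data; the severity bands are the standard CVSS v3.x qualitative rating scale.

```python
"""Turn raw scanner findings into the prioritized remediation list a
vulnerability assessment report should deliver.

Added example; the findings below are constructed sample data, not
output from any real scanner."""
from collections import defaultdict


def severity(score):
    """Map a CVSS v3.x base score to its qualitative rating.

    Bands per the CVSS v3.1 specification: None 0.0, Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed sample findings (hypothetical hosts, weaknesses and scores).
SAMPLE_FINDINGS = [
    {"host": "fileserver01", "finding": "SMB signing not required", "cvss": 5.3},
    {"host": "dc01", "finding": "SMB signing not required", "cvss": 5.3},
    {"host": "web01", "finding": "TLS 1.0 enabled", "cvss": 4.3},
    {"host": "web01", "finding": "Unsupported web server version", "cvss": 9.8},
    {"host": "hr-laptop-07", "finding": "Missing OS security updates", "cvss": 7.8},
    {"host": "dc01", "finding": "Missing OS security updates", "cvss": 7.8},
    {"host": "printer02", "finding": "Default SNMP community string", "cvss": 7.5},
    {"host": "kiosk01", "finding": "Informational: banner disclosure", "cvss": 0.0},
]


def remediation_plan(findings):
    """Group findings by weakness so that one fix is listed once together
    with every affected host, ordered worst-first."""
    by_finding = defaultdict(lambda: {"hosts": set(), "cvss": 0.0})
    for f in findings:
        entry = by_finding[f["finding"]]
        entry["hosts"].add(f["host"])
        entry["cvss"] = max(entry["cvss"], f["cvss"])

    plan = [
        {
            "finding": name,
            "severity": severity(entry["cvss"]),
            "cvss": entry["cvss"],
            "hosts": sorted(entry["hosts"]),
        }
        for name, entry in by_finding.items()
    ]
    # Highest score first; ties broken by number of affected hosts, then name.
    plan.sort(key=lambda p: (-p["cvss"], -len(p["hosts"]), p["finding"]))
    return plan


def severity_counts(findings):
    """Count individual host/finding pairs per severity band for the summary."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "None": 0}
    for f in findings:
        counts[severity(f["cvss"])] += 1
    return counts


def format_report(findings):
    """Render the summary line plus one action line per actionable weakness."""
    lines = ["Summary: " + ", ".join(f"{k}={v}" for k, v in severity_counts(findings).items())]
    for item in remediation_plan(findings):
        if item["severity"] == "None":
            continue  # informational only; nothing to remediate
        lines.append(
            f"[{item['severity']}] ({item['cvss']}) {item['finding']} "
            f"- hosts: {', '.join(item['hosts'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_FINDINGS))
```

Grouping by weakness rather than by host is deliberate: "Missing OS security updates" on two machines is one patching task, and the report should say so. When you review your MSP's or assessor's report, look for exactly this: a severity that is consistently derived from the score, and an ordering that tells you what to fix first.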
Verification of your network and hardware implementation is extremely important. You need to be sure that your network is as secure as it can be. If your MSP is not doing this, or if you're unsure whether they're doing it well, engage a cyber security assessment company to take a look. Even the best MSPs can use some checking to ensure they continue on the right path to keeping your crown jewels secure.