15 Questions to ask your IT Service Provider right now

If you’re a small or medium-sized organisation, it’s likely that you’ve out-sourced your IT services to a Managed Service Provider (MSP). They, in turn, are using third-party vendors to host your infrastructure, such as websites, emails, and applications – further abstracting the underlying software, hardware, and technology powering your business.

Engaging an MSP is a no-brainer for most customers – even many of the largest enterprises out-source at least a portion of their IT operations to third-parties as it’s always more cost-effective than bringing these functions in house. However, it’s important to recognise that your MSP is also servicing hundreds of other customers, all competing for their attention to resolve issues, reset passwords, and procure more hardware. As previously discussed, your MSP’s business model is more aligned with ensuring your systems are operational (available) than ensuring they’re secure.

And what about the MSP themselves? MSP’s have their own infrastructure to secure, as well as the many platforms used to support their customers, including ticketing systems, password managers, remote access tools, and knowledge bases. These tools may contain the keys to your entire organisation, as well sensitive information about your business, employees, and customers, making them a prime target for threat actors.

This article isn’t meant to spread fear, uncertainty, and doubt, but it is important to recognise that, supply chain attacks against MSP’s are a growing trend:

• New Zealand businesses ransomed by LockBit 3.0 after Mercury IT cyberattack – Tech Monitor
• Experts warn of hacker claiming access to 50 U.S. companies through breached MSP – The Record
• Kansas MSP shuts down cloud services to fend off cyberattack – Bleeping Computer
• MSP hacks are growing and here’s what to do about them – Cyber Talk

In addition, in order to streamline operations, MSP’s have been known to cut corners when it comes to security, such as sharing passwords between employees, using the same passwords across customers, and won’t change passwords when employees leave.

Finally, MSP’s pride themselves on providing end-to-end IT services and support of your entire technology stack: software, hardware, networking, email, infrastructure, and cloud. Many are also offering cyber security services, and may claim to have adequately secured themselves and their customers – however unless they’ve engaged a third-party to assess their security, such as a penetration test, red team engagement, or audit against a standard or framework, such claims may present a conflict of interest.

Question time

That’s why it’s time to have a frank conversation with your MSP or IT Services provider about security – how they protect your company, and how they protect themselves. I’ve listed 15 questions to ask your MSP to the discussion going. Feel free to copy this list as is and forward it to your provider:

• What is the biggest cyber security breach you’ve responded to and what was the outcome?
• Are you aligned with and security frameworks or standards such as ISO27001, NIST CSF, or the ACSC Essential Eight? Have you been independently assessed against any of these standards and have to achieved accreditation or certification?
• Do you have a cyber insurance policy?
• What is your employee termination procedure?
• How are our assets segmented from your other customer’s assets?
• When was your last external penetration test or red team engagement?
• When was your last audit from an independent third party and what were the results?
• Where does our data reside? Who has access to it?
• How is our data backed up? When was the last time the backups were tested (Disaster Recovery test)?
• How are you monitoring for cyber attacks? Do you have an incident response plan?
• What is your internal approach to cyber security?
• Who is responsible for the vulnerability and patch management of our assets?
• How do you keep informed of emerging cyber threats?
• Who on your team is experienced in cyber security? Do they have any industry certifications?
• What is your security evaluation process for third parties?

While your MSP may not want to provide you all of the details for the above questions, they should at least be able to confidently provide a satisfactory answer that makes you confident that they’re taking security seriously. Be wary of any providers who refuse to answer these questions for “security reasons” – none of these questions are unreasonable to ask, and all of the answers are important for you to know.

See also: The Australian Cyber Security Centre (ACSC) has also provided some guidance on questions to ask your Managed Service Provider.