CISA, the US Cybersecurity and Infrastructure Security Agency, has recently released a report on Managed Service Providers (MSPs). The agency recognizes that MSPs play a critical role for businesses, providing IT services that would otherwise be too costly, too time-consuming or too resource-intensive to run in-house.
However, it also warns that MSPs expand the attack surface and can be the entry vector for supply chain cyberattacks: a growing number of cybercriminals are focusing on them as a primary target, as demonstrated by the ransomware incident against the company Kaseya, which we covered before in this blog. CISA also reminds us that the most advanced APT groups are employing "Living Off The Land" techniques that abuse legitimate MSP tools to extract data from, or take control of, the MSPs' customers' systems. The aim of the published document is therefore to provide a framework for public and private organizations to mitigate the potential risks of outsourcing their IT services.
Strategic, Operational and Tactical Decisions
The report presents considerations and best practices for the three groups within organizations that have a role to play in reducing cybersecurity risks: senior executives (strategic decision-making), procurement professionals (operational decision-making), and IT technicians and cybersecurity staff (tactical decision-making). Their main recommendations under these categories are:
- Strategic decisions
  - Organizations should consider whether it is cost effective to outsource IT services, bearing in mind cybersecurity requirements and risk thresholds.
  - It is recommended that senior executives provide adequate information if they decide to outsource services.
  - It is important to establish who is responsible for security and operations when outsourcing.
  - A specific plan should be developed to protect the organization's most critical assets, covering all potential risks associated with MSPs.
  - The requirements established by different departments and executives (CIOs, CISOs, COOs, etc.) must be considered when selecting a vendor.
  - In the contract and Service Level Agreement (SLA), the vendor must clearly set out all the elements related to the associated risks and to the cybersecurity of the services delivered.
  - Consideration should be given to which permissions and level of access MSPs will have on the organization's networks and systems, taking into account factors such as access to sensitive assets.
At the tactical level, CISA also recommends a number of specific cybersecurity measures related to MSPs, and WatchGuard provides solutions for several of these concerns:
- Using backup solutions to restore service in the event of an incident as quickly as possible and with the least possible impact on the company's operations.
- Constant updates of the organization's software.
- Continuous network monitoring, especially in networks where MSPs have full access.
- Comprehensive protection, detection and response tools at endpoints.
- Using a dedicated VPN to connect to the MSP infrastructure.
- Requiring multifactor authentication (MFA) when MSPs connect to the organization's networks and systems.
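Three of these tactical measures (monitoring MSP access, routing it through a dedicated VPN, and requiring MFA) can be checked against each other in a single audit. The script below is an added example, not code from the CISA report or from WatchGuard: it reads constructed remote-access gateway log lines in a made-up key=value format, and flags every successful login by an MSP account that either did not arrive from the dedicated MSP VPN range or was completed without MFA. The account names, the `10.200.1.0/24` VPN range and the addresses are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log lines from a hypothetical remote-access gateway.
# Accounts, timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
ts=2024-05-01T08:02:11Z event=login user=msp-support src=10.200.1.15 mfa=true result=success
ts=2024-05-01T08:15:42Z event=login user=msp-support src=203.0.113.77 mfa=true result=success
ts=2024-05-01T09:01:03Z event=login user=msp-backup src=10.200.1.40 mfa=false result=success
ts=2024-05-01T09:30:27Z event=login user=alice src=198.51.100.9 mfa=true result=success
ts=2024-05-01T10:11:58Z event=login user=msp-support src=198.51.100.23 mfa=false result=failure
"""

# Assumed policy: these accounts belong to the MSP and may only connect
# through the dedicated MSP VPN, which hands out addresses from this range.
MSP_ACCOUNTS = {"msp-support", "msp-backup"}
MSP_VPN_RANGE = ipaddress.ip_network("10.200.1.0/24")


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reasons: tuple


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def audit_msp_access(log_text, msp_accounts=MSP_ACCOUNTS, vpn_range=MSP_VPN_RANGE):
    """Return one Finding per successful MSP login that violates a control."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        # Only granted access is audited here; failed attempts belong to a
        # separate brute-force/lockout check.
        if ev.get("event") != "login" or ev.get("result") != "success":
            continue
        if ev.get("user") not in msp_accounts:
            continue
        reasons = []
        try:
            src = ipaddress.ip_address(ev.get("src", ""))
            if src not in vpn_range:
                reasons.append("outside dedicated MSP VPN range")
        except ValueError:
            reasons.append("unparseable source address")
        if ev.get("mfa", "false").lower() != "true":
            reasons.append("no MFA")
        if reasons:
            findings.append(Finding(ev["ts"], ev["user"], ev["src"], tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_msp_access(SAMPLE_LOG):
        print(f"{f.ts} {f.user} from {f.src}: {', '.join(f.reasons)}")
```

On the constructed input, the audit reports two events: the `msp-support` login from a public address that bypassed the VPN, and the `msp-backup` login that came through the VPN but without MFA. The local user `alice` and the failed attempt are deliberately left out so the output stays focused on granted MSP access, which is the access the report is concerned about.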
Ultimately, these recommendations lead to the conclusion that when choosing an MSP, it is crucial that cybersecurity is a pillar of its strategy and customer relations, not simply a feature or service. At WatchGuard, we offer a specific program for partners who adopt that approach. This way, partners and customers grow together, with the peace of mind that comes from having comprehensive cybersecurity that is very easy to manage.