How Secure Is Your Managed Service Provider?

When it comes to security, not all Managed Service Providers (MSPs) are created alike. Why you should care and what you should know.

In the shady world of cybercrime, high-profile corporate breaches make headlines, but what about attacks on Managed Service Providers (MSPs)? As the gateway to large vaults of data, MSPs are targets. Sophisticated attackers go after MSPs because a single point of entry gives them access to many networks across many industries.

MSPs, which often remotely manage their customers' IT and user systems, hold the "keys to the kingdom." In addition to direct, privileged access to client networks, they may also house a large amount of customer data, some of it sensitive or confidential, on their own internal infrastructure.

This is tantalizing to attackers. Why cast a net for a single company when you can reel in an MSP that manages multiple clients?

If you are looking for an MSP, or want to know how your current MSP stacks up, don't be complacent about security. Here are the essential questions you should ask every MSP about its security practices.
  1. Do you have a trained security officer? What certifications does the security officer have?
     A trained security officer owns and maintains the MSP's security program. At a minimum, the officer should hold the Certified Information Systems Security Professional (CISSP) certification. Outsourcing this role is absolutely acceptable.
  2. Does your staff have security certifications? Please identify the specific certifications.
     Training and education are critical. Look for an MSP with at least one CISSP-certified officer on staff, or a virtual security officer who provides a similar level of guidance.
  3. Is your staff trained in compliance, phishing awareness and general security best practice? How often does training take place?
     Regular training shows that the MSP is keeping up with compliance and security standards rather than treating them as a one-time exercise.
  4. Do you keep current on security trends? Do you have an internal security committee? How often does it meet? Can we see your last two agendas?
     The agendas reveal whether the MSP takes a proactive, security-first approach to staying current, or merely says it does.
  5. Is your MSP in compliance? Please identify the specific compliance standards and any certifications or attestations.
     An MSP should meet the compliance requirements that apply to its customers, and should be able to show evidence (an audit report or attestation) rather than a verbal assurance. If your company is subject to any of the following Canadian regulations, the MSP must be able to demonstrate how it supports your compliance with them (a growing requirement):
     • PIPEDA (Personal Information Protection and Electronic Documents Act)
     • CASL (Canada's Anti-Spam Legislation)
     • PHIPA (Ontario's Personal Health Information Protection Act)
  6. Do you perform a risk assessment, and how often? Does a third party conduct it? If so, who?
     A third-party risk assessment should take place at least annually to identify weaknesses and give the MSP a basis for improvement. Many businesses require this of their providers as part of their own PIPEDA compliance.
  7. Does a third party perform regular internal and external vulnerability scans on your network?
     The answer should be yes, for both the MSP's own network and its data center (if applicable). Scans should run at least quarterly; monthly or continuous scanning is preferable, and an independent third party should run them. Want proof? Request copies of the last two scan reports. An MSP should be willing to share them, because together they show (1) that the process runs on a regular schedule and (2) whether the findings from the earlier scan were actually remediated by the time of the later one.
  8. Do you use a 24/7 Security Operations Center (SOC) monitoring service to watch your network traffic and logs for malicious activity? What is the name of your SOC provider?
     An MSP must have SOC monitoring, ideally through an outside service. No SOC monitoring means nobody is paying attention: a breach may already have occurred, and the business won't know until customer data shows up on the dark web or somebody stumbles onto it.
  9. Do you use multifactor authentication (MFA) for your critical systems? If so, which solution?
     The answer should be yes. Passwords alone are not enough; MFA is critical for any system that holds customer credentials or grants remote access, and phishing-resistant methods (hardware security keys or FIDO2) are preferable to SMS codes. The "keys to the kingdom" systems that MFA must protect include:
     • Professional Services Automation (PSA) (e.g. ConnectWise)
     • Remote monitoring and management (RMM) (e.g. Kaseya)
     • Password vault
     • Documentation (e.g. IT Glue)
     • Backup management (e.g. Datto)
     • Email / cloud storage (e.g. Microsoft 365)
  10. Do you have anti-social-engineering practices in place? If you get a call from my business asking for a password reset, how do you validate that the caller is one of my staff?
     An MSP should have a callback or other verification procedure so that attackers cannot use the MSP as a route into your systems. For example, the technician hangs up and calls back the number already on file for that contact in the MSP's database (never a number the caller supplies), or confirms the request through a ticket opened from the customer's known email account.
  11. Do you perform regular professional penetration tests (pen tests)? How often are they conducted, and what were the results?
     A pen test goes beyond a vulnerability scan: a tester actively tries to get past the MSP's existing defences the way an attacker would. If the tester gets in, the MSP has a chance to fix the gaps before a real attack occurs. Ask for the executive summary of the last test and for evidence that its findings were fixed.
  12. Do you run phishing campaigns against your own company? How often? By whom? What were the results?
     Simulated phishing measures how well staff are paying attention, whether the training works and whether more education is required.
  13. Do you have cyber liability insurance? How much coverage do you have? May I request a copy of the certificate from the insurance company?
     Despite all the effort in the world, a breach can still occur. An MSP should be insured, for its own survival as well as yours, with at least $1,000,000 in coverage. You should be able to obtain a copy of the certificate of insurance from the MSP's insurer.
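When an MSP hands over its last two vulnerability scan reports, the useful check is not the page count but the diff: how far apart the scans are, which findings were closed, which are still open, and whether anything severe survived a full interval. The script below does that comparison. It is an added example written for this article, not code from the original page or from any MSP; the CSV layout (scan_date, host, finding_id, severity) is an assumed generic export format, and both scans are constructed sample data, not real results.

```python
import csv
import io
from datetime import date

# The article's minimum cadence is quarterly; allow a little slack for scheduling.
MAX_INTERVAL_DAYS = 92

# Constructed sample exports (not real scan results). The column layout is an
# assumed generic format: scan_date, host, finding_id, severity.
EARLIER_SCAN = """scan_date,host,finding_id,severity
2024-01-15,rmm01.example.test,F-001,critical
2024-01-15,rmm01.example.test,F-002,high
2024-01-15,psa01.example.test,F-003,medium
2024-01-15,mail01.example.test,F-004,low
"""

LATER_SCAN = """scan_date,host,finding_id,severity
2024-04-10,rmm01.example.test,F-002,high
2024-04-10,mail01.example.test,F-004,low
2024-04-10,psa01.example.test,F-005,medium
"""


def parse_scan(text):
    """Return (scan_date, {(host, finding_id): severity}) for one export."""
    findings = {}
    scan_dates = set()
    for row in csv.DictReader(io.StringIO(text)):
        scan_dates.add(date.fromisoformat(row["scan_date"]))
        findings[(row["host"], row["finding_id"])] = row["severity"].strip().lower()
    if len(scan_dates) != 1:
        raise ValueError("each export must contain exactly one scan date")
    return scan_dates.pop(), findings


def compare_scans(earlier_text, later_text):
    """Diff two consecutive scans: cadence, what was fixed, what is still open."""
    earlier_date, earlier = parse_scan(earlier_text)
    later_date, later = parse_scan(later_text)
    if later_date <= earlier_date:
        raise ValueError("the later scan must postdate the earlier one")
    interval = (later_date - earlier_date).days
    persisting = sorted(earlier.keys() & later.keys())
    return {
        "interval_days": interval,
        "cadence_ok": interval <= MAX_INTERVAL_DAYS,
        "remediated": sorted(earlier.keys() - later.keys()),
        "persisting": persisting,
        "new": sorted(later.keys() - earlier.keys()),
        # Critical/high findings still open a full interval later are the red flag.
        "overdue_high_risk": [k for k in persisting if later[k] in ("critical", "high")],
    }


def remediation_rate(result):
    """Fraction of the earlier scan's findings closed by the later scan."""
    closed = len(result["remediated"])
    total = closed + len(result["persisting"])
    return closed / total if total else 1.0


if __name__ == "__main__":
    result = compare_scans(EARLIER_SCAN, LATER_SCAN)
    print(f"interval: {result['interval_days']} days (cadence ok: {result['cadence_ok']})")
    print(f"remediated: {len(result['remediated'])}, still open: {len(result['persisting'])}, "
          f"new: {len(result['new'])}")
    print(f"remediation rate: {remediation_rate(result):.0%}")
    for host, finding in result["overdue_high_risk"]:
        print(f"OVERDUE: {finding} on {host} still open after {result['interval_days']} days")
```

On the sample data the scans are 86 days apart (inside the quarterly window), two of the four earlier findings were closed, and one high-severity finding on the RMM host is still open a full interval later, which is exactly the kind of gap to raise with the MSP. Findings are keyed on host plus finding ID rather than on severity, so a finding that was merely re-rated between scans still counts as open.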

You can also use the free worksheet below to track how prospective MSPs stack up against the criteria outlined above.

Download the Worksheet: How Secure Is Your MSP Worksheet

Want to know more? Contact Us to see how we can help secure your business data the right way.