The idea that a managed service provider (MSP) could be the weak link in the supply chain is increasingly understood, and the examples of what can go wrong have been sobering for the channel.
But reducing risk is not just down to the partner – vendors also have a role to play. MicroScope caught up with Ryan Weeks, chief information security officer (CISO) at Datto, to get an insight into the role his team is playing in improving life for partners and customers.
Managed service providers play an important role in protecting customers’ data, but they do not act alone: they rely on vendors taking that responsibility just as seriously.
“With security breaches showing no signs of slowing, MSPs must be constantly vigilant and develop cyber resilience approaches that go beyond purchasing and deploying security solutions,” says Weeks.
“A truly comprehensive cyber security, business continuity and incident response strategy rests on five pillars: the ability to identify risks and threats, and to protect, detect, respond and recover from any actualised risks and threats.
“Many MSPs are already taking steps to strengthen these areas. But an organisation’s security posture is only as strong as its weakest link, and as several recent security breaches have shown, third parties can introduce unforeseen risks,” he says.
“Vendors have become an integral supply chain supporting MSP business operations. However, it is important to recognise that MSP vendor relationships, while critical, may intentionally or unintentionally pose a cyber security threat to the organisation.
“The realisation that many MSPs have come to is that vendors may not be protecting the confidentiality, integrity and availability of data in a way that supports cyber resilience. In response, MSPs must create the capability to hold their most critical vendors accountable for quality security outcomes and preparedness,” he warns.
Weeks points out that MSPs are all too familiar with the service-level agreements (SLAs) that exist between partners and customers, suggesting a similar process is needed between channel and vendor.
Steps to vendor accountability
According to Weeks, there are four components of keeping vendors accountable, and MSPs need to work through them.
“To start with, understand the security gaps and risks that your vendor relationships could expose you to over time. If you don’t have a quick answer to these questions, then, chances are, you are neglecting an essential component of your organisation’s cyber resilience strategy,” he says.
“As part of a centrally managed vendor inventory, every vendor coming in or going out should be accounted for and properly identified in a system of record based on the type of service and relationship.”
After identifying the gaps, the next step is to prioritise and concentrate on working out which vendors could cause the most damage if they were compromised. Those are the ones to deal with first.
“Criteria to consider when tiering your vendors include: What type of data does the vendor store, process, or handle on your behalf? How embedded is the vendor into your environment – for example, do they have read/write access? To what extent does this vendor or product interact with your customers?” says Weeks.
The next steps involve evaluating vendors and then building SLAs that cover reaction processes to potential breaches.
“Be sure their business continuity plans are built and tested to withstand the unforeseen, not just to comply with a requirement,” advises Weeks. “If your concerns are primarily around data, then be sure that proper access controls are built into their environment, verify that encryption standards are adopted, and ensure audit trail logs are reviewed.”
Finally, he urges MSPs to remain vigilant about their vendor relationships and to remain on top of risk management.
“Managing vendors is a continuous process, not a one-time event,” says Weeks. “The important thing is not to overlook gaps in the vendor’s processes. Investigate further, ask questions, meet with the right representatives, document their plans to address any issues or concerns – and be sure to follow up and keep your vendor relationships alive and well.
“You should essentially ask the same questions of your vendors that you ask of your own organisation: What are the security processes and technologies in place?” he adds.
“Major deficiencies should be documented on both ends and followed up on based on the set milestones. Additionally, when there are major documented vulnerabilities, you should be asking all of your vendors if they are impacted as that will have a downstream effect on your resilience, too.”