Outsourcing professional and technical services is viewed as an effective way for businesses to procure the expertise they need on a pay-as-you-go basis without the complexity and overhead costs of doing it themselves.
Professional services that are commonly outsourced to Managed Service Providers (MSPs) include payroll, accounting, billing and legal. Technical services that are commonly outsourced include the management of data centers, IT infrastructure and security, as well as the support of servers, PCs, notebooks, tablets, and mobile devices that connect to the corporate network.
Outsourcing to MSPs provides the additional advantages of having available a larger, more experienced pool of experts and technical resources than a small or medium size business would normally be able to afford on its own.
MSPs Are Prime Attack Targets
With the growing threat of ransomware, however, exercising careful due diligence when evaluating and selecting an MSP is absolutely essential. The reason: cybercriminals target MSPs because compromising one gives them entry into that MSP’s entire customer base, enabling them to encrypt every customer’s computers until the MSP pays a hefty Bitcoin ransom for the decryption key.
A while ago, this scenario played out in a ransomware attack on Milwaukee, Wisconsin-based Virtual Care Provider Inc. (VCPI). The company provided data management and records hosting, security and access management services to 110 nursing homes and critical-care facilities across the country. VCPI could not afford to pay the $14 million ransom the attackers demanded.
Without access to electronic health records, the lives and health of seniors and others who reside in critical-care facilities were at stake. Billing to Medicaid was also disrupted.
The ransomware may have resided inside VCPI’s networks for some time while the intruders mapped out the topology and compromised resources and data backup systems in preparation for the final attack, which spread until it affected VCPI’s entire customer base. Since VCPI did not have ransomware insurance, it had no choice but to try to repair the contaminated systems, which could take time, introduce more problems, and force staff to relearn ways of doing things.
Due Diligence Questions
Whether outsourcing professional or technical services, it pays to understand the security posture of the MSP. Here are some points to discuss with any MSP:
- Have them describe the security mechanisms deployed on their network.
- Has the MSP ever experienced a malware attack and, if so, how fast was it resolved?
- Find out how often they back up client data and what their procedures are for collecting, storing and archiving it.
- If a disaster occurs, what are the procedures for online and offline data retrieval? In other words, how fast can your business resume operations?
- If the MSP requires admin access rights to your systems, have them justify it and find out if a lower access privilege could be used instead.
- Find out what precautions the MSP has in place to prevent its employees, former employees, contractors and vendors from leaking sensitive information.
- Does the MSP adhere to regulatory mandates governing the handling of patient and consumer data? Has the MSP undergone a compliance review, and what were the results?
- Do employees of the MSP undergo periodic security training, especially with regard to recognizing malicious emails?
- Does the MSP have ransomware insurance? If so, what does the policy cover and not cover?
- Find out the experience and skill levels of the IT staff responsible for using security tools, monitoring systems, interpreting anomalies and responding to threats.
It’s Your Business
If an MSP is reluctant to discuss these aspects of its internal operations, it should be dropped from further consideration. When handing over key processes of your business to an MSP you have the right to explore how they approach security – theirs and yours. Your business may depend on it.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.