The news is rife lately with security breaches and ransomware attacks. The U.S. company Colonial Pipeline was among the highest-profile cases, given the impact on businesses and consumers across the country. There have been several others, such as the food processor JBS USA, Ireland's HSE (Health Service Executive), which manages the country's health care system, Acer and many, many more. As an NBC news item recently put it, cyber security staff are barely hanging on and are not able to keep up with the barrage of attacks. It's clear that, for the short term, the opportunities for criminals to make vast sums of money are simply too good to resist, and the attacks will likely continue for the foreseeable future. In addition to the direct business impact of an attack, consumers and businesses are now starting to litigate against each other to try to recoup losses. So how can a company whose resources are scarce and whose knowledge base is shallow punch above its weight in protecting itself from these threats?
The usual answer for companies requiring expert services they may not have in-house is to engage the professional services of an MSP (Managed Services Provider) or MSSP (Managed Security Services Provider). But as an attack on July 3rd of this year proves, even MSPs have been targets of attacks, impacting customers downstream. So rather than one company being impacted, several hundred can be hit by a single attack.
Our analysis shows that for many companies that are light on resources, an MSP is still the best path to protecting your corporate data. But there are steps you can take to further protect yourself within your MSP agreements and relationships.
Below we outline five ways you can punch above your weight when working with MSPs to protect your data.
One: Executing a DPA with Your MSP
Executing a Data Processor Agreement ensures that your third party has taken care to meet all the required standards and is ready and able to protect you and your customers. That said, not all DPAs are created equal. Take care to ensure the third party has all the measures in place to minimize the risk and impact of any breach. There are standards that should be included for how the third party will handle data, and the agreement should be reviewed carefully to ensure every element that can be added is added.
Two: Cyber Risk Insurance
This is a must for companies that think they may be at risk. As with any insurance, understanding the types of coverage is key. The first-party and third-party coverage terms must be reviewed to ensure they cover your risks. Every company has different needs and requirements, but the list of liabilities, potential costs incurred and potential coverages can run into the hundreds. Don't leave it to the insurer to tell you what you need: get their recommendations, but add your own terms and conditions to be covered.
Three: Due Diligence
Creating SLAs and other terms and conditions with the MSP is also critical. There are the standard SLAs, of course, around response times, availability, reporting, etc. However, there are many other custom SLAs that can and should be considered. When statements of work are crafted, every action the MSP has promised should be recorded and added to the contract.
Four: Coordinating Security Products and Platforms
There are many technologies, standards and commercial products that make up a well-formed security architecture, but without understanding your threat landscape (i.e., your attack surface, or where your points of vulnerability are) and addressing those vulnerabilities, technology alone will not meet the security challenge. The products that make up a security architecture portfolio are many, including endpoint protection (e.g., EDR, anti-malware, anti-virus), anti-phishing, firewalls, SIEM (security information and event management), identity management, access control and secure web gateways, to name a few. But these products must work in concert, be wrapped in solid cybersecurity processes and policies (e.g., ISO/IEC 27001), and be under the watch of highly skilled security technologists. It is a complex challenge, and even the (supposedly) most well-versed and prepared enterprises can be at risk of security breaches.
This is where the MSSP (managed security services provider) comes in. Any provider worth their salt should have the mature people, processes and technology to manage your assets and be prepared to address any possible security incident in an expert and expedient manner to avoid or limit the damage, staying proactive with the latest threat intelligence to manage all possible vulnerabilities.
If you are embarking on the journey of finding an MSP or a managed security services provider, this is a good time to put the time and effort into a formal RFP. Yes, the RFP process can be involved and time-consuming, but for the uninitiated it can be exactly the detailed due diligence you need to find the right supplier. It is also your opportunity to articulate all your security requirements and do a detailed vetting of participating suppliers. Of course, it is also an ideal way to create leverage in your negotiation of the commercial offer and the contract terms and conditions. NET(net) can take on the load of identifying candidate suppliers that are a good fit for your enterprise and managing the RFP process from start to finish, including negotiating a highly market-optimized agreement.
Five: Resist Bargain Shopping
While NET(net)'s business is predicated on helping clients not overspend on their technology supply chain, we would encourage value over price in this case. Like any crisis, this spike in cyber-attacks will spawn hundreds of start-ups and consultancies purporting to mitigate your security risks. However, shopping for a deal in this space can end up costing you far more later. If budget is an issue, it may be wise to look for cuts in other areas and allocate the savings to your MSP spend. Of course, NET(net) can help you find those extra dollars in other areas.
The risk vectors and cyber-attack surfaces are increasing and will continue to for the foreseeable future. But even if you are a small or medium-sized business, you can take steps to ensure you have the best possible terms with any MSP so that risks are mitigated. This is no longer optional, as the attacks are becoming more indiscriminate and more random every week. If you need an assessment and/or just some guidance, please don't hesitate to reach out to me for a conversation.
Founded in 2002, NET(net) is the world's leading IT Investment Optimization firm, helping clients find, get and keep more economic and strategic value. NET(net) has over 2,500 clients around the world in nearly all industries and geographies, and the experience of over 25,000 field engagements with over 250 technology suppliers in XaaS, Cloud, Hardware, Software, Services, Healthcare, Outsourcing, Infrastructure, Telecommunications and other areas of IT spend, resulting in incremental client-captured value in excess of $250 billion since 2002. NET(net) has the expertise you need, the experience you want, and the performance you demand. Contact us today at firstname.lastname@example.org, visit us online at www.netnetweb.com, or call us at +1-866-2-NET-net to see if we can help you capture more value in your IT investments, agreements, and relationships.
NET(net)’s Website/Blogs/Articles and other content is subject to NET(net)’s legal terms offered for general information purposes only, and while NET(net) may offer views and opinions regarding the subject matter, such views and opinions are not intended to malign or disparage any other company or other individual or group.