The first question should be if you have a written Managed Services Agreement or MSA.  Whether you are the service provider or the customer, this agreement is critical for both sides to have a clear understanding of what is (and what is not) covered.

Many clients have seen messaging from their IT services provider telling them to “focus on their business and leave technology to us”.  Which makes sense, but there is a very common misconception that “technology” includes cybersecurity.  This is not the case, and the worst time to uncover this misunderstanding is after a cyber incident occurs – especially if the incident was preventable!

A high percentage of cyber breaches are caused by human error.  Not understanding common tactics used by hackers to obtain credentials and spread malware leave organizations extremely vulnerable to even the most basic automated attacks.  Is cybersecurity awareness training part of your MSA?  Does it include tracking of each employee to be sure weaker scoring staff have appropriate support to become part of a strong defense?  Does it also include phishing emails to test the effectiveness of the training using the most common attack vector of email?  Our Breach Response Program for 2021 addresses all of those questions.

Are you monitoring the network for potential threats?  Most MSAs include monitoring of the network for offline devices or potential issues with traffic flow, but are correlating the logs from firewalls, servers and endpoints to look for patterns that could indicate a threat.  Adding threat intelligence feeds and customizing business rules specific to the customer with 24/7 monitoring is not part of a standard Network Operations Center (NOC) staff’s role, and frankly they don’t have the training or experience to validate and investigate security threats.

Which brings us to response.  Your MSA may have Service Level Agreements (SLAs) for response to server going down, backup device failure, and employee requests for assistance.  But what response will a typical MSA provide in the event of a true cyber incident?  In most cases, this is not covered at all, and the Managed Services Provider (MSP) is not staffed to provide incident response and is not open 24/7 to provide immediate guidance if an event occurs at 2 a.m., on a weekend or during a holiday.  Hackers know this, and they often strike during these vulnerable times.

MSPs, make sure you have this conversation with your customers before someone else does.  If you are a customer of a Managed Services Provider, request a copy of your Managed Services Agreement and read it carefully.  If it is missing any of the key security components mentioned above, let us know.  We can help your MSP to fill the gaps.