MSP Security Considerations for Healthcare Organizations

Many businesses use managed service providers as an extension of their information technology (IT) department for providing additional services that they cannot easily perform in-house, with MSP security services one of the biggest areas of growth.

MSPs are typically used for the day-to-day management of IT systems, such as monitoring servers, routers, firewalls, applications, and endpoints. MSPs often run the IT helpdesk and take proactive steps to prevent costly downtime from IT system failures. MSPs used to focus on remotely monitoring and managing networks and servers, time-consuming tasks that are not practical or possible to handle in-house, but as the digital needs of businesses have grown, so have the services offered by MSPs. The core IT management and maintenance services have now been augmented with cloud infrastructure management services and an extensive range of MSP security services.

There are many advantages to outsourcing certain IT functions to MSPs. In-house IT teams are often overwhelmed and MSPs can ease the burden, allowing in-house teams to focus on important projects rather than having to deal with day-to-day maintenance and IT support issues. MSPs can help businesses improve productivity by ensuring there is a secure and stable network. That equates to fewer IT issues, less downtime, and faster response times to support tickets. One of the main areas where businesses are now seeking help is security. Managing the security of the network can be time-consuming, and busy IT departments often cannot perform all the security functions rapidly due to already heavy workloads. If security issues are not addressed promptly, the consequences can be severe.

Further, to manage IT security functions in-house, businesses need to recruit IT professionals with the right skillsets and that can be costly. There is also a global shortage of skilled cybersecurity staff. In 2021, an estimated 3.5 million cybersecurity jobs globally went unfilled. Taking advantage of MSP security services is often the only option available to businesses.

MSP Security Services

It is now common for MSP security services to be offered to some extent, such as software and firmware updates, patching services, antivirus, email security, web security, data backups, and disaster recovery. MSPs often specialize and provide expertise in certain areas, so it may not be possible for an MSP to handle all security requirements.

For a more comprehensive range of MSP security services, businesses will need to find a managed security service provider (MSSP). An MSSP can assist with developing and deploying complex security infrastructure, and provide continuous monitoring, incident response, and disaster recovery services.

The cyber threat landscape changes rapidly, with new threats continuously emerging and hackers constantly developing new tactics, techniques, and procedures (TTPs) to bypass security defenses. While security was once relatively straightforward, requiring little more than a firewall, antivirus, and anti-spam solution, cyberattacks are now occurring at an incredible rate, the number of threat actors conducting attacks has grown enormously, and the sophistication of attacks has increased.

Cybercriminal gangs are highly professional, with many operating like regular businesses and outsourcing aspects of the business to specialists in the same way that businesses utilize MSPs. To protect against threats today, businesses need to adopt a defense-in-depth strategy and have multiple layers of protection, which is why so many businesses now seek MSP security services. The cost of investing in hardware, software, and people skilled enough to manage security functions can be prohibitive.

MSP security services can include:

  • Network and Application Firewalls
  • Email Security
  • Web Security
  • Threat Intelligence
  • Password Management
  • Endpoint Security
  • Antivirus Software
  • Security Information and Event Management
  • Multi-factor Authentication
  • Data Loss Prevention (DLP)
  • Vulnerability Scanning and Patch Management
  • Identity Access Management (IAM)
  • Privileged Access Management (PAM)
  • Intrusion Prevention Systems (IPS)
  • Security Awareness Training and Phishing Simulations
  • Data Backups
  • Disaster Recovery
  • Virtual Private Networks (VPNs)
  • Risk Assessments and Gap Analyses

Five Eyes Security Agencies Issue Warning to MSPs and their Customers

MSPs require privileged access to the networks of their customers in order to provide their services. An MSP may have anywhere from a dozen clients to several thousand, and that makes MSPs an attractive target for cybercriminals and nation-state threat actors. If the systems of an MSP can be compromised, a threat actor will have privileged access to the networks of all MSP clients.

Cyber threat actors are increasingly targeting vulnerable MSPs, and the increase in attacks has prompted the Five Eyes Security agencies in the US, UK, Canada, Australia, and New Zealand to issue a warning to MSPs and their customers and urge them to take immediate action to improve their security posture and resilience to cyberattacks.

Recommended MSP Security Requirements

If you use an MSP for any IT services, it is important to be aware that providing privileged access to internal systems introduces risks, and those risks need to be managed and reduced to a low and acceptable level. It is the responsibility of customers of MSPs to ensure that any managed service provider they use has implemented safeguards and is following IT security best practices, and that those requirements are written into service contracts.

The Five Eyes agencies strongly recommend that MSPs and their customers take steps to prevent the initial compromise by threat actors. Those measures should include improving the security of vulnerable devices, such as by selecting and hardening remote access VPN solutions, using vulnerability scanning tools and services, and addressing vulnerabilities promptly.

Internet-facing services must be protected, strategies should be adopted for protecting web applications against credential stuffing attacks, and measures implemented to defend against brute force and password spraying attacks. Phishing is still the main way that threat actors gain access to networks. MSPs and their customers should improve defenses against phishing attacks and adopt a defense-in-depth strategy. Anti-phishing measures include a robust email security solution for blocking inbound phishing emails, with outbound scanning to identify compromised mailboxes. Measures should be implemented to block the web-based component of phishing attacks, such as a web filtering solution, and regular security awareness training should be provided to the workforce to help employees recognize and avoid phishing and other email attacks. An incident response plan should also be developed and rehearsed for responding to threats.

The Five Eyes agencies also recommend customers of MSPs:

  • Improve monitoring and logging processes with comprehensive security information and event management
  • Implement multifactor authentication on MSP accounts used to access customer environments and for all MSP products and services
  • Disable MSP accounts that are no longer managing infrastructure
  • Ensure MSP security services include backup services that meet resilience and disaster recovery requirements
  • Ensure contractual arrangements include incident response and recovery plans
  • Ensure MSP accounts are not assigned to internal administrator groups
  • Adopt the principle of least privilege and only provide access to systems managed by MSPs
  • Understand and proactively manage supply chain risk
  • Ensure there is transparency – customers should have a thorough understanding of the MSP security services that are being provided and what aspects of security fall outside of the contractual arrangement
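
An added example, not part of the original article or of any agency guidance: a short Python audit of three of the recommendations above (MFA on MSP accounts, disabling accounts of MSPs that no longer manage infrastructure, and keeping MSP accounts out of internal administrator groups), plus an idle-account check. The CSV layout, account names, group names, and the 90-day idle threshold are all assumptions, and the sample export is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names and values are assumptions.
SAMPLE_EXPORT = """account,owner,mfa_enabled,groups,last_logon,contract_active
svc-msp-backup,AcmeMSP,true,Backup Operators,2024-05-28,true
msp-helpdesk1,AcmeMSP,false,Helpdesk,2024-05-30,true
msp-netadmin,AcmeMSP,true,Domain Admins;Network Ops,2024-05-29,true
msp-oldvendor,FormerMSP,true,Helpdesk,2023-11-02,false
jsmith,internal,true,Domain Admins,2024-05-30,true
"""

# Assumed names of internal administrator groups.
INTERNAL_ADMIN_GROUPS = {"domain admins", "enterprise admins", "administrators"}
STALE_AFTER_DAYS = 90  # assumed idle threshold, not taken from the article


def audit_msp_accounts(export_text, today):
    """Return {account: [findings]} for MSP-owned accounts only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["owner"].strip().lower() == "internal":
            continue  # only third-party (MSP) accounts are in scope
        issues = []
        if row["mfa_enabled"].strip().lower() != "true":
            issues.append("no-mfa")
        groups = {g.strip().lower() for g in row["groups"].split(";") if g.strip()}
        if groups & INTERNAL_ADMIN_GROUPS:
            issues.append("internal-admin-group")
        if row["contract_active"].strip().lower() != "true":
            issues.append("msp-no-longer-engaged")
        idle_days = (today - date.fromisoformat(row["last_logon"])).days
        if idle_days > STALE_AFTER_DAYS:
            issues.append("stale")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_msp_accounts(SAMPLE_EXPORT, date(2024, 6, 1))
    for account, issues in report.items():
        print(f"{account}: {', '.join(issues)}")
```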