Managed Service Providers (MSPs) have become an integral part of many organisation’s IT operations, supporting their IT staff by taking charge of complex or repetitive digital processes. But they are not without risk, and there have been multiple breaches this year in the UK alone. As MSPs provide such a vital service and have become an integral part to companies across the country, there is no question of removing or replacing them, so what can be done to keep users cyber secure now and into the future?
What are Managed Service Providers?
Managed Service Providers (MSPs) are digital, cloud managed services provided by a third party to organisations to remotely manage their IT databases and end-user systems. Their seamless integration and background application allow IT staff to prioritise their work without concern for faults in the system or interrupted services.
Put simply MSPs can handle the complex, consuming or repetitive work involved in the management of IT infrastructure or end-user systems. Some of their most common uses include handling the management of IT infrastructure, managing user access accounts, and providing payroll services. Consequently, they handle large quantities of personal data.
How organisations choose to use and implement their MSPs is dependent on their requirements. Some MSPs are offered to deliver a service, such as cybersecurity, whereas others are designed specifically to a particular industry, such as healthcare, or public sector services.
Managed services bring many benefits to an organisation’s IT operations, including, but not limited to, improved cost efficiency, network monitoring, and business continuity. However, as with all IT applications, they face an increasing risk of hacking and data breaches, which can have serious consequences owing to the large volumes of personal data that they store. A recent example in public health shows how disruptive this can be.
The threat to MSPs
An example of a serious breach here in the UK is that which affected the NHS’s 111 helpline. In August their MSP, Advance (which is used by 85% of 111 services) was targeted by cyber criminals who were able the infiltrate the network. Although the incident was discovered early and contained by Advance, limiting the disruption to only 2% of their health and care infrastructure, there was still major disruption to the 111 network, with services down for an extended period of time.
Although during the outage there were few details provided about the breach, according to the BleepingComputer the language used to describe the attack indicates that it is likely to have been a ransomware or data extortion attack.
So, what can MSP providers do moving forward to keep organisations and the data they hold cyber safe?
Can MSP providers stay cyber safe?
According to an article published by ComputerWeekly, which brings together the views of several cyber and IT experts, they key is for MSP suppliers to streamline their cybersecurity offerings. They report that currently 49% of SMEs are considering moving MSP provider because of their dissatisfaction with their current service, and 94% would consider moving if an MSP provider could guarantee improved cyber security.
Partly, this lack of trust and increased number of cyber-attacks is a result of SMEs lacking understanding about how to keep their businesses cyber secure. To quote the article, “there is lack of people, processes and technologies to defend against cyber adversaries”. But MSPs and MSSPs (Managed Security Service Providers) can’t provide this gap in the market because, according to Richard Staynings, chief strategist at Cyler, they tend to oversell, offering SMEs more products than asked for without personalisation to their specific requirements.
Many of the experts in the article claim that this personalisation is the missing element preventing top MSP providers from delivering the whole package.
Mark Oakton, security director and consulting CISO at Infosec Partners, also argues that, for MSPs to be successful, they too need to hire data experts and continue to offer cyber support after product deployment, not just at the point of service.
So in summary, MSPs have the potential to offer a fantastic service to SMEs and organisations, but require further fine-tuning.
Managed IT Services are still a relatively new product, and despite first being developed in the 1990s it’s only recently that they are being used at multiple levels. In order to continue this success and ensure that the companies they work with and the data they hold stays secure, they need to work closer with their clients and develop and invest in their own cybersecurity offerings.
What is your opinion of MSPs? Do you think they are a valuable asset for SMEs or are they fundamentally flawed? Get in touch to let us know your thoughts!