Decoding MSPs: Your Guide to Outsourcing IT Services
December 5, 2023
Navigating today’s fast-paced digital era is no easy feat for business owners. Somehow, you have to adapt to shifting consumer needs, deliver a seamless online experience, and stay on top of tech trends, all without stretching your resources too thin. It’s a fine balance.
Enter managed service providers (MSPs). From network oversight to cloud computing to round-the-clock assistance, MSPs play a vital role in modern businesses by remotely managing IT systems, data, and applications. But despite their invaluable support, third-party providers also come with a whole host of privacy, regulatory, and liability concerns. And when it comes to IT, most business leaders prefer to be hands-off and leave the tech to the experts, leading to misconceptions about who’s responsible for data security—misconceptions that can leave you vulnerable to attack and on the hook for potentially thousands in breach expenses.
So how do you leverage the benefits of an MSP, while still ensuring a secure and efficient IT environment? How do you balance tech triumphs and turbulence? Here are some of the top risks associated with outsourcing IT services and key tips for effectively managing supplier relationships.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
What’s an MSP?
A managed service provider, or MSP, is a third-party organization responsible for managing and delivering a defined set of processes, tasks, or functions to another organization. Services are typically remote, but can be on-premises as needed; the scope is outlined in a contract between the MSP and its customer, known as a service level agreement (SLA).
By working with an MSP, companies can offload specific tasks for which they don’t have in-house talent to a pool of experts, allowing them to cut costs, improve efficiencies, and streamline operations. This is particularly attractive for SMBs, who can redirect funds that would otherwise be spent on developing these processes from the ground up, and focus on core competencies.
An organization might use a combination of partners to fulfill any number of business functions on a day-to-day basis, including payroll, HR, recruitment, vendor management, and more. This piece will focus on MSPs that provide any kind of ongoing IT services, including but not limited to network monitoring, software deployment, data backup and recovery, helpdesk support and troubleshooting, security, end-user assistance, and infrastructure management.
What’s the difference between an MSP and a CSP?
“Managed service provider” (MSP) is often used interchangeably with “cloud service provider” (CSP) since both parties offer services through the internet. But while there is some overlap, an MSP and a CSP are distinct entities with specific functions. MSPs offer a range of services to address an organization’s tech needs. They might oversee or optimize a client’s use of cloud resources within their broader IT environment, but don’t always provide cloud services directly.
In contrast, CSPs specialize in cloud-based infrastructure, platforms, and software that enable clients to perform various computing tasks, like Amazon’s AWS, Microsoft Azure, and Google Cloud Platform. Unlike MSPs, which have more of a big-picture focus, CSPs are limited to the cloud products or solutions they offer.
What are the risks?
1. Data Breach
As tech providers, MSPs have access to critical IT systems, process high amounts of sensitive data, and supply software programs for potentially hundreds of businesses. That makes them a prime target for cybercriminals, who are always looking for a gateway to corporate networks.
Additionally, MSPs may engage with third-party vendors or subcontractors themselves, adding more links—and security vulnerabilities—into the supply chain and widening your attack surface. In the event of a ransomware attack, malware that infiltrates third-party providers could rapidly spread through their client network, affecting you, your data, and your clients.
A common misconception? All MSPs automatically provide cybersecurity services as part of their repertoire. But, like any other company, MSPs differ in their specialities, experience levels, and offerings, including security measures. Some may focus on comprehensive cyber solutions, while others only offer standard tools within their broader IT management scope. Some may include additional protections at an extra cost, while others might not provide these services at all.
Simply put, cybersecurity isn’t always a guaranteed part of the package. And misunderstandings about security protocols and expectations can lead to major gaps, especially in industries with distinct requirements. Unless your MSP specializes in your industry, they might not have access to the specific safeguards needed for your business.
Plus, you can’t always rely on service partners to protect themselves as they should. Not all MSPs give the same level of attention to internal security; some might lack robust defences, leaving them vulnerable to cyber threats that could, in turn, impact clients like you.
3. Lack of Control
Relying on an MSP means that any disruption in their servers can directly impact your business operations. Whether it’s due to a cyberattack, network outage, or a software bug, system failures won’t just affect you—they’ll also affect your clients, especially if they rely on you for access to critical business functions and data. The resulting interruption could lead to major financial loss, legal action, and lasting reputational harm.
Even worse? Since the services come from an external provider, you’ll have less direct oversight or control over system downtime, limiting your ability to monitor and address security issues. In other words, your hands are tied until your MSP is back up and running. And if they don’t have a robust incident response plan, there could be delays in identifying, containing, and mitigating cyber threats, leading to increased damages.
4. Regulatory Compliance
Security is only part of the equation. Depending on what industry you’re in and where you provide services, any MSP you engage might have to adhere to a variety of privacy regulations surrounding data security, storage, retention, and disposal. And if a third-party provider stores data outside of Canada, you might be subject to additional data privacy and ownership laws, like Europe’s GDPR or the CCPA in the US.
Plus, legal and regulatory frameworks are ever-changing, especially as new technologies, like AI, arise, so your compliance protocols may need tweaking as your business expands into different sectors or locations. Unfortunately, MSPs might not have the in-house resources to advise on different laws or keep up with evolving regulations. If your provider falters on compliance or, worse, you knowingly engage with them despite their non-compliance, you could incur legal repercussions and hefty penalties.
If your MSP is compromised and you’re affected, who’s to blame? And more importantly, who’s liable for the damages? And your clients’ damages? Is it your MSP’s fault for suffering a breach? Or yours for employing their services?
The truth is: using an MSP, CSP, or any other third-party to collect, store, process, or otherwise handle confidential data doesn’t transfer over your security responsibilities or your liability in the event of a breach. In fact, most third-party provider contracts are even structured to hold them harmless in the event of a breach.
Why? Under Canadian privacy laws, you and your MSP both have roles when it comes to security, but as the data owner, your organization is the one legally responsible for safeguarding client data. It’s up to you to determine if a prospective MSP meets regulatory requirements, and if there’s a breach, you can be held accountable for your clients’ data—even if you weren’t technically at fault.
These days, companies have to meet minimum security standards in order to be eligible for Cyber Insurance and to receive a claims payout. That includes your own safeguards, as well as any third-party tools. If you haven’t fully read through your SLA, you might accidentally misrepresent the level of protection provided by your MSP in your application; this can lead to complications during a claim. If your insurer discovers that you haven’t opted in to additional security services or configured your administrative controls properly, your policy won’t respond and you’ll have to cover the costs out of pocket.
PRO Tips: What can you do?
Ultimately, cybersecurity is a joint effort between you and your MSP. While they can enhance your existing defences, you still have a crucial role in defining security policies, overseeing operations, and ensuring compliance. Here are some tips to get started.
1. Vet your prospects.
Minimizing risk starts with picking the right MSP. Be vigilant and create a comprehensive checklist that prospects must meet to be deemed a suitable partner, including:
- Services: Define what services you need as an organization and make sure your provider is aligned with your business and security needs. If you’re looking for a dedicated suite of cybersecurity solutions and expertise, you’ll need to go beyond a regular MSP.
- Background: Evaluate their reputation, track record, and experience levels in your industry. Read client reviews and testimonials.
- Regulatory Compliance: Determine their approach to data storage and ensure they comply with relevant privacy regulations for your industry and jurisdiction. If you’re using an MSP that stores data outside of Canada, review the applicable laws.
- Security Standards: Assess their security practices, including defined policies, network security, access controls, employee training, regular auditing, threat detection and monitoring, incident response plans, and more. Ensure all prospects are proactive about managing threats and have measures at least as good as your own.
- Certifications: Look for MSPs with recognized cyber certifications, including ISO 27001, SOC 2, and CIS (Center for Internet Security) Controls. These certifications are voluntary and demonstrate their commitment to maintaining security standards.
- Approach: A good provider will be transparent and open to communication. If they’re apprehensive or unwilling to speak candidly about security measures, audits, or incidents, they’re not the right partner for you.
2. Get it all in writing.
A well-drafted service-level agreement is the foundation of a solid outsourcing relationship. In addition to pricing, timing, and terms and conditions, clearly define the roles, responsibilities, and liabilities of both parties, including:
- Services: Have clear explanations for all services provided, including cybersecurity. Set out performance and quality metrics and response times.
- Security Provisions: Determine who will be responsible for what aspects of security (e.g., prevention, detection, regular auditing, incident response, data recovery, etc.) and outline protocols for data protection, storage, and disposal. Make sure your provider enforces multi-factor authentication (MFA) and encryption on all services and products you receive; confirm if there’s an extra cost to do so.
- Termination: How will data be returned, destroyed, or disposed of if the partnership ends? How will you ensure a smooth transition to another MSP?
If needed, consult a cybersecurity expert or legal specialist for more guidance.
3. Review your own cybersecurity.
Fortify your defences to ensure you’re in the best possible position to prevent compromise, whether it comes from your MSP, a cybercriminal, or your own staff. Establish a comprehensive cybersecurity policy and if you haven’t already, consider the solutions below:
- Multi-Factor Authentication (MFA): Incorporate MFA across your enterprise wherever critical or sensitive data is stored or transmitted, including corporate email accounts, VPNs, financial accounts, and on all MSP accounts used to access your systems.
- Virtual Private Network (VPN): If possible, use a dedicated VPN or similar alternative to connect to MSP infrastructure. Limit all network traffic to and from the MSP to that dedicated secure connection.
- Access Control: Apply the principle of least privilege and limit access rights across your network to the minimum necessary for MSPs and employees to perform their duties. Make sure that MSPs don’t have default administrative privileges when accessing your accounts and that they don’t reuse admin credentials across multiple clients.
- Security Patches: Ensure operating systems, software, VPNs, firewall configurations, and third-party apps are promptly and frequently patched with the newest updates when available. Verify your MSP’s policy on software updates and ensure timely updates are included as part of their ongoing service.
- Encryption: Ensure that sensitive data is encrypted during transmission and storage.
- Security Awareness Training: Address cyber risks with your staff head-on and routinely train and re-train them on the proper and safe usage of third-party tools. Everyone should know how to safely handle data, recognize threats, and report a breach.
- Data Recovery: Set up an offline backup system that isn’t connected to the Internet or any of your local networks to prevent hackers from accessing network backups and increase the chances of data recovery.
- Security Audits: Routinely re-assess your MSP’s security measures and scan for vulnerabilities in your network and all provider networks. Address weaknesses as needed. Actively participate in security discussions and if possible, request regular reports from the MSP on cyber incidents.
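As an added example, not part of the original post, the script below turns the MFA, least-privilege, credential-reuse, and dedicated-connection points above into a repeatable check over an inventory of the accounts an MSP uses to reach your environment. The inventory layout, field names, VPN range, and approved-admin list are constructed assumptions, not any provider's export format.

```python
import ipaddress
from collections import defaultdict

# Assumption for this example: the MSP reaches you only through this VPN range.
MSP_VPN_RANGE = ipaddress.ip_network("10.200.0.0/24")

# Constructed sample inventory (field names are assumptions for this example).
# "credential_id" is a fingerprint of the secret, never the secret itself.
SAMPLE_INVENTORY = [
    {"account": "msp-ops1", "client": "acme", "role": "admin",
     "mfa_enabled": True, "credential_id": "c1", "last_source_ip": "10.200.0.15"},
    {"account": "msp-ops2", "client": "acme", "role": "admin",
     "mfa_enabled": False, "credential_id": "c2", "last_source_ip": "10.200.0.16"},
    {"account": "msp-helpdesk", "client": "acme", "role": "helpdesk",
     "mfa_enabled": True, "credential_id": "c3", "last_source_ip": "203.0.113.7"},
    {"account": "msp-ops1", "client": "globex", "role": "admin",
     "mfa_enabled": True, "credential_id": "c1", "last_source_ip": "10.200.0.15"},
]

# Standing admin rights must be approved explicitly, per (client, account);
# any other admin-role account is a least-privilege finding.
APPROVED_ADMINS = {("acme", "msp-ops1")}


def audit_msp_access(inventory, vpn_range=MSP_VPN_RANGE, approved_admins=APPROVED_ADMINS):
    """Return a sorted list of (check, client, account) findings."""
    findings = set()
    clients_per_credential = defaultdict(set)
    for acct in inventory:
        key = (acct["client"], acct["account"])
        if not acct["mfa_enabled"]:
            findings.add(("mfa_missing",) + key)
        if acct["role"] == "admin" and key not in approved_admins:
            findings.add(("admin_not_approved",) + key)
        if ipaddress.ip_address(acct["last_source_ip"]) not in vpn_range:
            findings.add(("outside_dedicated_vpn",) + key)
        clients_per_credential[acct["credential_id"]].add(acct["client"])
    # The same credential fingerprint seen under more than one client means
    # the MSP is reusing that credential across its client base.
    for acct in inventory:
        if len(clients_per_credential[acct["credential_id"]]) > 1:
            findings.add(("credential_reused_across_clients", acct["client"], acct["account"]))
    return sorted(findings)


if __name__ == "__main__":
    for check, client, account in audit_msp_access(SAMPLE_INVENTORY):
        print(f"{check:34} client={client:7} account={account}")
```

Feed it the real inventory your MSP provides under the SLA, and treat every line it prints as an item for the next security review with the provider.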
For more robust controls, please consult the following resources:
- Canadian Centre for Cyber Security: Cyber security considerations for consumers of managed services
- Cybersecurity and Infrastructure Security Agency (CISA): Protecting Against Cyber Threats to Managed Service Providers and their Customers
4. Have a backup plan.
Develop an internal incident response plan to address potential breaches, outages, or system downtime, including key roles and procedures for prompt resolution. Evaluate the risk associated with data theft versus data unavailability due to system failure; this will help guide your response strategy.
Confirm that your MSP has reliable incident response, backup, and disaster recovery systems; make sure this is included in your contract, as well as procedures for handling and reporting cybersecurity incidents. Regularly test these plans, including backup procedures, to ensure efficient data recovery.
5. Explore Cyber Insurance.
Cyber Insurance is a vital tool in mitigating the risks tied to MSPs. With a comprehensive policy, you’ll have the resources and support you need to respond quickly and effectively following a security incident, get your business back online, and regain your clients’ trust. Here are some tips to help you make the most of your coverage:
- Coverage: Ensure your policy covers risks associated with outsourcing IT services, like data loss, privacy breaches, and business interruptions. Additionally, your policy should include Third-Party Liability Coverage to pay damages and defence costs if you’re sued by a third-party, like a client or another supplier, who was affected by a breach on your network.
- Security: Verify the minimum security controls and ensure both you and your MSP meet the conditions set out by your insurance company.
- Limits: Some MSPs might require you to purchase Cyber Insurance or even insist on specific limits as a condition of doing business. Discuss this with your provider and try to understand why they want you to carry a certain limit. Amend your policy as needed.
- Emerging Threats: Your Cyber Insurance should evolve as your risk environment evolves. Be sure to regularly assess and update your coverage to stay ahead of emerging threats and trends. Consult a lawyer or a licensed broker to help you make sense of the fine print, negotiate favourable terms, and ensure your policy is geared towards your needs.
6. Work with a risk advisor.
The right MSP is paramount to safeguard your business. But it’s just as important to have the right risk advisor by your side—a guiding force to help you navigate the complex terrain of cybersecurity risks. Someone to stay on top of emerging threats that could affect you. Someone to read through the fine print, advocate for your needs, and ensure that your insurance coverage continues to protect your interests. Someone like PROLINK.
As a licensed broker with over 40 years of experience and a specialized knowledge of cyber markets, we’re ahead of industry trends. We’ll help you plan, protect, and seamlessly integrate MSP solutions into your organization. Our dedicated team of advisors will:
- Identify cyber perils, attack scenarios, and potential losses based on your operations and unique needs;
- Share what steps others in your industry are taking and advise you accordingly;
- Provide you with comprehensive insurance and proactive risk management solutions that align with your business goals and budget;
- Regularly reassess your exposures and readjust your strategy to scale with your leadership, people, and processes.
To learn about your exposures—and how you can protect yourself—visit our Cyber Security & Privacy Breach Toolkit and connect with PROLINK today!
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.