In light of the recent Kaseya supply-chain attack, the relationship between IT/manged services providers and small to mid-sized businesses has come to the forefront.
Responsibility and expectations are the the major discussion points. For purposes of this discussion, an SMB is a small to mid-sized business that either has a small IT department or completely outsources IT to an external provider. An MSP (managed services provider) is an IT services provider that may have a variety of services offerings and capabilities. A typical MSP handles: help desk, new workstation setup, user account setup, server management, email migration, remote access solution deployment, operating system patches, firewall configuration, and others.
Note that the typical MSP does not include development and management of a comprehensive cybersecurity program.
A few considerations are highlighted below:
- The SMB must understand that cybersecurity is a business consideration that sits at the highest level of management. IT staff and MSPs are not suitable for enforcing policy or making decisions on handling risk.
- Outsourcing IT does not mean that every aspect of IT and cybersecurity is covered. This might be the most common misconception and should receive particular consideration.
- SMBs must understand the role of the MSP and/or IT. With particular regard to MSPs, there is a great deal of variety in capabilities and offerings around cybersecurity. The SMB should be highly interested in understanding the capabilities of the MSP and explicitly verify the capabilities of the MSP. The MSP should provide an honest statement regarding cybersecurity practice capabilities and expectations. There are dual responsibilities with regard to this relationship.
- MSP capabilities and understanding vary: MSPs with minimal cybersecurity focus, MSPs with some cybersecurity focus, and MSPs with comprehensive cybersecurity practices. The variety does not mean any MSP or business model is wrong, it just enforces the need for an advisor focused on cybersecurity when gaps exist.
CISA provides additional guidance: https://www.cisa.gov/sites/default/files/publications/CISA%20Insights_Guidance-for-MSPs-and-Small-and-Mid-sized-Businesses_S508C.pdf