Dec 21 2018

Who’s watching the watchers?

All organizations must show their IT teammates a great deal of trust. They hold the ‘Keys to the Kingdom’ within each company, administering all of its information resources and, importantly, its company data. The secret to ‘Bush’s Baked Beans’ is in the hands of the technologists who run their networks. When you hire an outsourced MSP (Managed Service Provider), you are entrusting them with similar control. Choosing the right MSP partner is critical to the safety and security of your business.

Enter the Chinese.

Layer 8 Security has had the opportunity to partner with many MSPs to bring both technology and security services to our customers. MSPs provide companies a valuable service by offering outsourced Information Technology (IT) support. Much of this help is done remotely: the MSP can solve IT issues by accessing their client’s computers or servers from their own office rather than being on-site at the client location. MSPs leverage various software solutions to enable this connection, such as Labtech, Kaseya and others. These solutions also allow the MSPs to provide maintenance services to their customers, such as monitoring and updating / patching. These portals are important for the healthy functioning of networks, but also open the possibility of unwanted access.

Not all MSPs are created equal. Some take security seriously, while others are cavalier about their approach to safeguarding customer networks / data. IT professionals are often the worst at practicing good security principles, taking too many shortcuts to get their job done and having a “Do as I say, not as I do” attitude. Chinese Hackers (as well as others) have noted this with glee. As highlighted in this story from Wired, Chinese hackers have realized that they don’t need to waste time hacking into your company: if they hack your MSP, they gain access to dozens of companies like yours, effectively giving them the keys to the kingdom…

If you are using an outsourced MSP, please ask them if they’ve ever had their own networks validated by a third-party audit. Having them say they do this internally is simply not enough, as there is an inherent conflict of interest in self-audit. Your MSP should be able to show you a letter of attestation from a cyber security firm showing you they take their own (and therefore your) security seriously. You are risking your company’s future if you don’t take this step. As the title of this blog states, “Who is watching the watchers?”

Several of our MSP partners ask us to provide security services to them so they can assure their customers that they are serious about security.  Unfortunately, most MSPs are far too cavalier, smug in their complacency, to take this step.  Chinese Hackers rejoice…