Are MSPs Being Targeted By Cyber Criminals?
Are MSPs Being Targeted by Cyber Criminals? Not that I'm aware of.
This idea came from an article I read about a group of Australian CSOs who discussed the notion that MSPs may be the targets of cybercriminals as a means of getting at the end-user customer. While the idea cannot be ruled out, let us examine whether this practice is really happening and what the concerns really are.
Inherent in the article I read is the notion that it may be riskier to engage an MSP than not to. I reject this notion. The "aggregation" of customers by an MSP is simply a red herring and does not represent an increased risk to any particular customer.
By virtue of what they do, MSPs touch a lot of different customers, but this does not mean they pose a risk that is unique and unlike any other outsourced relationship with a customer.
Why Customers Outsourced in the First Place
If customers could more effectively secure and manage their IT resources they would do so! Let's not forget that this is one of the central reasons why customers outsource to MSPs. Furthermore, this reasoning has existed for more than 20 years!
Are Customers Safer by Not Using an MSP?
I suppose you can imagine some ultra-secret military or intelligence network where the use of third-party vendors (like MSPs) would be viewed as additional risk. However, governments all over the world outsource as a regular business practice. The smart ones simply assign their outsourced vendors an appropriate risk factor, directly relevant to the function they provide the customer.
Case in point, Lockheed Martin had very sensitive US military plans for the Joint Strike Fighter stolen as a result of a third-party security vendor. No one has ever suggested that Lockheed was stupid for trying to secure its network by using multi-factor authentication from an outsourced company.
Nobody Does It Better
Generally speaking, MSPs are experts at what they do and can perform specific IT services functions better, less expensively, and more efficiently. This is the entire value model behind managed services. MSPs generally pay a lot more attention to their internal networks and security than most customers. Talk to any MSP for more than 5 minutes and they will inevitably "complain" about customers who do not abide by even basic security policies and procedures. It is more often customers and not the MSPs who pose the security risks. If it is an MSP, then that MSP should be called out for their behavior and made to fix it.
It's All About Vendor Management
Knowing what your risks are and taking measures to mitigate those risks is part of good vendor management. MSPs who are Verified must demonstrate this behavior with their vendors. Quite frankly, so should customers.
Transparency and disclosure are an excellent approach to mitigating risk when dealing with outsourced entities. Outsourcing to an MSP is no more unique in this regard than outsourcing your accounting, legal, or other services, which also pose risk to your business endeavors.