The Dangers of Managed IT Service Providers (MSPs) for SEC-registered Firms.
(And Knowing When to RUN away from them)
There is a conflict of interest between every MSP and their clients which makes MSPs an insider threat to every SEC or FINRA registered firm’s processes and systems. They have unrestricted access to a client’s network and systems, which gives them the ability to do serious damage if they are not properly supervised.
In this blog post, I will explore the dangers of MSPs, how to audit their work, and how to protect your firm from them. While I am not saying every MSP is like this, I will say that the vast majority I have encountered within my 200+ cyber audits are.
So what is the big problem?
The goals of the MSP and their clients never align.
In the cybersecurity world, there is a very real balance between “security” and “convenience”. The more secure a system is, the less convenient its usage, and vice versa.
The goal of every MSP is to deliver templated technology solutions (or a package of solutions) to as many clients as possible. The MSP is generally going to err on the side of convenience when deploying these packages because that decreases the MSP’s workload both in implementation and support. When they err on the side of convenience, they neglect security and leave vulnerabilities open across the client’s network.
The goal of the client (the SEC or FINRA registered firm) is security, and having the MSP provide that security is often in direct conflict with the MSP’s ability to conveniently deliver their solutions.
Thus, their goals in the service never align.
Here are some of the problems I think need to be discussed in the industry right now as the SEC continues to roll out the new cybersecurity regulations known as 206(4)-9.
To start, every firm should understand that solutions also come with problems. While hiring an MSP may help your IT department’s workload, it adds significant complexity to the Compliance department’s workload.
Here are the issues:
MSPs Have Unrestricted Access to Your Network and Are Frequent Targets of Attack
MSPs have full access to your network and systems. This includes all of your data, applications, and devices. They can also make changes to your system configurations. This level of access makes MSPs a prime target for cyber criminals. If an MSP employee is compromised, the attacker can gain full access to your network and systems. This could allow them to steal sensitive data, install malicious software, or even shut down your entire network. Do you trust your MSP to report this breach to you? Don’t. They won’t. An MSP reporting a breach to you would cause reputation risk, revenue loss, as well as potential litigation.
MSP Employees Are Not Properly Supervised
MSP employees are not always properly supervised. This means that they may not be following proper security procedures when working on your network and systems. Additionally, MSP employees may not be properly trained in cybersecurity best practices. This could lead to them making mistakes that could put your firm at risk. For example, an MSP employee could accidentally delete critical files or fail to apply security patches in a timely manner.
How to Protect Your Firm from MSP Insider Threats
There are several steps that you can take to protect your firm from MSP insider threats:
1. Vet Your MSP: Be sure to thoroughly vet your MSP before giving them access to your network and systems. Make sure that they have a good reputation and that their employees are properly trained in cybersecurity best practices. Ask to see third-party audit reports. If they don’t have them, this firm is not your friend. Your MSP should already have these reports and be proud to share them with you. If they aren’t, something is very wrong and the MSP is not working in your best interest.
2. Monitor Your Network: Be sure to self-monitor your network for any suspicious activity. This includes monitoring for unauthorized changes to system configurations and unusual patterns of data usage. During an examination, the SEC will want to see where you are verifying the MSP’s security duties.
3. Restrict Access: Be sure to give MSP employees only the minimum amount of access necessary to perform their job duties. Do not give them any unnecessary privileges that could potentially be abused. When they request access to a system, ask the MSP to submit the request in writing to explain why they need access to those systems. Also ask the MSP to submit reports of which employees have access to your systems and what level of access they have. This all needs to be documented for the SEC and FINRA.
4. Educate Your Employees: Be sure to educate your employees about the dangers of working with unsecured networks and systems. Make sure that they know how to spot suspicious activity and what steps to take if they believe that their account has been compromised. If you have fewer than 11 employees, you can implement the FieldCraft cybersecurity awareness training program for free. [ https://www.fieldcraft.training ]
5. Implement Multi-Factor Authentication: Be sure the MSP implements multi-factor authentication for all user accounts, including accounts used by MSP employees. This will help reduce the risk of attackers gaining access to your network if an employee’s credentials are compromised. Oftentimes, MSPs do not use MFA because it adds to the time and complexity of their workload. Having MFA solves 99% of cybersecurity problems. If your MSP does not implement MFA by default... RUN.
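As an added example (not code from the original post), here is a Python check a compliance team could run over the written access report that step 3 asks the MSP to submit, flagging the MFA gap from step 5, admin rights outside the contracted scope, and access nobody has used in months. The report columns, the allowed-systems list and the sample rows are assumptions constructed for the illustration.

```python
# Added example: audit an MSP-submitted access report against the firm's own
# policy. The CSV layout below is assumed; the rows are constructed samples.
import csv
import io
from datetime import date

# Constructed sample of the written report requested in step 3: who has
# access, to which system, at what level, whether MFA is on, and last login.
MSP_ACCESS_REPORT = """\
user,system,access_level,mfa_enabled,last_login
alice@msp.example,domain-controller,admin,yes,2024-05-01
bob@msp.example,file-server,admin,no,2024-04-28
carol@msp.example,file-server,read,yes,2023-09-12
dave@msp.example,order-mgmt,admin,yes,2024-04-30
svc-rmm@msp.example,all-workstations,admin,no,2024-05-02
"""

# Firm-side policy (assumed): systems the MSP is contracted to administer,
# and how long an unused account may sit before it should have been removed.
ALLOWED_ADMIN_SYSTEMS = {"domain-controller", "file-server", "all-workstations"}
STALE_DAYS = 90

def audit_msp_access(report_csv, today, allowed_admin=ALLOWED_ADMIN_SYSTEMS,
                     stale_days=STALE_DAYS):
    """Return (user, system, finding) tuples for the compliance file."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, system = row["user"], row["system"]
        is_admin = row["access_level"].strip().lower() == "admin"
        has_mfa = row["mfa_enabled"].strip().lower() == "yes"
        idle = (today - date.fromisoformat(row["last_login"])).days
        if not has_mfa:                       # step 5: MFA on every account
            findings.append((user, system, "NO_MFA"))
        if is_admin and system not in allowed_admin:  # step 3: least privilege
            findings.append((user, system, "ADMIN_OUTSIDE_SCOPE"))
        if idle > stale_days:                 # unused access should be revoked
            findings.append((user, system, f"STALE_{idle}_DAYS"))
    return findings

def run_sample():
    """Audit the constructed report as of a fixed date so results are stable."""
    return audit_msp_access(MSP_ACCESS_REPORT, date(2024, 5, 3))

if __name__ == "__main__":
    for finding in run_sample():
        print("%-22s %-18s %s" % finding)
```

Each finding is something the SEC examiner in step 2 can see you checked; a clean run with no findings is the record worth keeping.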
By taking these steps, you can help protect your firm from the dangers of MSP insider threats.
In conclusion, many firms think hiring an MSP solves all their IT problems. While it does solve IT problems, it adds significant work to the Compliance department and to the CISO. It is important to be aware of the dangers of MSP insider threats and take steps to protect your firm from them.
By thoroughly vetting your MSP, monitoring your network, restricting employee access, educating your employees, and implementing multi-factor authentication, you can help reduce the risk of an attack on your firm.
Of course, if you need help with any of this work, MTradecraft would love to assist.
(To be clear, we don’t sell MSP services. We just do the audits.)