The 6 steps I should take to protect my financial services business
Given their size, culture and critical technology needs, mid-market financial firms have always made widespread use of IT Managed Service Providers (MSPs). The accelerated pace of technology change, cloud adoption, the need for remote working and the demand for more cyber security services mean that firms are now looking to MSPs more than ever to manage and secure their technology.
This brings many benefits: the customer can focus on its core business, and gains cost savings, increased efficiency and access to the latest skills and technology. But even though firms use MSPs partly to help them with their cyber security, the arrangement ironically introduces cyber risks of its own, or more specifically “Supply Chain Cyber Risks”.
What are Supply Chain Cyber Risks?
These are attacks in which the attackers do not target the end victim directly but instead gain access via one of its key suppliers, who often hold a trusted level of access. Because an MSP typically has a very high level of access to many customers' systems, it is an attractive target and a potential way into numerous customers at once.
This has been demonstrated by some very high-profile attacks. For example, in 2021 Microsoft issued an alert that the threat actor Nobelium, the group responsible for the 2020 SolarWinds supply chain compromise, was targeting resellers and MSPs in order to abuse the delegated administrative access those providers hold into their customers' environments.
In addition, regulators such as the FCA and governments have been increasing their focus on these types of risks. In 2021 the UK government held a call for views on supply chain cyber security, and its published response acknowledged the extent of the issue and supported regulating MSPs in this area because of the size of the potential threat to businesses.
So what are the biggest risks, and what steps can you take to address them?
1. Take the time to understand your MSP’s culture.
Does the MSP see themselves as a potential cyber security risk to their clients? Is it something which is formally documented as a risk and understood by senior management? Discussing this with your MSP can provide a quick insight into whether they understand the issues and that it’s on their agenda.
Many MSPs respond defensively when questioned on this subject, often simply because they are hired for their security skills and do not see themselves as part of the problem. MSPs who acknowledge and confront this threat, and are transparent about it, will be the providers whom customers can trust.
2. Recognise security is a shared responsibility
Many customers do not understand that when using an MSP they are in a “shared security model”, where responsibility for security is split between themselves, the MSP and the cloud providers. If this is unmanaged, it can leave holes in the collective security posture, or “blind spots”, that attackers can target. Financial firms in particular should understand that in the eyes of the regulator (the FCA), the firm remains fully accountable for the end-to-end security of its supply chain, even where critical or important functions have been outsourced to a third party.
Our advice is to make sure that you conduct a risk assessment to identify any gaps and build contractual arrangements with your MSP that clearly defines responsibilities for security.
3. Focus on appropriate Administrator Access
MSPs will require administrator access to customer systems to deliver their services. This may include the MSP holding the “Root” or “Global Admin” role, which carries the highest possible level of permissions.
Customers should ensure the MSP applies the principle of “least privilege”: its technical staff should use individual, not shared, accounts, with only the minimum rights needed to perform the authorised task. The Global Administrator account should be reserved for emergencies (a “break-glass” account). Sadly, many MSPs use it to perform even the most basic administration. In addition, the MSP should have a clearly documented “access control policy” detailing which staff hold the privileges for which tasks, and should use tools such as Azure Lighthouse, which delegates access to the MSP's own identities, to avoid creating user accounts in every client's environment for every member of their staff.
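The checks in this step can be run mechanically once the MSP has handed over its role assignments and access control policy. The script below is an added example and not Lanware's own tooling. It assumes the role assignments and break-glass sign-ins are exported into the simple row types shown (as you could build from an Entra ID role-assignment report and sign-in log), that the MSP's policy lists which named engineer may hold which role and which accounts are the approved break-glass accounts, and that legitimate emergency sign-ins carry an incident ticket reference. The regex of generic account names and all sample rows are constructed for the example.

```python
"""Audit an MSP's directory-role assignments and break-glass usage against the
least-privilege expectations above. Added example; data shapes are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GLOBAL_ADMIN = "Global Administrator"
# Generic local-parts that suggest a shared, non-individual account (assumed list).
SHARED_LOCALPART = re.compile(r"^(admin|msp[-_]?admin|support|helpdesk|shared)\d*$", re.I)

Finding = Tuple[str, str, str]  # (severity, account, message)


@dataclass(frozen=True)
class Assignment:
    upn: str   # account holding the role (assumed export field)
    role: str  # directory role name, e.g. "Global Administrator"


@dataclass(frozen=True)
class SignIn:
    upn: str
    when: str              # timestamp kept as text for the example
    ticket: Optional[str]  # emergency ticket reference, None if absent


@dataclass
class AccessPolicy:
    approved: Dict[str, Set[str]]  # engineer UPN -> roles they are documented to hold
    break_glass: Set[str]          # the only accounts allowed standing Global Administrator


def is_shared_account(upn: str) -> bool:
    """True for generic accounts that several engineers could be logging in with."""
    local = upn.split("@", 1)[0]
    return bool(SHARED_LOCALPART.match(local))


def audit_assignments(assignments: List[Assignment], policy: AccessPolicy) -> List[Finding]:
    """Flag shared accounts, standing Global Admin outside the break-glass set,
    and any role the documented access control policy does not cover."""
    findings: List[Finding] = []
    for a in assignments:
        if is_shared_account(a.upn):
            findings.append(("HIGH", a.upn, f"shared account holds {a.role}"))
        if a.role == GLOBAL_ADMIN and a.upn not in policy.break_glass:
            findings.append(("HIGH", a.upn, "standing Global Administrator outside break-glass set"))
        if a.upn not in policy.break_glass and a.role not in policy.approved.get(a.upn, set()):
            findings.append(("MEDIUM", a.upn, f"{a.role} not covered by access control policy"))
    return findings


def audit_break_glass_use(sign_ins: List[SignIn], policy: AccessPolicy) -> List[Finding]:
    """A break-glass sign-in with no emergency ticket is routine use of Global Admin."""
    return [("HIGH", s.upn, f"break-glass sign-in at {s.when} without emergency ticket")
            for s in sign_ins if s.upn in policy.break_glass and not s.ticket]


# Constructed sample data: one MSP engineer misusing GA, one shared GA account,
# one engineer missing from the policy, and one undocumented break-glass sign-in.
SAMPLE_POLICY = AccessPolicy(
    approved={
        "alice@msp.example": {"Exchange Administrator", "User Administrator"},
        "bob@msp.example": {"Helpdesk Administrator"},
    },
    break_glass={"breakglass1@client.example"},
)
SAMPLE_ASSIGNMENTS = [
    Assignment("alice@msp.example", "Exchange Administrator"),
    Assignment("bob@msp.example", GLOBAL_ADMIN),
    Assignment("mspadmin@client.example", GLOBAL_ADMIN),
    Assignment("carol@msp.example", "User Administrator"),
    Assignment("breakglass1@client.example", GLOBAL_ADMIN),
]
SAMPLE_SIGNINS = [
    SignIn("breakglass1@client.example", "2023-03-01T09:12:00Z", "INC-4471"),
    SignIn("breakglass1@client.example", "2023-03-08T14:02:00Z", None),
    SignIn("alice@msp.example", "2023-03-08T14:05:00Z", None),
]

if __name__ == "__main__":
    for sev, upn, msg in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_POLICY) + \
            audit_break_glass_use(SAMPLE_SIGNINS, SAMPLE_POLICY):
        print(f"{sev:6} {upn:28} {msg}")
```

Run against the sample data it reports six assignment findings (three HIGH) plus one undocumented break-glass sign-in. In practice the assignment rows would come from the customer's own tenant rather than from the MSP, so the audit also verifies that the MSP's stated policy matches what is actually configured.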
4. Ensure multiple customers are segregated
Many customers use an MSP to benefit from economies of scale and to gain access to a helpdesk shared with numerous other firms. The trade-off is that sharing creates the risk that data belonging to different customers is not appropriately segregated and controlled, and that an attacker who compromises the MSP can move across its clients easily.
Customers should exercise oversight of their MSP and hold it to the standard of a cloud provider that is focused on securing multiple customer environments, for example by asking it to demonstrate alignment with a third-party assurance framework such as the Cloud Security Alliance's Cloud Controls Matrix.
5. Security Operation Centre (SOC) is a must have
According to the Datto Global State of the MSP report, only 8% of MSPs have revenue over $10 million, so most are small businesses. This is one of the main reasons most MSPs do not have a dedicated in-house security operations centre. SOCs are expensive and complex functions to build and maintain, and only MSPs of a certain size or maturity will have this capability in-house. For this reason, many MSPs resell specialist third-party SOC services, also known as “Managed Detection and Response”.
In a world where MSPs are subject to highly sophisticated supply chain attacks, this service must exist. It provides a dedicated team of cyber professionals who monitor the threat landscape and the output of security controls 24/7, and who are prepared to respond to and resolve a cyber attack if one occurs. Financial services firms cannot afford to use MSPs that lack this capability, whether in-house (preferable) or, as a minimum, via a third party.
6. Check the quality accreditations of your MSP
Standards and accreditations are a simple yet essential way to gain confidence that your MSP is adopting the highest level of security practices. The most significant example is ISO 27001, the global standard in information security.
Being ISO 27001 certified is not a minor undertaking for small firms. The UK government has put forward proposals which could require MSPs to meet the current NCSC Cyber Assessment Framework (CAF), a set of 14 cyber security principles designed for organisations that play a vital role in the day-to-day life of the UK.
Customers should not only check that the MSP has a standard such as ISO 27001 but look at the scope to make sure it covers their entire business and also ask for recent audit results to ensure that it is maintained.
While MSPs continue to offer a huge number of benefits to the financial services industry, they also introduce new cyber risks. Financial firms need to be aware of these risks and take the appropriate steps to mitigate them, or otherwise face the impact of cyber attacks and regulatory fines.
At Lanware, we recognise that as an MSP to the financial services sector we hold a significant amount of responsibility, and we welcome the opportunity to work with our clients and the wider industry to ensure we all have the necessary controls in place to minimise the inherent supply chain cyber risks.