By Karen Sprenger   /   Jul 19th, 2022

10 Questions to Ask a Potential Managed IT Service Provider - MSP & MSSP

Depending on the size of your organization, its philosophy, and the resources available to it, you may rely on the services of a managed service provider (MSP) and/or managed security service provider (MSSP) to support your internal technical infrastructure. Both are great solutions, whether they are augmenting your existing information technology (IT) or information security (IS) team or acting as your only IT/IS team. The important thing to remember is, regardless of who is managing your network, cloud services, workstations, servers, and so on, you as the organization are still responsible for the security of the information you hold. In addition, just two months ago US intelligence agencies released an alert that they are seeing a worldwide increase in attacks on MSPs, and they expect this to continue as criminals look to leverage the MSP’s access to compromise all customer organizations. It’s crucial to do your homework when choosing and using a service provider, but many organizations are not sure what questions to ask a potential managed IT service provider.

Based on an idea that I blatantly stole from our Chief Strategy Officer, Madison Iler (thanks, Madison!), I asked a handful of team members at LMG Security to share with me the questions that they ask when they are interviewing an MSP or MSSP who manages one of our client’s environments. They came up with a great list of questions to ask a potential managed IT service provider. So many, in fact, that we’re going to turn this into a two-part blog series, so stay tuned for part two!

10 Questions to Ask a Potential Managed IT Service Provider About People and Access

Here in Part One of questions to ask a potential managed IT service provider, we’re going to focus on people and access. In Part Two, we’ll look at their environment and the tools they use. Below, I’ve shared our team’s questions, along with the ideal answers you should hope the MSP supplies. For simplicity, I will use the acronym “MSP” for all questions; however, all the questions apply to both an MSP and an MSSP and will help you select the best provider for your organization. Let’s begin:

Q: Do your employees undergo background checks?

A: Anyone with access to your organization’s most sensitive data should, at a minimum, be undergoing a criminal background check. If they will have access to financial transactions, a credit check is recommended as well.

Q: Do you use contractors or are all staff regular employees?

A: It’s somewhat common for IT companies to use contractors, so that alone is not a red flag. However, if they do use contractors, ensure that the contractors are required to undergo the same background check and sign and follow the same policies (like Information Security, Acceptable Use, and Non-Disclosure policies) as regular employees.

Q: Do you provide security training for your own staff and if so, how frequently?

A: Security training is important for ALL employees, even those working in security on a daily basis. Monthly training is ideal, but at a bare minimum there should be annual training. This is one of the most important questions to ask a potential managed IT service provider. It’s crucial that everyone at your MSP, from the receptionist to the CEO, is trained to be the first line of defense against cyberattacks. If they’re breached, you’re at a very high risk of being breached as well. In addition to general cybersecurity awareness training for everyone, don’t forget to ask about specialized training for cybersecurity responders. Read this training blog for more information on the importance of cybersecurity training.

Q: Do you use shared accounts and passwords for management accounts?

A: While it’s still fairly common for MSPs’ employees to share the same username and password to access and manage your systems, it’s a HUGE security concern. Without individualized accounts, it’s impossible to track access, configuration changes, or nefarious actions back to one person. It’s also difficult to limit access to the account, and it’s next to impossible to use multifactor authentication (more on that shortly). If shared accounts are used, some follow-up questions are necessary:

Q: Are the credentials the same for all of your clients?

A: Credentials should not be shared, but especially should not be shared across different clients and organizations. If cybercriminals gain access by guessing, phishing, or cracking the password to the shared account at one client, they now have access to every client managed by that MSP. Since you don’t control the security policies and training for the rest of your MSP’s clients, you don’t want to share a password with those clients.

Q: When an employee leaves, do you change the password?

A: If it’s absolutely necessary to use a shared account, the password should be changed any time an employee leaves the MSP. If it’s not changed, the former employee would retain access beyond the termination of their employment.

Q: What is your password policy?

A: Your MSP should require any password that is used to access and manage your network to be a minimum of 25 characters, since they will have elevated privileges (check out our blog on password length and hacking – it’s an interesting read). The passwords should be reset at least annually and contain some complexity such as uppercase and lowercase letters, as well as numbers. The passwords should not contain common words like ‘password’, the year, or the seasons, and should never include your organization’s name or other identifying information like a client number.
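As an added illustration (not code from the original post or from LMG Security), the following Python function checks a candidate management password against the policy described above: 25+ characters, mixed case plus digits, no common words, years or seasons, and nothing that identifies the client. The organization name, client number, and the list of common words are constructed placeholders.

```python
import re
from datetime import date

# Policy parameters taken from the blog's recommendations; the common-word
# list is a constructed starting point, not an exhaustive dictionary.
MIN_LENGTH = 25
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
COMMON_WORDS = ("password", "passw0rd", "welcome", "admin")


def check_admin_password(password, org_name, client_number=None, year=None):
    """Return a list of policy violations; an empty list means the password passes."""
    year = year or date.today().year
    lowered = password.lower()
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    # Dictionary-style content is checked case-insensitively as a substring,
    # so "Summer2022!" is caught even though it mixes case.
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    for season in SEASONS:
        if season in lowered:
            problems.append(f"contains season '{season}'")

    # Flag the current year and the years around it (people pad with "2022!").
    for candidate in range(year - 2, year + 2):
        if str(candidate) in password:
            problems.append(f"contains year {candidate}")

    # Anything identifying the client: organization name (spaces and
    # punctuation stripped before comparing) or the client number.
    org_key = re.sub(r"[^a-z0-9]", "", org_name.lower())
    if org_key and org_key in re.sub(r"[^a-z0-9]", "", lowered):
        problems.append("contains organization name")
    if client_number and str(client_number) in password:
        problems.append("contains client number")
    return problems
```

Run the function in the MSP's account-provisioning workflow (or as a one-off check on exported management credentials) and reject any password that returns a non-empty list.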

Q: Do you use multifactor authentication (MFA) on all of the administrator or management accounts that you use to connect to our network?

A: MFA should be in use. It is the quickest and easiest way to add a layer of security against unauthorized access. A cybercriminal with the username and password for an account secured with MFA would be unable to access the account without first gaining access to the token. On a side note, your organization should also be using MFA. You can get started with free MFA services in Microsoft 365 and G-Suite. If you need SSO and advanced management capabilities, try Duo’s MFA solution. Our team can help set these up for you, or you can watch our free MFA implementation videos that provide step-by-step instructions for deploying popular MFA services from Microsoft 365, G-Suite, and Duo. You can also read our best practice tips and advice on what solution is best for your organization in our MFA tip sheet.

Q: Do your staff members use separate accounts for regular duties (e.g., checking email) and administering our network?

A: For security purposes, user-level accounts should be used for regular duties; administrator-level accounts should be reserved for specific management tasks that require that level of access. If, for example, an email with a malicious attachment reaches an account holder with administrator access and the attachment is opened, the malware is more likely to install itself and spread, because the privileged access allows both to happen.

Q: How often do you perform account reviews (of both your accounts and ours)?

A: User and service accounts should be reviewed monthly or quarterly. The review should look for unrecognized accounts as well as accounts that are no longer in use or have privileges escalated beyond what is necessary for the role.
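As an added example (not part of the original post), this Python script performs the three checks the blog says an account review should cover, comparing a directory export against the roster the MSP contract and HR say should exist. The directory export, roster, role-to-privilege baseline, and 90-day inactivity threshold are all constructed assumptions.

```python
from datetime import date, timedelta

# Privileges each role legitimately needs (constructed baseline for the example).
ROLE_BASELINE = {
    "helpdesk": {"reset_password", "read_tickets"},
    "sysadmin": {"reset_password", "read_tickets", "server_admin"},
    "service": {"backup_read"},
}
STALE_AFTER = timedelta(days=90)  # assumed threshold for "no longer in use"


def review_accounts(accounts, roster, today):
    """Return findings keyed by the three things a review should catch.

    accounts: list of dicts (name, privileges, last_login) from the directory.
    roster:   dict of name -> role for every account that should exist.
    """
    findings = {"unrecognized": [], "inactive": [], "over_privileged": []}
    for acct in accounts:
        name = acct["name"]
        if name not in roster:
            findings["unrecognized"].append(name)
            continue  # nothing to compare against; investigate or disable
        last = acct.get("last_login")
        if last is None or today - last > STALE_AFTER:
            findings["inactive"].append(name)
        allowed = ROLE_BASELINE.get(roster[name], set())
        extra = set(acct.get("privileges", ())) - allowed
        if extra:
            findings["over_privileged"].append((name, sorted(extra)))
    return findings


# Constructed sample data: a directory export and the expected roster.
SAMPLE_ACCOUNTS = [
    {"name": "msp-jdoe", "privileges": {"reset_password", "read_tickets"}, "last_login": date(2022, 7, 1)},
    {"name": "msp-asmith", "privileges": {"reset_password", "read_tickets", "server_admin", "domain_admin"}, "last_login": date(2022, 7, 10)},
    {"name": "svc-backup", "privileges": {"backup_read"}, "last_login": date(2022, 2, 1)},
    {"name": "msp-temp", "privileges": {"server_admin"}, "last_login": date(2022, 7, 15)},
]
SAMPLE_ROSTER = {"msp-jdoe": "helpdesk", "msp-asmith": "sysadmin", "svc-backup": "service"}


def sample_review():
    """Run the review over the constructed data as of the blog's publication date."""
    return review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, date(2022, 7, 19))


if __name__ == "__main__":
    for category, items in sample_review().items():
        print(category, items)
```

On the sample data the review flags an account not on the roster, a service account idle for more than 90 days, and a sysadmin holding a privilege beyond the role baseline.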

Conclusion

I hope these questions to ask a potential managed IT service provider help you choose a great organization. Remember, even if you already have an MSP or MSSP, these questions can be used annually as a conversation to update your understanding of their security processes and posture.

Stay tuned for part two of our questions to ask potential managed IT service providers series in which we’ll look at the MSP’s environment and the services they provide. I’d like to thank Madison Iler, who provided the idea, along with Parker Lee, Tom Pohl, and Jake Unruh who shared their knowledge and insights.

The main takeaway of this blog is – you are responsible for the security of the information you use and hold. Don’t be afraid to ask questions of those you have hired to help you to ensure that they are meeting or exceeding the standards you require.

If you need additional cybersecurity or compliance advice, solutions, training, or technical testing solutions, contact us. Our experienced team is ready to help!

About the Author

Karen Sprenger

Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She has more than 25 years of experience in cybersecurity and information technology, and she is a noted cybersecurity industry expert, speaker, and trainer. Karen is also the co-author of a new book, Ransomware and Cyber Extortion: Response and Prevention. She speaks at many events, including those held by Wall Street Journal Cyber Pro, Fortinet, the Internal Legal Tech Association, and the Volunteer Leadership Council. Karen is a GIAC Certified Forensics Examiner (GCFE) and Certified Information Systems Security Professional (CISSP) and holds her bachelor’s degree in music performance (yes, really). In her spare time, Karen considers “digital forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” A lifelong Montanan, she lives in Missoula with oodles of poodles.