If your company is considering using a managed service provider (MSP) or managed security service provider (MSSP), you aren’t alone. Eighty-six percent of SMBs say that cybersecurity is a top five priority for their business, and 50 percent say that all or the majority of their cybersecurity will be outsourced in the next five years. For SMBs, managed security services offer the cybersecurity protections they don’t have in-house.
The COVID-19 pandemic showed the value of working with an MSSP. As the workforce moved suddenly to remote offices, SMBs needed to be able to secure connections, networks, and data with little warning, a process that even large enterprises with sophisticated security systems and experienced teams struggled to do.
Now, as SMBs weigh the option of continuing with a fully remote workforce or moving to a hybrid solution, there is a need to have safeguards against potential threats on a more permanent basis.
Remote work has added to an already expansive threat landscape that many SMBs don’t have the capabilities to handle. Because cybersecurity should be a top priority for any business regardless of size, working with an MSSP is the best option to protect company assets. However, there are a lot of managed security service providers out there, and like cybersecurity solutions, there is no one-size-fits-all option. To find the best MSSP fit, SMBs need to know what they are protecting in order to cut through all the cybersecurity noise.
Asking the right questions
Just as you have a list of questions to use for conversations with prospective employees, SMBs must develop a list of questions for MSSPs. These questions should be tailored for your company’s specific needs but should include the following:
- What does your managed security service cover? Will you provide protection for every endpoint, across the entire network, including cloud? Does it include monitoring logs and access?
- What is your approach to threat response? How much time does it normally take to detect and mitigate a threat?
- Do you have experience with my operating systems, hardware, and software? (Companies that deal with critical infrastructure need MSSPs who have experience in operational technology support, as well as more traditional IT systems, for example.)
- What types of certifications and training do your security staff have?
- Do you provide a dedicated staff for my company who can respond to my needs quickly?
- What happens if there is an outage on your end? How do you protect data and networks during downtime? How do you prevent downtime?
- What are your most popular services? What is included in a standard agreement and what is extra? How do you handle needs that come up outside of the contract?
- Do you have a help desk that is available 24/7? Where is your help desk located?
- Do you use any third-party providers that could add security risks?
- How do you monitor our IT infrastructure, and how quickly are you alerted to an incident?
- What are our company’s responsibilities to ensure the highest levels of security?
- Do you offer on-site support as well as remote management?
Tips for hiring the right MSSP
You know the questions to ask, and you should have several good providers to choose from. Now it comes down to evaluating each one and deciding which is the right fit for your company. Here are a few tips to help guide you through that final decision.
- Know your current security posture: Take stock of the security tools are you already have and assess whether the MSSP can seamlessly work with and augment your current system.
- Know what you want to protect: A company that relies heavily on IoT devices will have different security needs than one that uses primarily traditional network architecture.
- Look closely at the Service Level Agreement (SLA): The terms should have well-defined objectives, services offerings, and levels of support. Is the SLA a generic agreement or one designed specifically for your company?
- Ask for references: Request references from other companies within your industry and with similar needs, and then check those references. Areas to check with current customers include concerns with the SLA, ease of deployment, help desk experiences, and any serious security issues that occurred while working with the MSSP.
With ransomware becoming a regular feature on the evening news and people become more aware of cyber threats, contracting with a managed security service provider offers peace of mind to SMBs that otherwise wouldn’t have an effective security system in place. The goal for the SMB is to make sure that MSSP is the right fit, and that means knowing exactly what you need and what to look for.