As your business grows, so does its complexity. Every new hire requires a user profile, a computer, and training. With every new employee, your information environment expands more than you might think. So, you start looking for personnel to manage that information environment and all the technology that comprises it. Business owners might choose to hire an on-site IT staff, an outsourced managed service provider (MSP), or a combination of both. It is typically more efficient and more cost-effective for a small-to-medium-sized business to outsource its IT function to an MSP or its cybersecurity function to a managed security service provider (MSSP), but we’d be remiss not to say that outsourcing comes with its own risks.

MSPs can be a gateway for intrusions via an attack method called “Buffalo Jumping.” Internal issues at an MSP might delay the resolution of issues in your business. And breaking up with an MSP can lead to loss of access to certain data or systems, or loss of the data itself. That said, not all MSPs are created equal. In this article, we address common risks of using third-party IT service and security providers, and how NTG strives to mitigate those risks in our service offerings.


Compromised customer and company data resulting from cyberattacks

In the last few years, we’ve seen a significant increase in “indirect cyberattacks,” otherwise known as “Buffalo Jumps.” According to a report from Beazley, ransomware attacks delivered via vendors or MSPs account for 24% of cases. In other words, if an MSP falls victim to malware, it can quickly spread to that MSP’s customers.

It stands to reason that any MSP (and especially any MSSP) worth its salt has a healthy cybersecurity infrastructure. In fact, MSPs and MSSPs need to be held to a higher standard of security than their customers due to these factors:

  • MSPs and MSSPs proportionately handle more IT processes and systems than general organizations, putting them at more risk.
  • MSPs and MSSPs deal with a wide range of systems, so their processes and procedures may be more standardized. This may lead to a loss of flexibility from the customer’s point of view.
  • Security and helpdesk staff may be stretched thin and lose sight of the finer details required to protect and secure an organization’s network.
  • MSPs and MSSPs often outsource certain services themselves.

Usually, a Buffalo Jump attack occurs when a threat actor obtains the credentials of someone at an MSP who holds elevated (escalated) privileges across customer environments. It is extremely important for MSPs and MSSPs to have complete control of access management rights and account provisioning. Here at NTG, we take that a step further.

We use a proprietary technology known as a “jump box,” ensuring that our customers’ networks are physically separate from our own. Even if NTG were compromised, it would be nearly impossible for an adversary to jump from our network to yours. NTG is also CMMC certified, which means we have over 100 security controls in place. Our partnerships with federal entities require our organization to be ironclad, far above the compliance requirements for most MSPs and MSSPs.

Financial risk from incident costs or lost business

Cybersecurity insurance has been a particularly volatile offering lately. Some providers have stated they will not cover any loss resulting from a state-sponsored cyberattack. Most providers will not cover losses if they deem their customer’s security lackluster. (All cyber liability carriers list several security controls that must be in place for them to cover the financial fallout from an attack.) Unfortunately, insurance providers and third-party IT providers don’t consult each other on a regular basis to ensure their goals align. A business may have a great policy in place, but its service provider might not know the requirements for keeping that policy in force. And even if the provider is aware of those underwriting requirements, monitoring them might not be a priority for the MSP or MSSP.

Nobody wants to deal with the financial fallout of a denied claim on top of a compromise via ransomware or some other malware, so who does one turn to? Who can say, “Even if you are attacked, we’ll help you get back online in a few hours, and don’t you worry about that insurance claim – we made sure all those requirements are in place”? As it turns out, we’re experts in meeting compliance and regulatory requirements. As I said in the previous section, our longstanding work with the government requires that we be able to navigate and meet stringent guidelines for organizations in all industries – whether those guidelines come from NIST, CMMC, HIPAA, or ITAR.

Geographic separation

Proximity is far less important than it was a decade ago. In our post-COVID world, thousands of companies are driven by fully remote workforces. Many of these companies have employees all over the world who remain connected thanks to advances in information technology. Depending on the nature of a business, all work can be done from a computer in any space that has Wi-Fi. Of course, this only works efficiently if an organization has a handle on its IT infrastructure.

Even so, most IT troubleshooting can be done remotely. If you’re operating an office in Minnesota and your MSP is in Florida, they can still fix your issues from hundreds of miles away. But what happens if your on-prem systems suffer a failure that can’t be fixed from a remote desktop? Do you enlist the help of a local MSP? They might not be familiar with the specifics of how the Florida MSP operates. They might make the issue worse.

Most of our customers are in the state of Florida, but we have customers in several other states. While many issues can be fixed from hundreds of miles away, we’ll send in the engineers if the issue calls for a more hands-on approach. It might take us a little longer to get to, say, California rather than Orlando, but we’re more than willing to make the trip to support our customers.

Lack of transparency in the MSP partnership

Some MSPs and MSSPs may not be a good fit for your business if they don’t have experience in your industry or sector. The first month or two of working with a new MSP is often referred to as a transition period. It is especially important for an MSP to learn your business needs, daily functions, ongoing projects, and challenges during this period. A great MSP will foster open communication and information exchange throughout the course of a partnership.

However, this isn’t always what happens. Certain MSPs are “set in their ways” (the same can be said of businesses in any industry). Those “ways” might be effective for one type of customer but catastrophic for another. Be wary of MSPs that aren’t transparent during the initial transition period, especially if the information exchange is one-sided.

If you’re trusting an MSP to manage your business’s IT, you should be able to see into their operations. At the very least, the MSP should meet with its customers’ stakeholders and key personnel once a quarter. And it should be able to show you logs, basic metrics, and quantifiable results.

At NTG, we pride ourselves on being a dynamic, flexible MSP and MSSP. We share information with our customers so that they can make informed decisions for the betterment of their business. We don’t push our customers towards a single vendor or type of IT environment – we are, after all, vendor agnostic.