
Vendor Supply Chain Risk: How to Audit Your IT Provider

20 March 2026 · 3 min read

It is one of the most concerning trends in cyber security today: instead of attacking your business directly, hackers break into your IT provider.

A Managed Service Provider (MSP) often has unrestricted administrative access to the networks of dozens, if not hundreds, of local businesses. If a threat actor breaches the MSP, they can push ransomware out to every single one of those businesses simultaneously.

Your security is only as strong as the vendors you trust. It is time to audit your IT provider.


Why IT Providers are Targets

Hackers love efficiency. Why attack one business when you can compromise an IT provider and get access to fifty? This "supply chain" approach is becoming the preferred method for sophisticated ransomware groups.


Asking the Right Questions

You do not need to be a tech expert to hold your IT team accountable. Send your account manager an email today and ask for written answers to these five critical security questions.


1. Internal MFA Enforcement

Ask: "Do you enforce Multi-Factor Authentication (MFA) on all your internal remote access tools?" If the software they use to remotely control your computers (Remote Monitoring and Management, or RMM, tools) does not have MFA strictly enforced for every single technician, your network is at severe risk.


2. Credential Segmentation

Ask: "How do you segment our network credentials from your other clients?" If an IT technician's laptop gets compromised, the hacker should not instantly have access to the administrator passwords for your specific business.


3. Independent Security Audits

Ask: "Are you independently audited against a security framework?" IT companies are notoriously bad at eating their own cooking. Ask if they have achieved ISO 27001 certification or have been independently audited against the ACSC Essential Eight. Self-assessment does not count.


4. Zero Trust and Incident Response

Ask about their internal architecture and their plan for when things go wrong. They should use "Zero Trust" internally, and they must have a documented, tested Incident Response plan that includes how they will notify you if they are breached.


Trust, but Verify

If your IT provider gets defensive or avoids answering these questions clearly, that is a massive red flag. A mature tech partner will respect your focus on security and will be proud to share their internal defences with you.

If you want an independent, objective review of your supply chain risk and overall IT environment, book a Cubit cyber security assessment. We act as a fresh set of eyes to find the gaps your standard IT provider might have missed.

To understand where your business stands, we offer a free initial consultation - get in touch.
