We’ve all heard about major breaches and the cascading impact they can have across a variety of services. As an MSP, you clearly can’t control these upstream breaches, but you can and should be questioning whether the services from your vendors are following cybersecurity best practices.
Some clients will demand a minimum level of compliance with a set of security standards before using a given service. Typically, MSPs will send out a security questionnaire to query their vendors about things like security practices, approach to patching and the apparatus they have in place to make sure they operate in a safe manner.
This approach is necessary, but tedious for everyone involved. The vendor has to answer the questions and the MSP has to review the answers to make sure the company is in compliance with the best practices you’ve defined. It’s sometimes hard to prove whether vendors are being truthful. It’s also hard to know whether they will remain compliant.
Making it easier to measure risk
One way to ensure compliance is to provide an automated approach to security questionnaires. There are a number of companies offering automated ways to help you make more informed decisions about the compliance of a particular vendor.
One is SecurityScorecard, which uses publicly available information to help measure whether a vendor is running the service in a generally secure way. The company has records on over 2 million organizations. It uses all of this information to give each company a grade based on how secure it is.
If your vendor has an A or B, chances are you can trust them to be secure, whereas a C or lower raises a red flag, indicating that it has work to do. Every vendor can see its own report card for free along with advice on how to improve that letter grade.
Kintent, another early-stage startup, checks a company’s systems for compliance with a given set of security policies. It then issues a report outlining where it complies, where it doesn’t and how to improve the position. As an MSP, you can request the company run a report against your set of policies. If you have them run the test on a regular basis, you can help ensure the vendor remains in compliance over time.
These are just a couple of examples. Other security-rating companies include BitSight Security Ratings Platform and FortifyData Cyber Risk Scoring Platform. Do your homework and find the system that works best for you. Having an automated way to check security can help protect you and your clients from unnecessary risk that you could otherwise control.