Shelly Barnes

As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks.

Jen Easterly
Director, CISA

With the rise of malicious cyber activity targeting IT managed service providers (MSPs), the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI recently partnered with many other international cyber authorities to release a Cybersecurity Advisory and Actions alert. We believe that MSPs and their enterprise clients must take note and act to reduce their risk and secure their environments against these growing cyber threats.

MSPs provide services that usually require both trusted network connectivity and privileged access to customer systems. Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector into multiple victim networks, with potentially globally cascading effects.

There are a number of key actions and contractual considerations that enterprises can take now, in coordination with their MSPs, to protect against cybersecurity threats. For example:


Identity and access management (IAM)

Audit and clean up privileged access:

Apply the principle of least privilege

Consider use of time-based privileges

MSP accounts should only have access to services/resources being managed by them

MSP accounts should not be assigned to internal administrator groups


Multi-factor authentication (MFA)

Adopt and enforce MFA across all services, products, and locations where possible to strengthen authentication and prevent password breaches.


Monitoring & logging

Implement a comprehensive security event management system:

Enable monitoring and logging of provider-managed client systems and networks

Client notification of security events and incidents occurring on the provider’s infrastructure and administrative networks

Review logs for unexplained failed authentication attempts

MSP accounts should be properly monitored and audited
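
As an added illustration (not part of the advisory or of any vendor tooling), the Python sketch below applies the IAM rules and the failed-authentication review listed above to a small constructed inventory. The `msp-` account prefix, group names, hosts, log layout and alert threshold are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data (assumptions): "msp-" prefix, group names, hosts, log layout.
INTERNAL_ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
MSP_MANAGED = {"backup-srv01", "fw-edge01"}  # resources the MSP is contracted to manage
GRANTS = [  # (account, group, resource, expiry as ISO 8601 or None)
    ("msp-ops1", "Backup Operators", "backup-srv01", "2030-01-01T00:00:00+00:00"),
    ("msp-ops2", "Domain Admins", "dc01", None),
    ("msp-net1", "Firewall Admins", "fw-edge01", None),
    ("alice", "Domain Admins", "dc01", None),
]
AUTH_LOG = [  # "<time> <account> <OK|FAIL> <source address>"
    "2024-05-01T02:10:01+00:00 msp-ops2 FAIL 203.0.113.7",
    "2024-05-01T02:10:04+00:00 msp-ops2 FAIL 203.0.113.7",
    "2024-05-01T02:10:09+00:00 msp-ops2 FAIL 203.0.113.7",
    "2024-05-01T08:00:00+00:00 msp-ops1 OK 198.51.100.20",
    "2024-05-01T08:05:00+00:00 msp-net1 FAIL 198.51.100.20",
    "2024-05-01T09:00:00+00:00 alice FAIL 10.0.0.5",
]

def audit_grants(grants, now):
    """Return (account, issue) pairs for MSP grants that break the IAM rules."""
    findings = []
    for account, group, resource, expires in grants:
        if not account.startswith("msp-"):
            continue
        if group in INTERNAL_ADMIN_GROUPS:
            findings.append((account, f"in internal administrator group {group}"))
        if resource not in MSP_MANAGED:
            findings.append((account, f"access to unmanaged resource {resource}"))
        if expires is None:
            findings.append((account, "standing privilege, no expiry set"))
        elif datetime.fromisoformat(expires) <= now:
            findings.append((account, "grant past its expiry"))
    return findings

def failed_auth_alerts(lines, threshold=3):
    """Return (account, source) pairs with at least `threshold` failed MSP logins."""
    fails = Counter()
    for line in lines:
        _ts, account, result, source = line.split()
        if account.startswith("msp-") and result == "FAIL":
            fails[(account, source)] += 1
    return sorted(pair for pair, n in fails.items() if n >= threshold)

if __name__ == "__main__":
    now = datetime(2024, 5, 1, tzinfo=timezone.utc)
    print(audit_grants(GRANTS, now), failed_auth_alerts(AUTH_LOG))
```
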


Tighten network security

Identify, group, and isolate critical business systems:

Client data sets and services should be segregated from each other, as well as from internal company networks

Confirm the MSP performs reviews to verify all connections between internal systems, client systems, and other networks

Ensure management of identity providers and trusts between the different environments

Use a dedicated virtual private network (VPN) or alternative secure access method to connect to MSP infrastructure

Verify that the networks used for trust relationships with MSPs and any third-party service provider are segregated from the rest of their networks


System & data backups

Isolate backups, and regularly update and test:

Store backups separately and isolate them from network connections that could enable the spread of ransomware

Isolate backups to be able to restore systems/data to their previous state should they be encrypted with ransomware

For critical/sensitive data, maintain offline backups encrypted with separate, offline encryption keys


Incident response management

Implement and regularly exercise incident response and recovery plans:

Include a description of roles and responsibilities for all client and MSP stakeholders, executives, technical leads, and procurement officers

Maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible

Ensure these plans are tested at regular intervals


Supply chain management & MSP contract management


Understand the end-to-end supply chain:

Organizations should proactively manage the supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources

Understand the supply chain risk associated with your MSP, including risk associated with third-party vendors or subcontractors


Review your MSP contract and address any gaps such as:

Specific performance-related service level agreements

Clarity and delineation of operational IT services and security services

MSP’s incident response responsibilities, warranty information, compensation for service outages, and plan to provide continuous support during a service outage

Complete Software Bill of Materials (SBOM)

Understanding of data segmentation from other clients on MSP’s networks

In summary, customers and their MSPs should examine their overall cybersecurity risk profile (combined and separate) and develop a plan to address areas of vulnerability. MSP customers should especially ensure their contractual arrangements specify that their MSP implements appropriate measures and controls aligned with their business’s security requirements.

Wavestone Cybersecurity and Digital Transformation experts are ready to work with your organization to assess your risk profile and build your program to fortify your defenses against an attack.


Shelly Barnes

Shelly Barnes is a high-performing, entrepreneurial-minded executive with over 20 years of demonstrated success in leading IT sourcing transitions and transformations, M&A integrations, organizational change management, ITIL and ITSM maturity and complex program execution. She possesses deep experience in IT operational improvements, financial governance, MSP & vendor management, and security risk compliance across multiple industries including healthcare, mining, high technology, hospitality and travel, managed services, financial services, management consulting, manufacturing, construction, retail, and utilities.
