Should you rely on your MSP to keep you secure?

A recent article from ConnectWise suggested that around 73% of SMBs aren’t fully confident in their Managed Service Provider (MSP) to defend them from a cyber-attack.

Although this is a shockingly high number, perhaps it shouldn’t be a total surprise, given that IT and cyber security require largely different skillsets, tools and operational models.

However, given the critical role cyber security plays within the wider realms of IT, it should be a prerequisite for any MSP to have a strong capability in cyber security.

Should your MSP be providing cyber security as part of your managed IT service?

Yes, your MSP should embed security into everyday IT actions, decisions and strategy, but you shouldn’t expect your MSP to manage your security. It’s important to understand the difference.

For example, you should expect your MSP to make conscious security-related choices based on a Zero Trust model when carrying out common IT activities such as configuring Microsoft Entra, making changes in Azure, setting up device compliance policies or configuring Conditional Access. Rather than thinking of security as just firewalls and endpoint protection software, consider that security expertise often plays out through the small, everyday IT management choices that add up to a safer and more secure environment.

This doesn’t mean that a managed IT service is a security service that promises to secure every detail by default, but any technical decision should be secure by design.

David Howell, Head of Infrastructure at Chorus, described it this way:

Everything we do is very cohesive, taking customers through the Microsoft 365 transformation journey. The undercurrent of security really binds everything together now. Our knowledge of that is very, very good, and we’ve got a really mature and long-standing position on how we approach environment management.

This mindset means that, even when we’re not delivering a dedicated security service (which we do also offer), we’re still helping customers make informed decisions that can reduce risk and improve resilience.

Managing your cyber security would require a different type of service, known as a managed security service. This is a separate service, because it requires a different suite of technologies, people and processes. From XDR and SIEM tools, to the different types of expertise and roles such as Security Analysts and Security Automation Engineers, a managed security service would usually be a separate but complementary service to your managed IT service.

MSP vs MSSP: Comparison

| Area | MSP (Managed Service Provider) | MSSP (Managed Security Service Provider) |
| --- | --- | --- |
| Primary Focus | IT support, IT operations, and infrastructure | Cybersecurity monitoring, security management, and response |
| Core Services | IT support desk, device management & endpoint support, infrastructure & cloud management, network management, third-party vendor management, IT hardware & software procurement | Threat detection, threat hunting, incident response, vulnerability management |
| Security Capabilities | Basic security (MFA, antivirus, firewalls, patching etc.) | Advanced security (24/7 monitoring, SOC, MXDR, MDR, SIEM & SOAR) |

Why can’t our MSP manage our cyber security as well as our IT?

Many MSPs struggle to manage both IT and security for customers, which often reflects the high level of investment (both financial and technical) needed to build the Security Operations Centre (SOC) function required to deliver a managed security service.

Despite the challenges, there are still many MSPs in the UK that do offer both managed IT services and managed security services, positioning themselves as both MSP and MSSP (Managed Security Services Provider), as we do here at Chorus.

How does Chorus support customers with cyber security?

At Chorus, we have deep security knowledge, particularly within Microsoft Security. As a result of our expertise, we are proud to be members of the Microsoft Intelligent Security Association (MISA), which only a few hundred partners globally are part of. On top of this, our managed security services are Microsoft-verified, attesting to their quality. Our security expertise often informs the way we approach managed IT services, while we also offer cyber security consulting and managed security services (such as MDR and MXDR) for those who want continuous threat monitoring, detection and response.

What are the security benefits of working with Chorus without a dedicated security service?

For many of our IT customers, their first experience of the additional value our security expertise adds is through the IT support onboarding process.

Our process includes a review of the current environment, a risk register, and recommendations for improvement. As Hanna Drew, IT Operations Manager, puts it:

A massive win from the onboarding activity is a better understanding of the risks, and the projects that can increase the security of their estate, even if they don’t want to go down the full managed security route.

Lee Shephard, Senior Technical Consultant, echoed the improvements that come with onboarding customers who’ve previously been with other IT providers:

Our baseline security posture is more robust than a lot of the other MSPs’ deployments that we see coming in. We don’t leave clients in the state we find them in; we bring them up to best practice.

As David Howell, Head of Infrastructure, also highlighted:

Any configuration we put into a customer environment is going to be in line with Cyber Essentials. Because we have customers that have achieved and maintain Cyber Essentials and Cyber Essentials Plus, all our configuration for any client will be in line with that.

We ensure that any configuration we put into our customers’ environments is in line with Cyber Essentials. However, this doesn’t mean you will achieve the certification automatically. Attaining Cyber Essentials is a process and something we encourage all customers to work towards. We’ve helped many customers achieve Cyber Essentials or Cyber Essentials Plus with our Cyber Essentials expertise. Learn how we helped an international pharmaceutical company achieve Cyber Essentials as well as providing them with managed IT and security services.

So, should you rely on your MSP to keep you secure?

In summary, your MSP should be able to help contribute to your security, but you shouldn’t rely on them to keep you secure just through a managed IT service. You’d want to add a dedicated managed security service if you’re looking for someone to take accountability for your overall security and to proactively monitor, detect and respond to cyber threats on your behalf.

It’s important to remember that not every IT provider has the same depth of security experience, and that MSPs will often claim a higher level of security expertise than they actually have, due to market demand and their customers’ requirements.

How should you choose a security-focused IT partner?

When choosing an IT partner, look for strong security accreditations that back up claims of expertise and experience, check whether the provider has its own dedicated Security Operations Centre, and consider the technology stack it specialises in.

For Chorus, our Microsoft-first approach and security credentials put us in good stead with organisations that want to protect Microsoft-centric IT environments such as Microsoft 365 and Azure. For organisations running on a non-Microsoft stack, there will be other IT and security providers better suited to manage that organisation’s security.

When choosing an IT partner for your organisation, remember that having security expertise “in the room” means that your MSP will be well-placed to help you navigate the ever-changing landscape of IT risk, making conscious, security-informed decisions that support your business’s ongoing success.

Next steps

At Chorus, we offer both managed IT services and managed security services (MDR & MXDR), with a focus on Microsoft solutions. Get in touch today to learn how we can help you with modern, secure IT services to protect your business and drive it forward.