Cyber-attacks through outsourced IT

26 March 2020

We are responding to a large number of urgent requests for clients who have been victims of cyber-attacks and the common fault can be attributed to trusted third party service providers. As we quickly change our working environments and rely on IT service providers, we need to be vigilant.

Outsourcing an IT function to a Managed Service Provider (MSP) may offer many benefits to an organisation including, relying on their knowledge, experience, technical capability and providing a support model which is suitable to the organisations requirements and budget. Our experience is that outsourcing your IT function does not outsource your risk of cyber-attacks.

The recent cyber-attack investigations confirm that many businesses misunderstand the services being provided by their MSP. In a number of cases, the client assumed that security was not their responsibly and believed it was covered under the service agreement or contract (even when the agreement clearly stated that it was not).

Main issues identified

Through our investigations of recent cyber-attacks, more than half have been a direct result of poor practices of MSP’s that have included:

  • Failure to implement Multi-Factor Authentication (MFA) on Office 365 accounts;

  • Enabling remote connection to a server, with an Administrator account using unsafe passwords, for example ‘Password1”;

  • Ignoring security alerts of a user logging in from remote locations, such as Nigeria and Bulgaria on the same day; and

  • The same password being used across more than 20 accounts.

As we respond to an increase demand on IT resources in responding to the impact of COVID-19, where an organisation outsources their IT function, considerable thought needs to be given to the following:

  • Does the MSP offer your organisation ‘security’ as part of their service offering and what do they do to detect and protect you from internal or external threats?

  • Has the MSP built enough resilience into your IT environment if you become the target, or worse, a victim of a cyber-attack?

  • Is your MSP delivering on their contract terms and are they compliant as per their Service Level Agreement?

Being proactive and addressing the risk

All organisations should be pro-active in regularly assessing and reviewing their Managed Service Providers. Key matters to consider in this time of unprecedented change to our work and home environments include:

  • Scrutinising your supplier agreement, ensuring you ask questions if you are unsure of the services they are providing;

  • Asking your supplier what they are doing to prevent a cyber-incident;

  • Providing clarity around what IT security you expect your supplier to provide; and

  • Ensuring the contract allows a ‘right to audit’ clause and some form of response capability.

Critically, should you suspect that you have been subjected to a cyber-attack, you should contact specialists who will advise of the immediate steps to take to minimise the potential impact.