The recent 3CX breach awoke many managed service providers (MSPs) to the harsh reality that they’re only as secure as their most vulnerable vendor. In what seems to have been a targeted attack against crypto companies, hackers hid their code in the installer for 3CX’s VoIP application as a trojan horse for distributing information-stealing software to the company’s customers.
MSPs increasingly rely on third-party vendors for tasks such as cloud services, data storage, payment processing, and telecommunications, but this dependence on third-party vendors brings its own risks that MSPs must manage.
Apptega’s chief executive officer, Armistead Whitney, recently spoke with Andrew Morgan of Cyber Nation about how to best approach vendor risk management. You can listen to the full conversation here.
1. Critical Vendor Identification
The first step toward proper vendor risk management is for MSPs to identify their critical vendors and prioritize them based on their importance to business operations. A comprehensive identification process is vital to ensure that all critical vendors are accounted for. Whitney emphasizes the importance of this step by saying, “You need to identify those hardware and software vendors that have any type of access to your data. Create a list, even if you're not sure really where their touch points are, and then you'll create an assessment.”
2. Executive Buy-In
Once the critical vendors have been identified, MSPs must secure executive sponsorship for the vendor risk management effort. This encourages buy-in from all stakeholders, helps confirm that the effort is adequately resourced, builds trust internally, and shows customers that vendor risk management is taken seriously.
3. Vendor Identification and Categorization
The next step is to identify and categorize third-party vendors. Determining which vendors have access to which data helps to prioritize them accordingly, and with the increasing use of third-party software and apps, this identification process is critical to ensure that all vendors are accounted for.
4. Risk Assessment
The risk assessment stage is arguably the most important because it identifies potential vulnerabilities. MSPs must develop a vendor questionnaire and start with basic questions regarding the vendor's software development process, security training, vulnerability management, and incident response plan. This information will help MSPs assess the vendor's cyber maturity level and prioritize risks accordingly.
In the risk assessment stage, MSPs should also investigate their vendor's approach to and culture around security. This includes looking at how they approach vulnerability management and patching, their approach to penetration testing, and their incident response plan. The vendor's response to these questions speaks volumes about their maturity and prioritization of security. If the vendor is slow or hesitant to respond, that is a huge red flag.
5. Long-Term Monitoring
Finally, MSPs must develop an ongoing monitoring process to ensure that risks are continually assessed and mitigated. This includes regular assessments of the vendor's security posture and infrastructure changes that may impact the risk profile. In this same vein, Whitney says it is essential to “really understand the vendor’s software development lifecycle because understanding the vulnerabilities around software development starts with knowing how they approach developing software.” It's also important to know that vendors are regularly testing their software for vulnerabilities and performing regular code reviews. Vendor risk management and cybersecurity are not one-off tasks. They must be ongoing and comprehensive.
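The five steps above describe one procedure: build the vendor list, record what data each vendor can touch, score the questionnaire answers, flag slow responders, and feed the result into an ongoing review schedule. The script below is an added illustration of how an MSP could keep that inventory in code so the prioritization is repeatable rather than a one-off spreadsheet. It is not Apptega's tooling or anything from the article; the access tiers, weights, questionnaire keys, the 30-day response threshold and the four sample vendors are all constructed assumptions chosen to show the mechanics.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed data-access tiers, weighted by how much a compromise of that vendor
# could expose. Higher tier = larger blast radius.
ACCESS_WEIGHT = {
    "none": 0,                  # no access to MSP or customer data
    "metadata": 1,              # logs, ticket titles, billing records
    "customer_data": 3,         # customer files, call records, backups
    "credentials_or_admin": 5,  # RMM, identity provider, payment keys
}

# Questionnaire items modelled on the topics the article lists: software
# development lifecycle, security training, patching, pentesting, IR plan.
QUESTIONS = ("sdlc_documented", "security_training", "patch_sla",
             "pentest_annual", "ir_plan")

RESPONSE_DEADLINE_DAYS = 30  # assumed: slower than this is treated as a red flag


@dataclass
class Vendor:
    name: str
    access: str
    # question -> True (satisfactory), False (unsatisfactory), None (unanswered)
    answers: Dict[str, Optional[bool]]
    days_to_respond: Optional[int]  # None = never responded


def maturity_score(v: Vendor) -> float:
    """Fraction of questionnaire items answered satisfactorily."""
    return sum(1 for q in QUESTIONS if v.answers.get(q) is True) / len(QUESTIONS)


def risk_score(v: Vendor) -> int:
    """Exposure scaled by control gaps, plus a penalty for a slow or absent reply.

    A False or missing answer is a gap: an unanswered question is treated as a
    failing one, so a vendor cannot lower its score by leaving items blank.
    """
    exposure = ACCESS_WEIGHT[v.access]
    gaps = sum(1 for q in QUESTIONS if v.answers.get(q) is not True)
    score = exposure * (1 + gaps)
    slow = v.days_to_respond is None or v.days_to_respond > RESPONSE_DEADLINE_DAYS
    if slow:
        score += exposure  # the article's "huge red flag", weighted by exposure
    return score


def review_cadence(score: int) -> str:
    """Map a score to how often the vendor is re-assessed (assumed thresholds)."""
    if score >= 10:
        return "monthly"
    if score >= 5:
        return "quarterly"
    if score > 0:
        return "annually"
    return "onboarding-only"


def prioritize(vendors: List[Vendor]) -> List[Vendor]:
    """Highest-risk vendors first, so assessment effort goes where it matters."""
    return sorted(vendors, key=risk_score, reverse=True)


# Constructed sample inventory (not real vendors).
VENDORS = [
    Vendor("voip-provider", "customer_data",
           {"sdlc_documented": True, "security_training": True,
            "patch_sla": False, "pentest_annual": None, "ir_plan": True}, 45),
    Vendor("payment-processor", "credentials_or_admin",
           {q: True for q in QUESTIONS}, 7),
    Vendor("office-supplies", "none", {}, None),
    Vendor("backup-storage", "customer_data",
           {"sdlc_documented": True, "security_training": False,
            "patch_sla": True, "pentest_annual": True, "ir_plan": False}, 10),
]


if __name__ == "__main__":
    for v in prioritize(VENDORS):
        s = risk_score(v)
        print(f"{v.name:18} access={v.access:22} maturity={maturity_score(v):.1f} "
              f"risk={s:2} review={review_cadence(s)}")
```

Note that the payment processor, with perfect answers, still lands on a quarterly cadence purely because of its access tier; the model deliberately never lets good paperwork reduce a high-exposure vendor to an annual check. The VoIP provider outranks it despite lower access because it carries two control gaps and missed the response deadline, which is the combination the article singles out.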
Protect Your Business
Vendor risks are at the top of the list of breach concerns, so vendor risk management is a critical aspect of cybersecurity that MSPs must handle proactively to ensure the safety of their data and infrastructure. By following this process, MSPs can effectively manage vendor risks and mitigate potential threats.