The role of cyber insurance when using managed service providers
As businesses become more reliant on digital technologies, they are increasingly turning to managed service providers (MSPs), also known as technology providers, to help them harness greater administrative efficiencies, remain competitive and gain market share. In fact, a 2019 survey [1] by the Australian Bureau of Statistics found that 50.1% of small businesses and 65.7% of medium businesses in Australia use an external cloud service provider.
Understanding the potential cyber exposures when using MSPs
There is no doubt that MSPs can offer your business access to quality services and platforms in a cost-effective way, removing the need for companies to invest heavily in establishing these from the ground up. However, using MSPs does not come without material risk. These third parties manage sensitive client data, supply foundational software platforms and often have privileged access to their customers’ systems. This makes them an attractive target for cyber attacks – and by targeting a single technology provider, the potential victim pool is significantly larger. A study [2] by Soha Systems found that ‘63 percent of all business data breaches resulted either directly or indirectly from access via third parties, such as outsourcing contractors and suppliers’.
Cyber attacks can be disruptive, expensive and damaging to your business’s reputation. It is critical that you consider the cyber risk exposure that could arise from using an MSP to manage your data, especially if your MSP has access to your business’s IT systems. Cyber attacks targeting MSPs are generally outside of your business’s control, yet they can directly and seriously affect your business financially, operationally and reputationally.
Because all eligible data breaches must be reported under the Notifiable Data Breach scheme to the regulator (Office of the Australian Information Commissioner) as well as affected individuals, a breach can leave your business exposed to potential regulatory actions if MSP requirements are not complied with.
An MSP incident [3] involving a software company was reported in 2021, when it was discovered that threat actors had used the company’s software platforms to deploy malware to its extensive client base, which consisted of federal agencies and private sector businesses. The exposure arising from third-party technology providers is so significant that the Australian Cyber Security Centre published a case study [4] of an Australian company that had been compromised via its MSP, outlining the key findings and mitigation strategies in a detailed document.
The role of cyber insurance
A cyber insurance policy is an extremely valuable risk transfer tool for any business. Just as you rely on MSPs for their specialist services, one of the most valuable components of cyber insurance is priority access to specialist vendors who can assist in containing and managing a cyber incident. Having immediate guidance from experienced professionals can help protect your business’s reputation and finances, and can help minimise any damage or disruption from the cyber attack.
With a cyber insurance policy in place, access can also be made available to cybersecurity training modules and risk awareness videos as part of your business’s policy, helping your business and your team to identify and prevent cyber attacks.
Proactive steps SMBs can take to minimise their risk
MSPs and the services they provide are invaluable for businesses like yours. To help mitigate the risk involved, take some proactive steps:
- Don’t share more data and administrative access than necessary.
- Ensure that third parties have unique accounts that can be tracked, monitored and access removed if necessary.
- Regularly upgrade your business applications to implement important security updates and patch applications to protect against known software vulnerabilities.
- Conduct frequent cybersecurity training for all employees covering effective cybersecurity practices, common threats to be aware of, and how attacks can occur.
Holistically evaluate:
- Which third parties currently have access to your business data and systems?
- What data and systems do they have access to?
- Why do they have access?
- When does your business regularly review this access to ensure it is secure and still necessary?
Enquire with your third-party service providers about their cybersecurity practices including network security, compliance with industry standards, employee training, risk monitoring, contingency plans, data privacy and application security.
Determine what business data is more sensitive if stolen, versus other data that may be more disruptive if unavailable. This assessment will help you determine the potential risk level that each MSP has to your business.
Ensure that multi-factor authentication is enabled by both your business and third-party service providers.
Reach out to experts in the field of cyber security consultation and cyber risk insurance to provide additional professional assistance, if required.
The cyber threat landscape is complex and rapidly evolving, meaning that no business – large or small – is safe from cyber threats. If you use digital technologies in any way in your business, you should consider seeking advice from a broker with cybersecurity expertise who can help you assess whether you have the right cyber security cover for your business, and put risk mitigation plans in place.
[1] Australian Bureau of Statistics, 2019, Characteristics of Australian Business, 2017-18 financial year
[2] Soha Systems, 2016, Third party access is a major source of data breaches, yet not an IT priority, Report_1.3 (squarespace.com)
[3] Solarwinds, 6 April 2021, Solarwinds security advisory
[4] Australian Cyber Security Centre, 2018, MSP investigation report