When it comes to ensuring strong cybersecurity protections, it isn’t enough to look only inside your organization. Organizations should also ensure that tightly integrated third parties, such as managed service providers (MSPs), meet high standards of cybersecurity excellence, or risk those partners becoming a new attack vector into their organization.
Attacks on MSPs have been on the rise in recent years, with attackers exploiting weaknesses in MSP systems to reach high-value clients. This type of attack is so effective because MSP services require administrative access to client systems: a compromised MSP gives attackers privileged access to the systems of many clients, whom they can then target by moving down the supply chain.
For this reason, many organizations are requiring their MSP partner to undertake a SOC2 certification based on the American Institute of Certified Public Accountants (AICPA) Trust Services Categories (TSCs). The designation is provided by an independent certified public accountant, who certifies that the firm has met the internal control requirements of the standard for a minimum of six months.
SOC2 compliance helps provide cybersecurity assurances to professional services firms and other companies that may look to work with an MSP. It differs from a SOC1 audit, which focuses primarily on an organization’s controls relevant to financial reporting. SOC2 is broader: it helps companies ensure they meet risk management requirements around cybersecurity, and it is more tailored to third parties such as MSPs, cloud service providers, and similar organizations.
The standards for SOC2 compliance are stringent and must be maintained for a minimum of six months. The framework criteria center on securing IT systems and ensuring digital privacy. Many of the requirements concern reliability, including protecting systems against unauthorized access, maintaining uptime, and maintaining integrity in processing. In addition, SOC2 compliance requires the MSP to uphold strong security protections for its processes, including ensuring the confidentiality of information and the privacy of personal information.
Companies with an existing MSP relationship should evaluate whether their current provider meets these standards or is on a path to achieving them in the near term. If not, an organization may want to consider switching to a different MSP, particularly if cybersecurity is a top priority or is required by regulatory bodies. Those who aren’t already signed on with an MSP should look for SOC2 certification before moving forward.
While even the most stringent certification cannot guarantee that an organization won’t be hit by a cyberattack, it can certainly help mitigate some of the risk. With attacks on the rise around the world, it’s a smart move for any organization to ensure that its own systems, as well as those of its trusted partners, are secured.