Are your data and IT systems safer hosted by a Managed Service Provider or better kept in-house?

A growing number of businesses are utilising a Managed Service Provider (MSP) for their IT requirements, including cloud space, firewall management and patching. Our latest article provides advice on how you can ensure your MSP is protecting your business’s IT assets.

A Managed Service Provider (MSP) can be a cost-effective and efficient solution for a growing number of IT needs, with on-site servers increasingly becoming a thing of the past. Whilst avoiding significant initial capital expenditure on servers, backup systems, licences and warranties can be an appealing prospect for a business, using an MSP has its downsides, because a third party becomes responsible for your IT assets and customer data.

For some, this may be a further appeal, with MSPs offering sophisticated protection against malware, ransomware, hackers and even promising to ensure your data is held in line with GDPR. But in reality, will a large MSP with thousands of customers react in the same way as you do to protect your data in the event of an attack or breach? Will they resolve things as urgently as you need them to?

Things to consider when you use an MSP:

  • What are your contract terms? It is highly likely that you have agreed that, in the event of significant downtime, their only liability to you is that you don’t have to pay their storage fees.
  • What would you do if the server on which your data/website/processing is held at the MSP suffered an attack? Do you have a backup at another MSP and can you move your systems to it with ease?
  • Does your MSP update regularly with patches against the latest ransomware? A number of MSPs have recently been infected by the Sodinokibi ransomware variant which exploited a vulnerability in their servers.
  • How easy is your MSP to contact? If your servers went down, could you contact them as easily as your local IT provider and what are your SLAs for fixes?
  • Where is your data actually being held? Is it being held in line with the requirements of your cyber insurance and GDPR compliance?

The answers to these questions should be weighed up against the level of control you have when using your own servers. You would retain control over your own security and, in the event of downtime, you would have more control over the remedial work, how long it takes and its prioritisation over other matters.

There is no question that MSPs serve a valuable purpose for businesses in terms of expenditure and maintenance of hardware. However, it is a dangerous misconception that systems and data held elsewhere are not as vulnerable to attack as your own servers. Similarly, as a business you are just as responsible for losses of and breaches to personal data held on a server at an MSP as you are for data held at your own office, and you would need to report this to the ICO in the same manner.

Cyber and Data Insurance can provide protection for losses arising from MSPs as a result of ransomware, malware or hacking. A Firth & Scott client who utilises a global, well known MSP for their e-commerce website suffered a loss as a result of malware being injected into the MSP’s host server. The MSP shut the server down as a precaution and our client had no website for two days whilst they moved to another provider. The MSP initially provided no information as to why the server was down, but our client’s Cyber insurers still provided assistance in case it turned out to be a cyber incident and helped them discover the cause of the loss. Within a month of the attack, our client received a settlement of £25,000 for the loss of profits in the 2 days they were without their website. Fortunately, there was no breach of data which needed to be notified to the ICO; however, this would also have been insured.

Cyber and Data risks are undoubtedly the fastest-growing area of risk in insurance, yet there is still very little awareness of the protection you can obtain for your business. Please do not hesitate to contact Stevie Jeffrey or Steve Allwright to discuss this further if you have any concerns.