Before things went all COVID on us, this episode was already planned. It may be even more worthy of an episode now. Have you been evaluating your MSP's response to the current state of your business? We knew there were some MSP issues in 2019, but now, in 2020, you need a reliable, trusted MSP partner more than ever. What do you need to know about your tech needs, your MSP, and how you both plan for the future?


A 5 star review is all we ask from our listeners.

In this episode:

Evaluating MSPs – Ep 252

The HIPAA Boot Camp

2020 Session Dates

August 18, 19, 20

Tucker, GA

2020 Fall Session Dates

Sept 15, 16, 17

San Pedro, CA

For info go to TheHIPAABootCamp.com

Registration Form


Share Help Me With HIPAA with one person this week!

Thanks to our donors.  We appreciate your support!

 If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com.

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

Evaluating MSPs

An article was published about a talk the Louisiana Secretary of State gave in January, “Louisiana Criticizes MSP Industry’s Security Practices; Employs MSSP,” that had some tough things for MSPs to hear. Its first paragraph was as follows:

Many MSPs (managed IT services providers) are dropping the ball on cybersecurity, leaving elections open to the threat of cyberattacks, Louisiana Secretary of State Kyle Ardoin warned peer government leaders on January 31.

MSSP Alert

MSSP Alert picked up the original story from State Scoop, and that article shows a room full of leaders from various states, because the talk was given at a meeting of the National Association of Secretaries of State. Yes, they all heard what happened to Louisiana over the summer, when several government agencies and schools were hit by a ransomware attack, plus a follow-up ransomware attack on agencies in November. Secretary of State Kyle Ardoin didn’t seem to pull any punches, based on the quotes in the State Scoop article.

Firewalls and system patches and antivirus: what used to be sufficient for MSPs, they are no longer. As attacks grow more sophisticated, many MSPs have not been upfront with their clients about the need to invest more in security. This leads to serious problems for their clients, and the MSPs themselves.

Kyle Ardoin, Louisiana Secretary of State

He explained that his office now uses an MSSP. David has been doing that work for some time: he saw the need to step up security and made the switch. Yes, it is more expensive, but as Ardoin told the group, “election officials need to fight for more IT security funding,” closing with a statement that sounds eerily familiar to our listeners.

It’s not about saving money, it’s about protecting systems.

Kyle Ardoin, Louisiana Secretary of State

While this discussion was about elections, we know the same principle applies in banking, healthcare, fintech, and much more. This message should be heard by every business out there, regardless of industry or size. You should evaluate your risks and address the security requirements on your networks. That includes evaluating your MSPs or MSSPs, because they clearly don’t have things covered the way many people believe they do or should.

While we were discussing this topic, another discussion came up in a forensics group. The unnamed group said the following:

Just finished a pen test of an MSP that supports banks. We were able to phish the VP of compliance and get his 2FA code. Found the FTP creds for the payment processing systems of all of their clients in an Excel sheet in SharePoint, with the directions for formulating the username.

So that brings us to the point of the episode: how do you go about evaluating the MSPs or MSSPs you use or are considering using? This is where David gets to drop some knowledge on us all. Check out the full session on this at the SMB Cybersecurity Summit, where he discusses evaluating MSPs in his session with William Price of Cyberx.

Things You Need To Have Clarity On Before Evaluating MSPs:

  • What Are Your Wants/Needs?
  • What Is Your Total IT Budget?
    • Average 14%
    • 11% Security
  • What Are Your Expectations?
  • What Risks Does The Vendor Bring Into Your Org?
  • Do You Have A Vendor Security Assessment?
  • Do You Truly Understand Your Industry’s Requirements For Privacy And Security?


Things The MSP Must Have Clarity On:

  • What Are Their Differentiators?
  • What Services / Security / Solutions Do They Provide?
  • What Are Their Expectations For You?
  • What Risks Do They Bring Into Your Org?
  • What Do They Do To Stay Educated?
  • How Do They Ensure The Security Of Your Business?

Things To Look For When Evaluating MSPs:

  • Tenure In Industry And Space
  • Understand The Bigger Picture
  • Follow Proven Cybersecurity Frameworks
  • They Have Proper Insurance
  • They Have A Formal & Comprehensive Agreement
  • They Have An IR/BC Plan
  • Submit To A Vendor Assessment
  • Provide Proof Of Concept
  • Does The Vendor Truly Understand Your Privacy And Security Requirements In Detail?

Things To Expect:

  • Communication
  • Documentation
  • Technical Reviews
  • Periodic Assessments
  • Action Plan / Roadmap
  • Identify, Protect, Detect, Respond, Recover

David’s list applies to him, too. Don’t hesitate to ask these questions of your current MSP after you have asked yourself what you really need. Even if you feel certain your current MSPs have security and HIPAA handled, it is better to document that you checked.

Just as the article discussed what Louisiana learned about cutting corners with their MSPs, or by their MSPs, it isn’t about saving money, it is about protecting systems. After what we have all been through in 2020, it is clear that technology is officially the backbone of business today. If you could not run your business via technology, the business was pretty much shut down completely without people onsite; otherwise, technology allowed businesses to continue operating during social distancing. As we move forward, evaluating MSPs for your business will become a necessity, both to keep the ones you work with now and when you are selecting a new one.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps; we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.