How to audit an MSP

More and more businesses are outsourcing their cybersecurity to Managed Service Providers (MSPs), but just how do you know whether they themselves are cyber secure?

How risk tolerant are you?

Before outsourcing your business's cybersecurity to an MSP, you need to assess what your risk tolerance is.

If you’re a business that doesn’t handle a lot of sensitive data or carry out financial transactions, then you’re likely to have a high risk tolerance, meaning that any aspect of your security can be outsourced.

On the other hand, if your business is supplying to government agencies, your risk tolerance will be low.

Many government organisations now require suppliers to prove that they take cybersecurity seriously and will insist on them at least having Cyber Essentials certification. Any MSPs they use will likely have to be government approved too.

Check yourself

It’s a good idea to get an overview of your own security posture so that you can see which areas need improvement.

Using CyberScore™ on your networks, for example, will allow you to tell an MSP which areas they should focus on, allowing you to make better use of your budget.

Auditing your own organisation’s internal data allows you to identify which is most sensitive and crucial to day-to-day business activity. This also allows you to identify what should be outsourced and to whom.

Other factors to consider include finding out where your MSP stores its data. If it’s stored in Europe, for example, then they will be subject to the EU’s GDPR legislation.

Auditing an MSP

The best way to get a clear overview of an MSP’s cybersecurity posture would be for them to run CyberScore™ on their networks. This benefits both parties, as it will also allow the MSP to spot any vulnerabilities they may have.

The tiniest details can say a lot about their standard of security.

For example, did they contact you about their services via a business email or a personal one?

Getting independent references from the MSP’s other or former customers is a good way of seeing whether their service is up to scratch.

As part of your due diligence, you should also research the MSP in question. Are there any negative stories in the media? Has it suffered a breach in the past?

You can easily see if an organisation has, for example, Cyber Essentials certification by visiting the NCSC website.

Always check the small print

One thing the recent data scandals that have hit the headlines over the past year have shown is that you should always read the small print before agreeing to anything.

An MSP might collect large amounts of your data without you realising in order to do its job. Reading a contract can also reveal any other potential security vulnerabilities, such as whether the MSP will make copies of your data.

It’s a good idea to ensure that an MSP cannot gain access to any sensitive data or systems.

We can also help MSPs!

XQ Cyber also supports MSPs as well as end clients, and offers a range of incident response and consultancy services such as Penetration Testing, Cyber Posture Assessments and Incident Response preparedness and testing.
