Cyber Essentials: What to look out for when using an MSP

If you are looking to achieve Cyber Essentials for the first time, or you’re looking to renew your certification for another year, you as a business may be working with an external third-party IT company, a managed service provider (MSP) or a general call out technician to manage your businesses IT systems.

It is worth to note, that although this article will reference working with MSPs, this information will apply for any type of external third-party company who manages or works with your business IT systems.

So, when it comes to achieving Cyber Essentials using an external IT provider that maintains your IT, you will still need to ensure that you have full control and responsibility over the security of your environment, regardless if this is outsourced to someone else.

As part of this process, you will need to ensure that your MSP implements the five key Cyber Essentials controls correctly throughout the management of your systems. This will also include the management of administrative accounts which are used and we’ll discuss later in this article.

Before you look to either start or renew your certification, you should ensure that the key controls have been implemented and maintained before you complete the Cyber Essentials certification, as you will need to certify that what has been submitted is true, this will be via a digital signature from a member of the leadership team.

When working together, you and your MSP will need to ensure that your business meets the five controls at a minimum, these are:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Security Update Management

One area that I’ve seen over the years as an assessor is that MSPs tend to use shared administrative accounts for businesses management. By working this way, it allows the MSP to have their staff use a single administrative account thereby reducing the amount of overhead.

However, under Cyber Essentials you should not share administrative accounts when working with your business. Some businesses think that this only relates to the business under certification, however it also applies to MSPs which manage and control the systems to your business.

To help with knowing how has access to your systems, especially administrative accounts, you should ensure that you track who has access to your administrative accounts and systems, even if you have given full control to the MSP.

You should know who within the MSP has access to your information, this can be done in several ways, but it could be in a formal of a monthly or quarterly report from the MSP to you. It could state what accounts they have, what access they have access to and who has access to the accounts.

When using a MSP for the management of your systems, you should ensure that they review the Cyber Essentials: Requirements for IT infrastructure document, as this details what is required for the protection of the businesses IT and associated systems. It also includes sections on what is required for home workers, wireless networks as well as the five controls which we’ve discussed.

As a last point of reference, if you are looking to work with a MSP, or already do work with one, we recommend that the MSP in question has already achieved Cyber Essentials themselves as this gives you the piece of mind that they understand the controls and what is required to protect the business.