Rubber Stamp time for MSPs
For those that don’t know or have not heard of the PDSC: it is the Police Digital Security Centre, established by the Mayor of London’s office in 2015 in conjunction with the Metropolitan Police. Its purpose is to educate London businesses on the risks they are leaving themselves open to, and the centre has now grown from an initiative based only in the capital to a UK-wide programme. It is tasked with awarding two certifications: Digital Security Provider and Digital Security Innovator.
The BSI has been around since 1901 and has been creating and certifying standards ever since, so the pedigree doesn’t go unnoticed. The BSI joined forces, pardon the pun, with the Police Digital Security Centre not only to certify but to help develop the standards that the new certification sets. Engaging the BSI rubber stamps the PDSC and the significance of such a certification.
Support Tree first engaged with the PDSC in 2019 to help solidify our position as a leader in the cyber security space for SMEs. The PDSC supported us with both new and existing clients in delivering the message of how critical it is to take steps to secure their businesses digitally. Having now worked together on 8 events, with a further 8 planned for 2020, we have got to know each other very well and built a great rapport between the teams. It has been during these meetings that we have helped the PDSC set the standards and determine some of the criteria for certifying a regulated organisation.
Having worked in the IT sector for more than 20 years, it has always frustrated me that we have no recognised body of the kind other professions have. Lawyers have the Law Society, surveyors have RICS and accountants have ACCA, all of which mean that the work performed for their clients is to a standard deemed acceptable. Why do they have these? Mainly to mitigate the risk of choosing the wrong provider. What does this mean? Take accountants: if they give you bad advice or operate poorly, the repercussions are fines and legal action. Take the Law Society: it ensures the client has peace of mind that their case and everything connected with it is handled with care and doesn’t leave them exposed. In IT, however, and specifically in cyber security, there is no governing body or set of minimum standards that providers must meet, and yet the trust given to us is huge: we not only hold the logon credentials to all systems, we also host the data. We must make sure our systems are effective, but we must also ensure our processes are right and our staff are vetted and working to these standards. When you consider this, it is crazy that the due diligence checks are left to the client who has engaged the provider, because the client knows less about these aspects than the provider does: a catch-22. So it is with huge relief that we are now engaging with a governing body that will separate the wheat from the chaff.
A quick case study… At Support Tree we have had first-hand experience of the lack of care some MSPs take when it comes to cyber security. About 18 months ago we started onboarding a new client, and as it happens this client was required to comply with certain regulations stipulated by the FCA. When starting an onboarding we request the current configurations, which include the logon details for the firewall. We received the information and were shocked to discover that the firewall logon was the default, “admin” and “admin”! The client had been working with the provider for more than 5 years, and in all that time the firewall had never been secured. This is not an isolated event, but it is one that proves an independent body is needed to ensure people, process and systems are at the very least set to a minimum level.
As the IT provider we are expected to manage the infrastructure, the foundation for all the applications and data needed to operate the business. We have standards that we deliver to our clients, and these ensure data is kept safe; this includes, but is not limited to, ensuring all infrastructure passwords meet a minimum complexity standard.
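The two checks described above, a firewall still on its factory “admin”/“admin” logon and infrastructure passwords below a minimum complexity standard, can be run as one pass over a handover inventory at onboarding. The script below is an added example, not Support Tree’s or the PDSC’s actual tooling or criteria: the default-credential list, the length and character-class thresholds, and the sample inventory are all assumptions constructed for illustration.

```python
"""
Onboarding credential audit: flags factory-default and weak infrastructure
passwords in a handover inventory. Added example; the default list, the
policy thresholds and the inventory are assumptions, not the post's own data.
"""
import string

# Constructed set of well-known factory defaults (assumption: extend it from
# vendor documentation for the devices actually in scope).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}

# Assumed minimum complexity policy: length and character-class requirements.
MIN_LENGTH = 12
MIN_CLASSES = 3


def char_classes(password):
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_credential(device, username, password):
    """Return (device, username, finding) tuples for one inventory entry."""
    findings = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        findings.append("factory default credential")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(password) < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    return [(device, username, f) for f in findings]


def audit(inventory):
    """Run check_credential over every entry and collect all findings."""
    findings = []
    for device, username, password in inventory:
        findings.extend(check_credential(device, username, password))
    return findings


# Constructed onboarding inventory, including the admin/admin firewall from
# the case study. A real inventory comes from the outgoing provider's handover.
SAMPLE_INVENTORY = [
    ("edge-firewall", "admin", "admin"),
    ("core-switch", "admin", "Summer2019"),
    ("backup-appliance", "svc_backup", "m7#Kq9!vLp2wZx4"),
]

if __name__ == "__main__":
    for device, user, finding in audit(SAMPLE_INVENTORY):
        print(f"{device}: {user}: {finding}")
```

Every finding is attributed to a device and account so it can go straight onto the onboarding remediation list; the firewall entry trips all four rules, the switch only the length rule, and the service account none.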
The reality is that as an IT provider we hold the keys to all the castles. Every facet of the client we support is recorded on our systems, including systems that don’t fall under our remit: anything from admin logon details for the CRM through to the backup solution that holds every email sent by every employee, including the boss.
If this information is not both stored carefully and monitored at all times, we could be breached through either an internal threat or an external attack. Starting with the team and checking police records, through developing processes that mean data is accounted for and stored in the right places, to procuring, using, maintaining and updating the right asset management tool: these are just a small part of the efforts made to ensure we are acting in our clients’ best interests. All of this can easily be checked by a third party.
Of course, the due diligence doesn’t stop there. As the IT expert we are expected to provide advice based on the kind of business, the risk it is willing to take and the information it holds. Providing this insight requires years of experience and business understanding, and these can also be checked through client referrals.
If you are reading this and are now concerned about the level of due diligence your current provider has taken to keep you safe, please give us a call and we can review your provider’s setup.