Best Security Practices With Managed Security Services Providers

For business owners, business growth is the name of the game. It’s important to establish protocols that can easily grow with your business to protect your assets, especially when it comes to the technology that facilitates business processes. If your business has the proper security fundamentals in place at the start to protect your business, then it’s relatively simple to grow your security with your business. In fact, this is one of the areas where having a Managed Security Services Provider (MSSP) augments your security practices.

What is Security?

In essence, security is minimizing the risk of a threat to a vulnerable asset. We can only control the vulnerability from a cybersecurity standpoint. We cannot control the threat, because it is external to the organization.

As such, the first rule of security is to protect the people. The first rule of cybersecurity is to protect the data. Protecting the data, in turn, protects the people as well as the business.

What We Can Control With Security

First thing we can control are the physical controls, such as doors, locks, fire extinguishers, etc. Next controls are the procedural controls, such as training, management policies, procedures, etc. Then there are our technical controls, including firewalls, anti-virus software, passwords, data authorization, and multi-factor authentication. Last are the legal, regulatory, and compliance controls, which includes laws and industry rules.

We then put these controls in place before an incident occurs to attempt to deter any incidents from occurring in the first place. We place locks on the doors, require users to have usernames and passwords to get into the business system, employ virus scanners to catch any malicious downloads, and set up a backup process so that we have images of the data saved in case the data becomes corrupted.

Security Controls After an Incident Occurs

When a security incident occurs, however, we do have physical and cyber elements under our control. In the physical world, we have burglar alarms, fire alarms, smoke detectors, and fire suppression systems. In the computer world, we have detective controls such as firewalls and virus detection to detect viruses as they’re executing and stop them before they really start doing damage.

We also have corrective controls for after the incident. Corrective controls are restores from backups, for when an attack corrupts the data or if there was a ransomware attack.

What’s the Benefit of Hiring an MSP?

For starters, a Managed Services Provider already has the expert staffing with industry-standard certifications in their areas of expertise. They understand the layers of controls that they’re putting in place as well as how the controls are used together to protect the data at the other layers.

In addition, an MSP uses mainstream and standardized equipment. By bringing on an MSP, businesses can also have the peace of mind knowing that the equipment and support is of the highest level of security available.

How an MSP Sets up Best Security Practices

Equipment Setup

The key gateway for employees to communicate and for threats to break in is via the Internet. The first step of any security process is to place a firewall route that blocks Internet access both in and out. With the cloud-based intrusion prevention system in place with the firewall, your MSP can keep a list of known threat actors and keep dynamic firewall rules in place. This way, no one has to hard code every bad threat actor in real time.

The next step is to set up the wireless access points that employees use to connect to the Wi-Fi. The MSP will protect the wireless access points through encryption and authorization.

Next is an SD WAN. The one we use provides for high availability as well as packet prioritization. When you’re looking at VoIP phones or Microsoft Teams, it allows for the availability of that data so that the prioritization ensures that the services that need to be at the top of the list are actually highly available.

Workstations and servers come next. These are considered the endpoints to the network or where the data actually lives. As such, workstations and servers have more of the cybersecurity controls previously mentioned than the other components.

Virus scanners and detectors are next, followed by backups for all of these systems. An MSP will also take care of all of the incoming patches and updates, which are probably the most important things a business can do to protect the data on its computer systems.

Setting Security Protocols

Once the equipment is all in place, the next step is setting up good procedures for authentication and authorization. Authentication verifies a person or system’s identity to determine that they are whom they say they are. Authorization ensures that the data remains confidential only to the people/systems that need access to that data.

As another layer of authorization, all hard drives should be encrypted. Encryption is a preventative control to make sure that data remains confidential on a computer if someone steals that computer.

Establishing Security Policies and Procedures

Laws such as GDPR and HIPAA require confidentiality of data, but it’s up to the organization to establish internal policies to keep the integrity and confidentiality of that data. What policies do they need?

Acceptable User Policy

An acceptable user policy (AUP) includes determining a backup schedule and user account and access management. It’s important to create the data custodian and data owner role so that role can make sure the right entities have access to the right data at the right time.

Archiving Policy

How long do we keep the data backups? The longer the data is kept, the more liable it potentially becomes. It’s important to decide how long to keep data before purging it.

Industry Compliance Policies

Industry compliance doesn’t always fall under laws, but some functions of industry requires policies for compliance. For example, when it comes to accepting credit card payments, the business must have PCI certification.

Multi-factor Authentication (MFA)

Software solutions such as Microsoft 365 are no longer products that the company “owns,” but instead pays for licensing as a service (software as a service, or SaaS). With SaaS, users have to log into the software using a username and password. However, your MSSP can help you add another layer with MFA.

MFA can use tokens (such as sending a text to your phone), biometrics (such as facial recognition technology), and even geolocation to ensure that a user is logging in from a particular country.

Security Awareness Training

People are a company’s greatest asset, and we need to create a human firewall to protect the other security layers. All the technologies or technical layers that we’ve created so far can easily be thwarted by a human who does not have security awareness. As such, people can be the greatest weakness to a security system. It’s important to train the users on good password hygiene as well as what MFA is and why they should use it.

Educating users on safe web browsing and only visiting acceptable sites listed in our AUP is also important, so that users do not browse outside to unapproved sites that potentially could have malware and other malicious software.

It’s equally vital to educate users on email phishing attacks. Since the pandemic started in 2019, we’ve seen an increase in phishing attacks over 600%. Users must be educated on what to do in case they notice that there is something wrong without shaming them. If they do do something wrong, let them know they need to report the incident either to their manager or to computer security.

Where Does an MSSP Fit in?

The MSSP builds off of what the Managed Services Provider (MSP) has already created. This includes all the security controls listed here to protect the business’ data. The MSSP then sets it up so that the data from those controls are gathered and logged to a central repository within the MSSP. From there, the provider can receive alerts from any suspicious activities or events taking place. Therefore, having an MSSP always monitoring your environment lowers your risk and increases your security.

Benefit of Expert Staffing

Since the staff of an MSSP are security experts, they can focus solely on the security of your business, which is beyond what MSPs can provide. Because this is an outside staff, an MSSP reduces overall staffing costs of the business, as hiring a security expert in-house is relatively expensive.


In addition, Managed Security Services Providers are scalable. No matter if your business has five employees or 150 employees, the MSSP can grow with your business and even scale to multiple businesses.

Security Log Storage

Our MSSP services keeps all data logs for six months by default. These logs are invaluable during forensic investigations, and keeping them speeds up the investigative process by storing them all in one place.

We keep these logs in a SIEM, a security information and event manager. All of the technical controls that we have for security that the MSP put in place are logged centrally to the SIEM. Our SIEM has a correlation engine that performs data analytics against all the messages coming in and creates alarms for suspicious activities. Once the SIEM creates these alerts, they go to the Security Operations Center, which is manned 24/7 365 days of the year. They will determine if any of these alerts are valid and act accordingly.

Ready to take the next step in your best security practices with a Managed Security Services Provider? Please contact us at any time!

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author