How do you know if your current Managed Service Provider (MSP) is effectively managing your cybersecurity? Most Not for Profits have outsourced their IT services, but not many consider their cybersecurity risks after the contracts have been signed.

Even if someone else is responsible for managing and delivering these services, the accountability still remains with the organisation. In fact, the Australian Institute of Company Directors made it very clear with their advice:

“While it is not the role of the board to directly manage cyber risk, it is the board that has ultimate accountability for how risks are governed and addressed. This includes being satisfied there are appropriate processes and delegations in place that provide directors with comprehensive oversight of the actions of management.”

So, how would you give confidence to your Board that your Managed Service Provider is effectively managing your cybersecurity? Here are a few indicators:

Simple indicators to know if your Managed Service Provider is effectively managing your cybersecurity:

  • How much spam do you get? If you are getting a lot of spam, it’s a sign that your Managed Service Provider isn’t actively managing it.
  • When was the last time your computer required you to restart it after a security update? Microsoft has been releasing security updates weekly lately. If your computer has not initiated a restart recently due to an update, that’s a real concern.
  • Can you download software onto your computer without admin help? The accidental download of malicious software is a common way that cybercriminals get into an organisation’s IT network. If your staff are allowed to do this without admin permissions, the policy setting has not been turned on.
  • Do you use multi-factor authentication to log in? Every account should require multi-factor authentication these days. This is when two actions are required to gain access to a system, usually a password plus one other method such as a text message or an authentication app. If you’re not required to do this (especially if Single Sign-On is not available), your provider is not managing it properly.
  • Has your Managed Service Provider discussed an upgrade pathway to Windows 11? Microsoft recently announced the 2025 end-of-support date for Windows 10. Furthermore, much of the new AI Copilot functionality will only be available on Windows 11. If you are still using Windows 10 (or older – major risk!), then your Managed Service Provider is not doing their job.
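Three of the indicators above (recent security updates, admin rights, Windows version) can be checked directly on a Windows PC. The script below is an added example, not part of the original article; the 45-day patch-age threshold is an assumption, and the "CONCERN" wording is simply a prompt to raise the point with your provider.

```powershell
# Added example: self-check of three indicators on the local Windows workstation.
# Assumption: a security update older than 45 days (one missed monthly cycle) is a concern.
$MaxPatchAgeDays = 45

# 1. Patch operating systems: when was the most recent security update installed?
$lastSecurityUpdate = Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($lastSecurityUpdate) {
    $age = (New-TimeSpan -Start $lastSecurityUpdate.InstalledOn -End (Get-Date)).Days
    $status = if ($age -le $MaxPatchAgeDays) { 'OK' } else { 'CONCERN' }
    "[$status] Last security update $($lastSecurityUpdate.HotFixID) installed $age day(s) ago"
} else {
    "[CONCERN] No security updates are recorded on this machine"
}

# 2. Restrict administrative privileges: is the signed-in user in the local Administrators group?
# The group SID S-1-5-32-544 is present in the token even when UAC has not elevated the session,
# so this reports membership rather than whether the current window is elevated.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
if ($isAdmin) {
    "[CONCERN] $($identity.Name) is a local administrator and can install software without help"
} else {
    "[OK] $($identity.Name) is a standard user"
}

# 3. Upgrade pathway: Windows 11 workstations report build 22000 or higher.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -ge 22000) {
    "[OK] Windows 11 (build $build)"
} else {
    "[CONCERN] Windows 10 or older (build $build); ask your provider about the upgrade plan"
}
```

Run it in a normal (non-elevated) PowerShell window on a few staff machines; a pattern of CONCERN lines across the fleet is worth raising with the provider, while a single machine is more likely a local fault.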

These are only indicators, obviously. So, if you want to really understand how they are doing, you should require your IT Service Provider to provide you with a regular report that demonstrates their performance.

Ideally, you should already have this built into your service contract. If not, there are other ways.

Essential Eight Report

The Australian Signals Directorate created a cybersecurity risk baseline framework called the Essential Eight. It’s primarily aimed at organisations that use Microsoft but can be applied beyond that.

The Essential Eight covers:

  • Application control
  • Patch applications
  • Configure Microsoft Office macro settings
  • User application hardening
  • Restrict administrative privileges
  • Patch operating systems
  • Multi-factor authentication
  • Regular backups.

An Essential Eight report will NOT mitigate all cybersecurity risks in the organisation, but it will cover a lot of them if your organisation relies heavily on Microsoft. There’s enough free information available online for this framework that your Managed Service Provider should be able to prepare the report (for an additional fee). If they can’t, I’d suggest looking for a new provider as soon as possible.

As for other frameworks, there are many available, but I often find them to be overkill for most Not for Profits. For my clients, I create custom evaluations depending on their size, risk profile and other needs.

I regularly help Not for Profits with strategic IT decisions, including identifying cybersecurity risks. Let me know if you need some help.

Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today she helps NFPs with strategic IT decisions, especially around investments.
