How Banks Should Choose Their Outsourced IT Services Company (or MSP)

IT Professional Working on Bank's Server

Introduction

Choosing a Managed Service Provider (MSP) is much like dating.  You need to find the right one that will fit your needs and be with you for the long-term, despite any obstacles that may come up.  There are literally hundreds of MSPs that you can choose from, but you need to vet them out carefully to see which one will work with you the best for your bank.

We provide some tips in this article.

What To Look For

Conduct a thorough assessment of your IT/Network environment:

Before you begin the actual process of selecting an MSP, you first need to figure what it is you truly require.  This can be done by conducting an audit.  Some key things to look out for include the following:

  1. Determine the number of servers, workstations, and wireless devices your bank currently has.
  2. What is your software patching process like? Are you up to date with everything?
  3. How and where is your data stored?  Is it stored in the cloud or on premises?
  4. What is your current Cybersecurity situation like?  Are the right controls in place?  Are you implementing multiple layers of security?

An MSP that you are potentially looking at hiring should provide this checklist for you. You should not have to create your own.

Determine what you want from them:

After you have conducted the audit in the last step, the next item you need to consider are what kind of services you need from an MSP. Many of them offer an entire array of services, and it can be confusing at first glance to determine what you need.  The key thing to remember here is to just focus first on what your audit has revealed, and then you can add other services later on.  Also, make sure that your MSP is not selling you on too much.  They should only quote you on what you initially need.

Will your MSP be around when you need them the most?

Nobody knows when a security breach will occur or even when a natural disaster will strike.  If it does happen, usually it as the worst time possible.  So therefore, you need to make sure that your MSP will be around in these kinds of situations, and even for minor requests as well.  Also, they should be able to help you restore your mission critical operations in a short period of time in case they go down for any reason.  Many of the management and monitoring services are typically automated, and thus, you also need to make sure that they have deployed the latest security tools and technologies in their own infrastructure as well.  In fact, that is how the Solar Winds hack occurred in the first place.  They had an automated platform called “Orion,” and it was through this that the Cyberattacker was able to deploy the malicious payload to the hundreds of victims that it infected.

Make sure your MSP can also physically visit you:

Although everything can be pretty much done virtually today, your MSP should also make the time to visit your bank personally as well.  During this visit, they should make a brief inspection of your IT and Network Infrastructure and address any questions or concerns that you may have.  Also, they should review the current support plan that you have in place and see if any adjustments need to be made.  They should also be able to go over any long-term objectives that you may have with regards to hardware, software, and digital assets.

Do they have a cloud infrastructure in place?

Many businesses are opting to migrate their entire IT/Network operations to a reputable cloud-based platform, such as AWS or Microsoft Azure.  But in reality, rather than going through this entire process themselves, many are now choosing to have their MSP do it for them.  There are two situations here that you need to take into account:  1) Your MSP could do the migration for you onto your cloud account, but this will be an expensive proposition to your budget; or 2) They can migrate your stuff into their own cloud account, and this will be a much cheaper option for you.  Also, by hosting your IT/Network Infrastructure through your MSP, you will not have to worry about any maintenance issues or security updates, as this will be all taken care of for you.  So therefore, the bottom line is to make sure that your potential MSP is making use of either AWS or Microsoft Azure, and that that they also have taken all of the Cyber protections that is afforded to them.

Are they reputable?

As in the case of any third-party vendor your bank is working with, you also need to do your diligence to make sure that the MSP you are considering onboarding has a rock-solid reputation for delivering IT Services for Banks.  They should be able to provide you with a list of references that you can contact, and also even conduct a Google search on them, to see what kind of other reviews other customers have left.  

Is the contract airtight?

Typically, these are known as Service Level Agreements, or SLAs for short.  Before you sign off on this, make sure that you have your attorney check it out first in order to make all is good from a legal standpoint.  Also, if there are any questions or edits that you want to make to the SLA, your potential MSP should be responsive to it.  If not, or if they are acting evasive in any way, then this should be a huge red flag to you.

Conclusions

Apart from doing normal IT related functions, your MSP should also have a Cybersecurity offering as well.  In other words, they should have such services as Threat Hunting, Penetration Testing, Vulnerability Assessments, etc. to help you shore up the lines of defense at your bank.  Included in this should be a comprehensive compliance check, to make sure that the controls you have in place are up to snuff with the provisions and tenets of the GDPR, CCPA, etc.