Make Security Part of Your Daily Routine
Managed services providers (MSPs) that want to establish a reputation as a reliable partner and a go-to source for security services and technology need to practice what they preach. That means making security part of the daily routine, not just for customers, but also internally.
MSPs are currently in the crosshairs of organized cybercriminals, and the U.S. Department of Homeland Security (DHS) and other security agencies have taken notice. DHS warned MSPs last year that hackers are targeting them in order to leverage MSP networks to breach multiple companies simultaneously.
To protect themselves and their clients, MSPs must implement and follow the same best practices they advise for their customers. And, more specifically, they must monitor their network activity to ensure their systems aren’t inadvertently being used as a launching pad for malware, ransomware or other kinds of attacks.
Security Best Practices MSPs Should Follow
Examine the security tools and practices you recommend to your clients. Do you also use them internally? This not only makes your sales pitch stronger for potential clients, but it also gives staff an intimate knowledge of exactly where protection begins and ends within those products.
Develop security policies that match the current threat landscape, and make sure they are clear and easy to follow. As part of that process, evaluate your current access management and administrative procedures. You’ll want to limit permissions and access as much as is possible or practical (to reduce the scope of any potential breach), and make sure everyone understands why this is important.
Use multifactor authentication for your customers and your internal staff. Also, ensure that the vendors you work with have implemented proper security measures; otherwise, your hard work can be undone by the poor password practices of a third-party vendor or a poorly trained helpdesk employee.
Restrict access to public file share sites and use a VPN for your MSP connections.
Implement a security awareness and training program internally that includes regular updates, alerts and phishing simulations. This will help shore up any potential gaps and enable you to work with customers to correct risky employee behaviors. If you’re not feeling ready to offer this type of service to customers, get started by deploying such a program for your staff. It can be a great way to develop their own security awareness. This will position you to have more effective educational discussions with your customers and their employees.
Establish a robust incident response protocol that includes clear direction on who gets notified when there’s a problem and who’s responsible for taking action. This will eliminate costly delays and help reduce the damage when there’s an attack.
Put protocols in place to revoke privileges, remove password access and shut down accounts when an employee is terminated. Idle accounts are a disaster waiting to happen, even when an employee parts on good terms. In some cases, the email accounts of deceased employees have been used to access a network.
Have regular security conversations with your clients, and be sure to include an overview of what you’re doing internally to keep your network safe in addition to protecting their data. This not only helps customers increase their awareness of current threats, but it also improves your status as a trusted expert and advisor and can open up conversations about additional services.