MSPs are used to having hard conversations with their customers about implementing better security practices, but recently MSPs have found themselves being the ones advised to take more serious precautions.

In early October, the U.S. Department of Homeland Security (DHS) issued a warning to managed services providers and cloud services providers (CSPs) that they were being targeted by cyber criminals looking for a way in to their customers’ networks. You can read more detail here.

The DHS said it has been tracking hackers for the past two years that are using advanced persistent threats (APT) to break into MSP and CSP networks to reach their customers.

The National Cybersecurity & Communications Integration Center (NCCIC) states: “By servicing a large number of customers, IT service providers can achieve significant economies of scale. However, a compromise in one part of an IT service provider’s network can have globally cascading effects, impacting other customers and introducing significant risk.”

In short, an MSP breach can have more far-reaching consequences than an incident at a single company. MSPs that haven’t been following their own advice when it comes to security best practices should be prepared to eat some crow if their customers demand a look behind the curtain–or worse, if there’s already been a breach.

The Security Conversation

The upside of the DHS alert is that it presents an opportunity for MSPs to sit down with their customers and have a conversation about how both entities can work together to strengthen their networks against these attacks.

It’s a talk that needs to happen soon. The APT attacks described by DHS are conducted using legitimate credentials as well as trusted off-the-shelf apps and pre-installed system tools like command line scripts to discover accounts and transfer data from MSP client networks. Because they are using legitimate scripts, it can be difficult to tell that there’s even been a breach.

The alert (TA18-276B) also includes connectivity and network configuration recommendations that can help MSPs and their clients protect themselves against these APT attacks. Those recommendations provide a good list of talking points for productive customer conversations. Among them:

With DHS ringing the alarm bells, MSPs should evaluate their own networks and reach out to customers to provide assurances about security. But don’t stop there: Use this as an opportunity to further strengthen your client relationships by working together to guard against these emerging threat vectors.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.

This guest blog is part of a Channel Futures sponsorship.