MSPs: Improve Internal Security Practices, Avoid Headlines

Doug Truitt

By Doug Truitt, Kalleo Technologies

Make no mistake: The high-profile $2.5 million ransomware attack striking multiple local governments in Texas last summer that was traced to a single compromised managed service provider has raised the stakes for all MSPs. Not too long ago, MSPs’ greatest danger was perhaps that a single client might be infected by malware. Now, MSPs must worry about being hacked themselves (and attackers then exposing all of their customers). MSPs must improve internal security practices.

Conversations among MSPs on Reddit make it clear that attacks compromising MSPs’ entire clientele have become nearly a weekly occurrence. This new reality has MSPs fearing breaches of their own systems like never before. It has given even the smaller MSPs new incentive to implement every security precaution.

Best Practices

While emerging MSPs lack the resources to enlist expensive tools, they can still employ many effective best practices against these threats and improve internal security practices. Here are five internal security practices these MSPs ought to implement as soon as possible, if they haven’t already:

1) Remove risks stemming from employee mistakes (with two-factor authentication, access controls, etc.). At its heart, IT security is the art of managing human nature. I’ll give you an example on the client side of things: In the past 12 months we’ve had employees at four different clients fall for the “Please buy me iTunes gift cards because I’m stuck in a meeting” phishing scam. It’s important to understand that none of these individuals are stupid — they simply got hit at the perfect distracted moment. This may be a client example, but its lesson applies to internal MSP teams. Don’t think that your people are “too savvy to fall for that kind of thing.” No, they’re not.

To secure against social engineering threats, smaller MSPs should design systems where an employee can fall for a scam and it doesn’t matter. In our case, we now use two-factor authentication (2FA) across all our solutions. We do that so that if an employee has a bad day and exposes his or her login credentials, attackers still cannot access our systems. MSPs must also be strict in adhering to these types of security strategies for them to be effective. For example, standardizing all solutions across a multifactor authentication (MFA) tool of choice, like Duo or AuthAnvil. If our techs want to adopt a new solution, it has to support our 2FA tool.

We also use Beachhead Solutions’ SimplySecure to erase the impact of mistakes when it comes to safeguarding employee devices and the data they hold. With this platform, if a device with access to our data is lost or stolen, the tool can block access or delete that data remotely. Because phones are the key to our two-factor authentication, this capability to protect phone devices is even more essential to us. It not only prevents isolated data breach incidents but ensures that such events can’t cascade and expose additional systems.

We have an easy time selling a tool like this to clients as well. We sell it like insurance against data breaches — a proposition they understand and are eager to engage with. This is clear example of how implementing secure solutions for your business can serve as a launchpad for secure client-facing solutions.

2) Introduce isolation. Practice isolation so that one compromised system cannot impact others. For example, our servers are isolated from each other and located in a SOC-compliant data center. Emerging MSPs can introduce isolation without introducing big expenses. Take strategic inventory of each system’s access capabilities and the associated risks. Analyze your systems as an attacker would — if you wanted to break in and escalate access to impact all systems and clients, how could you do it? Then, limit those systems, shutting off every avenue that might give an attacker hope.

3) Enlist capable external tools. As a small MSP in 2004, we created our tools. However, that was another time and another world. If I was starting over today, I’d use zero in-house tools. Today’s cloud-based solutions are simply far more capable from a security perspective. For example, we use a third-party business management software provider built for MSPs.

We also use a heavy-duty endpoint security that locks down how much trouble a user can get into.This has helped to reduce the endpoint infections…