Doug Truitt

By Doug Truitt, Kalleo Technologies

Make no mistake: The high-profile $2.5 million ransomware attack striking multiple local governments in Texas last summer that was traced to a single compromised managed service provider has raised the stakes for all MSPs. Not too long ago, MSPs’ greatest danger was perhaps that a single client might be infected by malware. Now, MSPs must worry about being hacked themselves (and attackers then exposing all of their customers). MSPs must improve internal security practices.

Conversations among MSPs on Reddit make it clear that attacks compromising MSPs’ entire clientele have become nearly a weekly occurrence. This new reality has MSPs fearing breaches of their own systems like never before. It has given even the smaller MSPs new incentive to implement every security precaution.

Best Practices

While emerging MSPs lack the resources to enlist expensive tools, they can still employ many effective best practices against these threats and improve internal security practices. Here are five internal security practices these MSPs ought to implement as soon as possible, if they haven’t already:

1) Remove risks stemming from employee mistakes (with two-factor authentication, access controls, etc.). At its heart, IT security is the art of managing human nature. I’ll give you an example on the client side of things: In the past 12 months we’ve had employees at four different clients fall for the “Please buy me iTunes gift cards because I’m stuck in a meeting” phishing scam. It’s important to understand that none of these individuals are stupid — they simply got hit at the perfect distracted moment. This may be a client example, but its lesson applies to internal MSP teams. Don’t think that your people are “too savvy to fall for that kind of thing.” No, they’re not.

To secure against social engineering threats, smaller MSPs should design systems where an employee can fall for a scam and it doesn’t matter. In our case, we now use two-factor authentication (2FA) across all our solutions. We do that so that if an employee has a bad day and exposes his or her login credentials, attackers still cannot access our systems. MSPs must also be strict in adhering to these types of security strategies for them to be effective. For example, standardizing all solutions across a multifactor authentication (MFA) tool of choice, like Duo or AuthAnvil. If our techs want to adopt a new solution, it has to support our 2FA tool.

We also use Beachhead Solutions’ SimplySecure to erase the impact of mistakes when it comes to safeguarding employee devices and the data they hold. With this platform, if a device with access to our data is lost or stolen, the tool can block access or delete that data remotely. Because phones are the key to our two-factor authentication, this capability to protect phone devices is even more essential to us. It not only prevents isolated data breach incidents but ensures that such events can’t cascade and expose additional systems.

We have an easy time selling a tool like this to clients as well. We sell it like insurance against data breaches — a proposition they understand and are eager to engage with. This is clear example of how implementing secure solutions for your business can serve as a launchpad for secure client-facing solutions.

2) Introduce isolation. Practice isolation so that one compromised system cannot impact others. For example, our servers are isolated from each other and located in a SOC-compliant data center. Emerging MSPs can introduce isolation without introducing big expenses. Take strategic inventory of each system’s access capabilities and the associated risks. Analyze your systems as an attacker would — if you wanted to break in and escalate access to impact all systems and clients, how could you do it? Then, limit those systems, shutting off every avenue that might give an attacker hope.

3) Enlist capable external tools. As a small MSP in 2004, we created our tools. However, that was another time and another world. If I was starting over today, I’d use zero in-house tools. Today’s cloud-based solutions are simply far more capable from a security perspective. For example, we use a third-party business management software provider built for MSPs.

We also use a heavy-duty endpoint security that locks down how much trouble a user can get into.This has helped to reduce the endpoint infections…

…from a few each month down to zero. Given the really solid solutions out there right now (Webroot, Carbon Black, SentinelOne, etc.), it’s absolutely worth it not to go it alone. MSPs must improve internal security practices.

4) Implement in-person employee trainings. While we’ve previously established that even smart employees will still make mistakes, effective employee trainings are valuable in promoting secure practices — and especially so from a regulatory compliance perspective. In our case, all of our employees are required to go through annual training in secure practices associated with the Health Insurance Portability and Accountability Act (pertaining to our clients in the health care field) and Criminal Justice Information Services (pertaining to our law enforcement clients). Based on experience, I recommend in-house trainings with live instructors. Workers at MSPs are always too busy for self-guided trainings to have the proper effect.

5) Enforce ironclad rules around secure employee practices. MSPs of all sizes are at risk when technical staff cut corners and forego secure practices to save time. It’s extremely tempting for technicians to solve their pain points and expedite work through unsecured shortcuts. However, that is why rules forbidding those shortcuts are so necessary.

For example, a busy MSP technician needs to update an app on a client’s secure server. The correct practice is to load a VPN client, jump through hoops to successfully transfer and execute the update file. The technician would prefer to use an access utility to create an open remote access connection to the internet, do the work and close that security hole afterward. In practice, it’s all too common for technicians to forget to close that hole, leaving a potentially disastrous opening. At our MSP, we put in the policy of no unauthorized remote access tools to the internet. If you do so, you get fired. It’s harsh, but it can take rules that strict to manage human nature. There’s no excuse for allowing sloppy, risky practices that might destroy your business — or your client’s.

By becoming more conscious of these security risks  and implementing effective safeguards, emerging MSPs can protect themselves from fatal data breaches and other attacks and improve internal security practices, MPS can also leverage those same techniques to successfully protect clients.

Doug Truitt is the CEO of Kalleo Technologies, a managed service provider specializing in remote IT management support for the health care, government and transportation industries. Follow him on LinkedIn or @kalleotech on Twitter.