By Terry Cole, Cole Informatics
It’s time to admit it: the bad guys who draft up phishing emails to capture login information or deliver payloads of malware are getting pretty darn crafty. In fact, it’s to the point now where even paranoid experts like yours truly can be close to peril without the right tools and a holistic security strategy in place. I’ve recently been the target of increasingly clever email attacks that I’ll share – including one that almost got me.
The email that almost had me fooled appeared to be from a trusted colleague of mine in the MSP industry. It said that this colleague had sent me a secure private message that was ready for me to read and included a link to click. This was absolutely consistent with my normal experiences communicating with him. In this instance I didn’t check the email tooltip, as I always recommend for people to do, but instead just went ahead and clicked the link. This opened an Outlook screen that included the words “Encrypted by Microsoft Office 365” (very likely a lie) and asked me to verify my identity by entering my email and password. However, at this point I noticed that the URL was an unpronounceable assortment of random numbers and letters – and clearly not a valid frontend for Microsoft. I stopped there, and they didn’t catch me.
This example goes to show how proper employee training and vigilance has to be at the foundation of every IT security strategy, whether delivered by an MSP or otherwise. I’ll give you another example of a recent email attack, which was constructed to be so subtle that no antivirus or spam tool would have detected an issue. I received an email from a legitimate domain, which asked if the number on the business card I sent them was correct (because, they said, their call didn’t go through). First of all, I never sent anyone a business card, and second, hovering over the link to my “business card” displayed the dangerous-looking address of a phishing email. Just the day before, I’d received an email that linked to a similar phishy address, from a supposed customer using a lot of swear words asking why a linked-to bill had been sent to them.
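The two checks that saved the day in both stories above (hovering to see where a link really goes, and noticing that the real hostname is a random jumble) can also be automated as a first-pass triage of a suspicious message. The script below is an added example written for this article, not a tool the author uses; the sample email body, the hostnames in it and the "looks random" heuristic are all constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body (hypothetical hosts, not a real email).
SAMPLE_EMAIL_HTML = """
<p>I sent you a secure private message. It is ready for you to read.</p>
<p><a href="http://x7q2k9z4m1v8.example-host.test/login">Read your encrypted message</a></p>
<p><a href="https://www.microsoft.com/office">https://www.microsoft.com/office</a></p>
<p><a href="http://x7q2k9z4m1v8.example-host.test/card">https://outlook.office365.com/</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def looks_random(label):
    """Heuristic (an assumption, not a standard): a hostname label that is long and
    either flips between letters and digits repeatedly or has almost no vowels reads
    like an 'unpronounceable assortment of random numbers and letters'."""
    if len(label) < 8:
        return False
    letters = sum(c.isalpha() for c in label)
    vowels = sum(c in "aeiou" for c in label.lower())
    flips = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return flips >= 4 or (letters > 0 and vowels / letters < 0.2)


def assess_links(html):
    """Return one finding per link; an empty 'reasons' list means nothing stood out."""
    findings = []
    for href, text in extract_links(html):
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme != "https":
            reasons.append("link is not https")
        if any(looks_random(part) for part in host.split(".")):
            reasons.append("random-looking hostname")
        # The tooltip check, automated: if the visible text is itself a URL,
        # its host must match where the link really goes.
        if text.startswith(("http://", "https://")):
            shown_host = urlparse(text).hostname or ""
            if shown_host != host:
                reasons.append("displayed URL differs from actual target")
        findings.append({"href": href, "text": text, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_links(SAMPLE_EMAIL_HTML):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status:10} {f['host']:35} {'; '.join(f['reasons'])}")
```

Run against the constructed body, the first and third links are flagged (plain http and a random-looking host; the third additionally shows a Microsoft URL as its text while pointing elsewhere), while the genuine microsoft.com link passes. The heuristic is deliberately crude; it is a prompt for a human to look harder, not a verdict, and a link that passes still deserves the hover check.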
When it comes to these scenarios that phishing emails like to put people in, a cool head and proper training in ever-evolving phishing techniques can make all the difference in how you react. That said, adding further protections to improve the margin for error is absolutely recommended for any MSP worth its salt.
Given the reality that even very security-minded people like myself can be fooled (or almost fooled) by these scams, employee training needs to be backed by several layers of security, so that the safety of your clients’ (and your own) systems and data isn’t solely dependent on each employee’s level of concentration or, worse, how much they care. Considering the costly and damaging ramifications when a business fails to meet regulatory compliance standards, when they let in ransomware, or when they simply lose customers’ trust, it’s crucial to support employees with strategies and tools designed to avoid or neutralize the impact of otherwise-crippling security incidents.
When I was moments away from handing my login credentials to a scammer, I could still take comfort from the fact that I had two-factor authentication (2FA) in place to protect my account. Most 2FA or multifactor authentication solutions add a required code to the login process that’s only available on a device you control. Thus, logging in requires two types of factors: something you know (your login credentials) and something you have (the code). In my case, the bad guys would have had my username and the password that I was using that moment, but that’s as far as they would have gotten. For a 2FA solution, I like to use Duo 2FA, because it’s quite simple for users to incorporate into daily life. MSPs must ensure that 2FA is enabled on every system that their employees and clients’ employees log in on – it easily provides a barrier that can defeat a vast majority of attacks, which would have profoundly negative outcomes otherwise.
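To make the "something you know plus something you have" point concrete, here is an added example (not the author's setup, and not how Duo works internally; Duo typically uses push approval rather than typed codes) that implements the time-based one-time password scheme of RFC 6238 with only the Python standard library. The user record, salt and password are constructed for the demo; the TOTP secret is the one published in RFC 6238's test vectors, so the codes the example produces can be checked against that document.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 8  # RFC 6238's published test vectors use 8 digits; many apps show 6

# RFC 6238 Appendix B test secret ("12345678901234567890" encoded in base32).
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_for_counter(secret_b32, counter, digits=DIGITS):
    """HOTP (RFC 4226) over a time counter: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp_at(secret_b32, unix_time, digits=DIGITS):
    """The code the user's enrolled device would display at the given time."""
    return totp_for_counter(secret_b32, int(unix_time // STEP_SECONDS), digits)


# Constructed user store: salted PBKDF2 password hash plus the enrolled TOTP secret.
PBKDF2_ROUNDS = 100_000
USERS = {
    "terry": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", b"constructed-salt", PBKDF2_ROUNDS),
        "totp_secret": RFC6238_SECRET_B32,
        "last_counter": -1,  # highest time window already accepted, to block code replay
    }
}


def verify_login(username, password, code, now=None):
    """Both factors must pass: the password (something you know) and a fresh code from
    the enrolled device (something you have). A phished password on its own fails."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    counter = int((time.time() if now is None else now) // STEP_SECONDS)
    for delta in (0, -1):  # tolerate one step of clock skew between device and server
        c = counter + delta
        if c <= user["last_counter"]:
            continue  # that window was already consumed: a replayed code
        if hmac.compare_digest(totp_for_counter(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


if __name__ == "__main__":
    # Stolen password alone: denied. Password plus the device's current code: accepted.
    print(verify_login("terry", "correct horse", "", now=59))
    print(verify_login("terry", "correct horse", totp_at(RFC6238_SECRET_B32, 59), now=59))
```

The replay guard matters in the phishing scenario described above: even if a fake login page captured both the password and a code the victim typed, that code is only good for its 30-second window and only once, so the attacker has to use it immediately or not at all. Hardware tokens and push-based approvals tighten this further, but the underlying idea is the same: the second factor lives on a device the attacker does not hold.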
Demonstrable data encryption and device security are essential protections as well (device security can of course be quite important when also using 2FA security measures). If data remains safely encrypted, attacks that successfully infiltrate systems can still be thwarted, and data breaches averted. In those cases where devices are lost or stolen and login credentials are compromised, device access controls can still save the day by remotely revoking access and locking down any data or access on the device. For example, we use Beachhead Solutions’ SimplySecure for MSPs to add that extra layer of encryption and device protection on client devices, in case more preliminary security layers are overcome.
Finally, you need the ability to endure successful attacks and recover quickly from a disaster, and that means having a data backup system in place that’s both absolutely trustworthy and designed to maintain your business continuity. For data backups to have value, data should be easily restorable with minimal downtime, and must be isolated and immune from the same file-encrypting ransomware or other attacks that may take down your production data. In those worst-case scenarios where production data is corrupted or systems are locked up by ransomware, the ability to simply replace data from a backup (and ignore ransom demands) lets you snatch victory from the jaws of defeat. We use Datto as our tool of choice in this category for its reliability; when these scenarios do occur, your backup solution simply must work. IT security may never be 100 percent bulletproof, but at the end of the day your ability as an MSP to recover data has to be.
While we all understand the reality that mistakes will happen, clicking on a phishing email or otherwise messing up and compromising security can leave your clients (or you) feeling pretty dumb. At the same time, nothing will make that feeling go away like knowing your MSP has your back with layers of security that ensure no harm can be done.
About The Author
Terry Cole is the Founder of Cole Informatics, an IT professional services and support company in West and Middle Tennessee.