Guest Column | December 1, 2020

How MSPs Can Avoid 6 Common Security Mistakes

By Ryan Walsh and Craig Donovan, Pax8

An effective cloud services solution must include strong cybersecurity offerings. Companies need cloud services because they allow them to be more agile, especially in the new work-from-anywhere environment we find ourselves in today. It also means that data and information are moving digitally through devices and channels, possibly exposing the company to risk.

Data and devices must be secured to mitigate cyber threats. To do that, you need to build a multi-layered cloud security stack that includes endpoint, email, and anti-phishing protection. This security stack will help protect remote employees transferring files from unsecured places, stop malware before it reaches an employee’s inbox, and provide email filtering and reporting.

While managed service providers (MSPs) know the importance of securing their clients, we continue to see common mistakes being made along the way. Additionally, many MSPs are using manual processes, exposing them to added risks. Below are the best solutions to avoid making the top six mistakes and remedy the risk associated with inefficient manual processes.

  1. Mixing Work And Personal Computers

Remote work blurs the lines of work and home life, as well as the lines between work and personal devices. It is common for employees to use their work devices for personal use because it makes things easy. People also have an added sense of security when using their work devices. However, that sense of security is not always warranted. Using a work computer for personal matters greatly increases the risk of security issues. And adding new software or a non-business application on a device increases the opportunity for a security breach. Even applications from trusted sources carry the risk of exposing the device and company data.

When the COVID-19 pandemic hit, companies' most pressing concern was the speed to pivot to a work-from-anywhere landscape. Many employees who were new to working remotely had to utilize their personal devices for business matters. Most companies turned on their virtual private network (VPN) to protect their workforce, thinking this would secure devices. What they failed to do was verify what applications and vulnerabilities were already on the devices. Enabling security measures and detection software on devices is a step companies should take, but it does not allow them to see previous threats. Additionally, many people did not have clear communication from their employers on securing their devices.

A report from SentinelOne showed that 66% of customers did not have instructions on how to secure their devices. The best solution is to have separate devices for work and personal use—do not answer business emails on a personal computer and do not download any personal software or games on a work computer. If moving to a remote workplace, provide employees with new work computers, secure them with a remote monitoring and management (RMM) solution, and inform them about security best practices.

However, this is not always an option. If employees must use their personal computers for work, we strongly suggest using an industry-leading virtual desktop, enabling secure work on any device while also protecting data. You should also apply firewalls to shield devices from malicious network traffic.

  2. Being Unaware Of Your Risks And Vulnerabilities

Being unaware of risks and vulnerabilities is another common issue we see. If you do not know where your clients are vulnerable, you cannot ensure you have the right security solutions in place. While having a firewall is an important security measure to stop hackers, your clients might be more prone to phishing emails. Without knowing about the vulnerability, you may overlook implementing anti-phishing software. That is why it is crucial to have a holistic understanding of the security landscape. Even if you believe you have created a secure cloud environment, testing and verifying is the only way to be sure.

To engage in regular security assessments, you should purchase software that evaluates your environment and ensures patches are up to date. Regularly, you should engage in penetration testing or breach attack simulation to see if a third party or current malware threats can get into your system. A study by ESG found that the most successful larger MSPs understood how vital this security issue is and spent significantly more time on cyber hunting and security operations than smaller MSPs.

  3. Trusting Public Wi-Fi

Many people believe that if they have a firewall on their device, they are safe on public Wi-Fi. That assumption is untrue. Since the beginning of the pandemic, the number of people working from public spaces has increased. When on public Wi-Fi, there is no firewall protecting devices from each other. Anyone on that network can find vulnerabilities and spy on your communication. Working from anywhere means that employees are not always working within the privacy and security of their homes.

Everyone should beware of public Wi-Fi and assume everyone on that network can see their activity. OpenVPN reported that 36% of organizations have dealt with a security incident due to an unsecured worker.

There are three steps to make public Wi-Fi more secure. The first is to ensure emails are encrypted so that only the intended recipients can read them. If not encrypted, emails are sent in plain text and are open to exposure. The second is to further lock the internet down by utilizing a VPN. VPNs protect users by keeping their traffic and activity private, hiding it from potential hackers. And finally, using a personal mobile hotspot instead of public Wi-Fi guarantees the user is on a private network. In public, utilize personal mobile hotspots as often as possible.

  4. No Defined Communication Plan

When a disaster occurs and data is compromised, time is of the essence. By the time you are aware of any issues, it is usually too late. Not having a clear communication strategy in the event of a disaster could further damage your company’s reputation. Clients continuing to operate on a breached system could compromise their data. It is essential to get concise information and clear directions to those clients so they can act promptly. It is best to inform them about what happened and how you will remediate it.

Because most companies do not have time to talk to each of their clients, having a crisis communication plan in place is essential. You should know who to contact in the event of a security breach or attack and how you will contact them. It is vital to have multiple communication paths in case emails are disabled or compromised. This process will save time and loss during an emergency while ensuring clients take necessary actions.

  5. Stopping At Security Awareness Training

Many companies know the importance of security training. They teach their teams about phishing emails and the dangers of clicking on a bad link. Employers have taught their employees to keep themselves safe from potential cyber threats, and that is often where security awareness training stops. Security training usually focuses on the individual and not on the entire company. But the education needs to continue with security feedback reporting.

PCMAG.com says phishing attacks have risen by 350% since going remote. This issue is more relevant now than ever. Training your people to identify a problem and report it to internal IT will keep the entire company safe. If your employees went through security training, you are expecting every employee to resist opening a phishing email. But if you create a layered security reporting culture, you only need one person to recognize the email threat and report it to IT. The department will quarantine that email for all employees, thereby removing the threat companywide.

  6. Failing To Automate

People naturally make mistakes, which is why manual tasks are prone to human error. The more functions in a process, the bigger the risk for error and security breaches. Manual procedures that deal with sensitive data, such as onboarding new employees, handling sensitive service tickets, and change management, have a high propensity for risk. That is why lowering the amount of human touch and handoff required in workflows is just as essential as using firewalls and encryption. The only way to effectively reduce the amount of human touch is to automate as much as possible.

The ability to action one task within a single portal and complete an entire process creates chained automation. This automation immediately increases your data security because you remove several touchpoints and eliminate the need to access many portals. Implementing this task automation for all standard processes creates consistency, increases accuracy, and builds a more rigid security program. It will also streamline your license management, increasing efficiencies and creating a better customer experience. The heightened security measures will benefit both you and your customers.

MSPs know the importance of securing their clients’ data and workflows, and their own security is just as important. Being aware of these six mistakes and understanding how to avoid them will help you establish a better internal security practice. Automating processes will lower touch points and handoffs, reducing your level of risk. Your organization will be extra secure, better prepared, and more successful.

Learn more at www.pax8.com.

About The Authors

Ryan Walsh is Chief Product Officer and Craig Donovan is Vice President of Partner Services at Pax8.