By Terry Cole, Cole Informatics
MSPs are no longer just bodyguards when it comes to securing their clients’ businesses against attacks: they now find themselves squarely in the crosshairs. This is the state of play in the aftermath of the particularly headline-grabbing Texas local government ransomware attacks, in which attackers demanded a $2.5 million ransom from multiple municipalities for exposed data in the care of the same compromised MSP. The worst fears of MSPs are now a shade darker, as the nightmare scenario in which a single client succumbs to malware has been outdone by the real risk that an attack on an MSP’s systems could breach the data of every single client.
Smaller MSPs suffer from two distinct disadvantages in the face of this new threat. They have fewer resources with which to implement security tools, putting costly solutions out of reach. At the same time, they’re more likely to suffer a fatal blow to their businesses if an incident with the magnitude of the Texas attacks occurs.
That said, small MSPs have the power to vastly decrease their internal security risks by implementing best practices, even with smaller budgets. Here are five security measures small MSPs should have in place to protect their systems from attackers:
Start By Supporting Employees With Two-Factor Authentication, Access Controls, And Further Safeguards
While it’s true that employees represent the most vulnerable links in the security strategies of both MSPs and their clients, it’s a dangerous (but common) misconception to believe that employees who fall for phishing attacks and other malware schemes are simply dim. Attackers play a percentage game, unleashing their schemes on broad ranges of targets at once, and succeeding with those few unfortunate individuals who are caught at their most vulnerable moment. Casting blame, or believing that your employees are “too smart” to fall for social engineering scams, is counterproductive. What is effective is introducing systems that protect the company even when employees make mistakes.
Small MSPs should utilize two-factor authentication as a safeguard across every system that employees log into so that even if attackers gain an employee’s login credentials they still cannot infiltrate the MSP’s systems. It’s crucial to standardize this and other safeguards across all tools to realize their full potential. For instance, an MSP using Duo two-factor authentication should ensure that any new tools it adds are compatible with Duo to maintain a cohesive security strategy.
On the device security front, we deploy Beachhead’s SimplySecure to encrypt and protect access to our systems and data even when employee devices are lost or stolen. Doing so provides controls to remotely revoke access or delete data from employees’ phones, laptops, and other devices. Considering that we also use two-factor authentication, which hinges on the integrity of phones as the secondary factor, the fact that we can fully secure these devices makes our security strategy that much more layered.
Conduct Employee Trainings With Live Trainers
Even though employee errors may be inevitable – and systems should be built to safely absorb those errors and remain secure – employee trainings still offer a great deal of value by imparting best practices and preparing employees to meet regulatory compliance requirements. For example, MSPs with clients in the healthcare field would be wise to require employee trainings in the complex nuances of safeguarding data and systems in line with HIPAA regulations. Because self-guided trainings can fail to command the attention that they deserve, it’s most effective to bring in live trainers (companies like Compliancy Group and HIPAA Secure Now provide these) and set aside dedicated time for sessions where employees can fully absorb and learn to demonstrate secure and compliant practices.
Introduce Strict Rules That Categorically Forbid Unsecure And Dangerous Shortcuts
MSP staff constantly have their hands full when it comes to workload and face ever-present temptations to save themselves time and simplify challenges through unsecured shortcuts. For example, a technician who is supposed to follow a deliberate and time-consuming procedure to VPN to a secure client server and carefully transfer and update an app file might much prefer to build backdoor access through an unsecured RDP connection. Technicians who take these kinds of dangerous shortcuts always intend to close the doors they open, but when they forget, the consequences are devastating. To effectively bar these bad practices, small MSPs should have severe penalties in place for any technicians who ignore secure procedures – penalties that include terminating employment.
Isolate Systems To Limit The Impact Of Potential Breaches
Small MSPs can prevent the nightmare scenario of an attack that exposes every client’s data by practicing isolation. This means isolating servers and systems from each other, such that an attacker who gains a foothold in one system has no opportunity to escalate the attack or access other areas. To implement isolation, MSPs should inventory and analyze each system from the mindset of an attacker, considering all risks and weaknesses. Then, MSPs should harden those systems by removing all access paths that attackers might use against them.
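The inventory-and-analyze step above can be checked mechanically. The following Python example is added here and is not part of the original article; the system names, client labels and allowed flows are constructed for illustration. It reports, for each system, which clients an attacker with a foothold there could reach over the allowed access paths.

```python
from collections import deque

# Constructed inventory: each system mapped to its owner ("msp" = the provider).
# All names are hypothetical.
OWNER = {
    "tech-laptop": "msp", "rmm-server": "msp", "backup-vault": "msp",
    "clientA-dc": "clientA", "clientA-files": "clientA",
    "clientB-dc": "clientB",
}

# Constructed allowed flows (source, destination, service), as they might be
# transcribed from firewall rules and remote-access configuration.
FLOWS = [
    ("tech-laptop", "rmm-server", "https"),
    ("rmm-server", "clientA-dc", "agent"),
    ("rmm-server", "clientB-dc", "agent"),
    ("clientA-dc", "clientA-files", "smb"),
    ("clientA-files", "backup-vault", "backup"),
    ("backup-vault", "clientB-dc", "rdp"),  # shortcut that was never closed
]

def blast_radius(foothold, flows):
    """Return every system reachable from `foothold` over allowed flows."""
    adjacent = {}
    for src, dst, _service in flows:
        adjacent.setdefault(src, set()).add(dst)
    seen, queue = {foothold}, deque([foothold])
    while queue:  # breadth-first search over the allowed-flow graph
        for nxt in adjacent.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {foothold}

def exposed_clients(foothold, flows, owner):
    """Clients, other than the foothold's own owner, that become reachable."""
    reached = {owner[system] for system in blast_radius(foothold, flows)}
    return reached - {owner[foothold], "msp"}

def isolation_report(flows, owner):
    """Map each system to the other clients reachable from a foothold on it."""
    return {s: sorted(exposed_clients(s, flows, owner)) for s in owner}

if __name__ == "__main__":
    for system, clients in isolation_report(FLOWS, OWNER).items():
        print(f"{system:14} -> {', '.join(clients) or 'isolated'}")
```

Re-running the report after removing a flow shows whether that change actually cuts the cross-client path; any MSP-owned system that still lists every client is a single point of compromise and deserves the strictest controls.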
Implement Effective And Affordable External Security Solutions
When it comes to choosing whether to build security tools in-house or purchase external solutions, the high quality of security tools available on the market today makes those decisions simple for small MSPs. For example, a robust endpoint security solution like Cylance or SentinelOne (paired with human oversight) can more or less eliminate endpoint infections and is much better than what even midsize MSPs could hope to achieve alone.
Finally, it’s important to remember that implementing effective security solutions and practices provides a double value for MSPs: those same tools and techniques that ensure the MSP’s security can be further leveraged to win new clients, by demonstrating the MSP’s competitively stronger understanding of what it takes to not become the next headline.
About The Author
Terry Cole is the Founder of Cole Informatics, an IT professional services and support company in West and Middle Tennessee.