December 16, 2025 | Chris Binnie

7 Essential Steps to Protect Yourself Amid the Surge in Credential Leaks

Learn how to combat data breaches with these seven vital practices that help secure sensitive information and prevent losses.

These days, it feels like every week brings news of another major data breach. The recent so-called largest credential breach in history is a stark reminder that usernames, passwords, and other types of sensitive data (like postal addresses, social security numbers, and telephone numbers) are constantly traded and sold on the dark web or exposed online.

For MSPs, the stakes are especially high. Just one compromised set of credentials can lead to a chain reaction of data loss, downtime, and reputational harm not only for your clients, but for your own business.

While you can’t control whether a breach happens elsewhere, you can take decisive steps to protect your own accounts. You can also assist your customers in doing the same.

Avoid Data Breaches with These Best Practices for MSPs

Here are seven essential best practices to adopt and share with your clients.

1. Use Unique Passwords for Every Account

It sounds basic, but password reuse is still one of the biggest weaknesses in personal security. If a single site is breached and you’ve used the same password elsewhere, attackers can use it against your other accounts.

Action Steps for MSPs

  • Encourage customers to use a password manager, so they don’t have to remember dozens of complex passwords. Notably, when interacting with online services, a password manager will also warn users if they are about to send their credentials to a website that the password manager doesn’t recognize.
  • Offer training sessions to show how password managers can integrate with browsers and mobile devices.

2. Embrace Multi-factor Authentication (MFA)

MFA adds an extra layer of protection by requiring a second factor, such as a code from an authenticator app, a text message, or a hardware security key. This is in addition to your password. Even if a password is stolen, the attacker can’t log in without the second factor.

Action Steps for MSPs

  • Make MFA mandatory for all admin and user accounts. No exceptions.
  • Recommend authenticator apps or hardware tokens over text messages, which are more susceptible to interception.

3. Monitor for Compromised Credentials

You can’t defend yourself or your clients against what you don’t know. Services such as Have I Been Pwned and commercial dark web monitoring tools can alert you if credentials tied to your email address have been exposed.

Action Steps for MSPs

  • Offer dark web monitoring as an add-on service for clients. Pro tip: Use a dark web monitoring service like Dehashed.com, one of the most comprehensive services available. This can be integrated with your systems using automation, an excellent added value for your clients.
  • Build automated alerts into your security dashboards for your own systems. With these, you can respond quickly to credential exposure.

4. Avoid Using Personal Email for Business Accounts

Mixing personal and business accounts is a recipe for trouble. If a personal account is compromised, attackers often try the same credentials on corporate systems.

Action Steps for MSPs

  • Require employees to use company-issued email addresses for all work-related accounts.
  • Enforce strong password policies across both email service and SaaS logins.

5. Be Wary of Phishing, the Top Attack Vector

Credential leaks often start with phishing: convincing emails or texts that trick you into handing over your login details. The most advanced MFA setup won’t help if you willingly give away your credentials on a fake login page.

Action Steps for MSPs

  • Run simulated phishing campaigns to train employees to spot suspicious messages.
  • Implement email filtering and link scanning tools to reduce phishing attempts before they reach inboxes.

6. Use Role-based Access Control (RBAC) for Sensitive Systems

Not everyone needs access to everything. Limiting permissions reduces the blast radius if credentials are stolen.

Action Steps for MSPs

  • Regularly audit user access rights and remove unnecessary privileges. Educate users to inform system operators if they notice any access permissions that seem out of the ordinary.
  • Segment administrative duties so that no single account has full control over all systems.

7. Act Quickly When a Breach Is Suspected

Speed matters. The faster you respond to a leaked credential, the less chance attackers have to exploit it.

Action Steps for MSPs

  • Establish a documented incident response plan (IRP) that includes password resets, MFA re-enrollment, and activity log reviews.
  • Educate clients on how to escalate suspected compromises immediately.
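
The checks from steps 2, 3, 4 and 6 can run as one recurring account audit that also emits the step 7 response actions for any exposed account. The Python script below is an added example, not code from the article; the account inventory, the domain names and the exposed-address set are constructed sample data standing in for an identity-provider export and a breach-monitoring feed.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not from the article).
COMPANY_DOMAIN = "example-msp.test"
ALL_SYSTEMS = {"rmm", "psa", "backup", "m365"}

@dataclass
class Account:
    email: str
    mfa: str                      # "none", "sms", "app" or "hardware"
    admin_on: set = field(default_factory=set)

ACCOUNTS = [
    Account("alice@example-msp.test", "hardware", {"rmm", "psa"}),
    Account("bob@example-msp.test", "sms", {"backup"}),
    Account("carol@example-msp.test", "app", {"rmm", "psa", "backup", "m365"}),
    Account("dave@personal-mail.test", "none", set()),
]

# Constructed stand-in for a breach-monitoring feed: addresses seen in a leak.
EXPOSED = {"bob@example-msp.test", "dave@personal-mail.test"}

def audit(account, exposed=EXPOSED):
    """Return the findings for one account, most urgent first."""
    findings = []
    email = account.email.lower()
    if email in exposed:
        # Step 7: the incident response actions named in the article.
        findings.append("EXPOSED: reset password, re-enroll MFA, review activity logs")
    if account.mfa == "none":
        findings.append("NO_MFA: enroll an authenticator app or hardware key")
    elif account.mfa == "sms":
        findings.append("SMS_MFA: move to an authenticator app or hardware key")
    if not email.endswith("@" + COMPANY_DOMAIN):
        findings.append("PERSONAL_EMAIL: switch to a company-issued address")
    if account.admin_on >= ALL_SYSTEMS:
        # One account administering every system defeats duty segmentation.
        findings.append("FULL_CONTROL: split admin duties across accounts")
    return findings

def report(accounts=ACCOUNTS):
    """Map email -> findings, listing only accounts that need action."""
    results = {a.email: audit(a) for a in accounts}
    return {email: f for email, f in results.items() if f}

if __name__ == "__main__":
    for email, findings in report().items():
        print(email)
        for finding in findings:
            print("  -", finding)
```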

Why MSPs Must Lead by Example

MSPs are in a unique position of trust. You manage your own business’s credentials, and you also have access to some of your clients’ most critical systems. A single compromised MSP account can open the door to dozens of breaches at once.

Leading by example means demonstrating strong credential hygiene internally and actively educating your clients to adopt the same measures. This goes beyond just good security practice. It’s a competitive advantage that can set you apart in the MSP market.

Bottom Line

Credential leaks aren’t going away, but their impact can be drastically reduced with the right preventive measures. For MSPs, protecting credentials is not just an IT issue; it’s a business imperative.

Share these best practices with your clients and enforce them internally. Armed with these, you’ll be far better positioned to weather the next headline-grabbing data breach.


Chris Binnie is an Edinburgh, U.K.-based cloud native security consultant and author. He has worked with critical online infrastructure for almost three decades. He has written three cybersecurity books, as well as for Linux.com, Linux Magazine, and ADMIN Magazine.

Featured image: Adobe Stock
