While you’re busy handling the security for your customers, your own internal security may get neglected. October is cybersecurity awareness month, and we wanted to remind you of the importance of covering your own internal security. The article below offers some tips.
The Dangers Within
You’ve just started having success with your MSP. For the first few months, you ran a break/fix shop, but you’ve recently picked up more managed services contracts with monthly recurring revenue. Things are looking up.
Then, one day, all your customers’ systems go offline at once. They’re panicking, and you don’t know where to start. At this point, you have to spend hours (and money) restoring systems and data to full capacity. Your customers are mad, and some are considering leaving.
Unfortunately, someone managed to hack into your network and systems. They’ve helped themselves to customer credentials and are now actively attacking your customer base. You spent significant time securing and setting up customers, but missed an essential step in your own security. In short, you spent time putting security cameras, deadbolts, and extra locks on others’ buildings, but forgot to lock your own doors.
Part of being successful these days means securing everything as best you can—not only your customers, but also your own systems. In this article, we’ll talk about the business impacts of not securing your MSP—as well as steps to keep your own house in order.
Threats to MSPs
It’s a dangerous cyberlandscape for everyone—individuals, small brick-and-mortar businesses, large enterprises, and governmental organizations. Lately, cybercriminals have increasingly gone after MSPs as a value-rich target. If they attack one MSP, they can gain access to multiple businesses—all with valuable data to steal.
This isn’t theoretical. The Department of Homeland Security (DHS) issued a warning in October 2018 about attacks focusing on MSPs [1]. While DHS issues alerts potentially affecting wide groups of victims, individual attacks against MSPs can occur as well. If you have data, cybercriminals will want to use it to turn a profit.
Your security is intertwined with your customers’ security. If you get breached, they will get breached, too. If you don’t continuously focus on your own internal security, you could end up:
- Gaining a bad reputation: Businesses talk. Odds are good many customers come to you via word-of-mouth. If you lose a customer because you were hacked, they’re unlikely to feed your referral engine. They may even actively warn colleagues away from your business.
- Paying heavy costs: Breaches cost money. For starters, it takes time and resources to restore systems and data to full health. Also, if one of your customers works in a regulated industry, you may need to spend money discovering the extent of the breach—and you could face punishing compliance fines.
- Losing customers: If you’re a breach victim and your customers lose data, money, or time, you could fail to keep the customer altogether. Even if it’s due to an industry-wide cyberattack over which you have no control, customers rarely like excuses. So, make sure you treat your security as seriously as you would one of your customers.
With this in mind, what do you do?
Establishing a Secure Culture
Security should be woven into the DNA of your company. This means setting the right policies, hiring smartly, and using the right tools to make security part of everything you do. Below are some tips to help you get started:
Practice the Fundamentals
Focus on your own cyberhygiene. In particular, make sure to use:
- Patch management: Patching is security 101. Once a vulnerability is discovered, it doesn’t take long for cybercriminals to create an exploit. Keep your machines and software up-to-date with the latest critical patches, just as you would for your customers.
- Backup: If you lose your own data or access to your own systems, you can’t adequately support customers when they need it. The last thing you want is a customer facing a major technical issue who can’t get support because you’re dealing with a ransomware attack internally. Make sure to back up your own data with a good, cloud-based backup solution to help ensure everything will be there when you need it.
- Endpoint protection: Earlier in the article, we mentioned a DHS warning about attacks on MSPs. The attackers primarily relied on living-off-the-land techniques, which abuse legitimate, built-in system tools and processes rather than dropping their own malware. Traditional antivirus wouldn’t catch these attacks because AV typically focuses on malicious files, not legitimate system processes. An AI-driven endpoint protection solution can better help you handle these attacks.
- Email security: Most cyberattacks get delivered via email. It’s a cheap, easy way to target victims, and all it takes is one tired employee clicking a bad link to infect your business or give away important user credentials. Make sure to bolster the native security in your email system with an additional solution designed to deal with spam and other email threats.
Focus on Physical Security
If you’re looking to rent office space, try to choose a place that has physical security measures, like a night watchman, and requires keys, badges, or biometric scanners to enter the building. Security cameras can help as well, especially if you ever need evidence of someone stealing something from the building.
Additionally, make sure to train technicians to avoid opening doors for people who aren’t active employees. Even former employees should require permission before entering the building—you never know if that person plans on gaining access to systems or sensitive information for personal gain.
Consider Hiring and Turnover
Unfortunately, insider attacks do happen. As much as you want to trust the people around you, you can never tell when someone is hiding a malicious agenda. For starters, when hiring, always run background checks. Even if the person was highly recommended by people you already trust, you should still do this as a practice.
When employees leave, collect all badges and devices and shut down account access. You don’t want someone logging in a few days after being let go and collecting some customer data to resell as a severance package.
Focus on BYOD and WFH Policies
You’ll have to make your own decision on a bring-your-own-device (BYOD) policy. Anything that uses corporate resources increases risks, so make sure any device brought onto the network has appropriate security safeguards set up. You may want to consider setting up a separate wireless network specifically for external devices.
Additionally, strongly consider how you’ll set up your work-from-home and work-from-the-road policies. For example, you may want to require employees to sign in via VPN to access corporate resources from outside your network. With the amount of travel required these days, it’s not uncommon for people to log in from unsecured networks at airports, coffee shops, or hotels. Even if the network has a password on it, anyone who knows that password shares the network with you and may be able to reach your device. Password protected doesn’t always mean secure—so be smart.
Emphasize a "Safety First" Culture
Despite the number of tickets your team likely fields on a given day, employees in organizations can often be reluctant to bother IT staff. Your team may feel the same way about raising security issues with management.
Make sure to positively encourage reporting potential security issues. For example, if they receive an email that looks suspicious, they should be willing to either mark it as spam or talk to the person in charge of administering your email system. Even if you get 49 false positives, your business is too important to risk missing the single real threat. Also, this goes double for people practicing bad security habits, like writing passwords in plain view or bringing unsecured devices to the office. Make sure to emphasize to your team members that they won’t get anyone in trouble if they report; rather, just tell them you’ll use the opportunity to keep the entire team in check.
Hold Frequent Security Trainings
Hopefully, you already offer some security training for your customers. It’s even more important to hold security trainings for your own team. They should be aware of best practices for security, even if they don’t work primarily on security.
And, don’t stop at a single security training session—consider holding more frequent, less time-intensive refresher courses. You could hold lunch and learns, set up 30-minute monthly recurring meetings, or even send emails with quick tips to the team. Encourage employees to send interesting or important articles on security best practices to the rest of the team. This provides the additional benefit of offering job training in security to more junior staff members.
Implement Least Privilege
Employees should have access only to the resources they need to do their jobs. If someone doesn’t work on a specific account, there’s no reason for them to access that account’s systems or data. When you set up new employees, make sure to keep their access on a "need-to-use" basis. Over time, as employees’ job functions change, they can sometimes retain access to information they no longer need. So make sure to periodically audit user permissions.
This isn’t just about preventing malicious insiders—it’s also about preventing mistakes. Technicians can sometimes expose data, whether it’s due to accidentally sharing information via email or copying information to an unsecured device. If you adhere to the least privilege principle, you will at least restrict the amount of damage they could potentially do.
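The periodic permission audit described above, together with the offboarding check from the hiring and turnover section, can be reduced to a simple access review: compare every current grant against the HR roster and each person’s assigned customer accounts. The script below is an added example, not SolarWinds code; the roster and grant export are constructed sample data, and MAX_IDLE_DAYS is an assumed threshold.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

MAX_IDLE_DAYS = 90  # assumed threshold: grants unused longer than this are flagged

@dataclass
class Employee:
    user: str
    active: bool                # False once the person has left the company
    assigned: FrozenSet[str]    # customer accounts this person currently works on

@dataclass
class Grant:
    user: str
    account: str                # customer account the grant gives access to
    last_used: Optional[date]   # None means the grant has never been used

def review(employees: List[Employee], grants: List[Grant], today: date) -> List[Tuple[str, str, str]]:
    """Return (user, account, reason) for every grant violating least privilege: departed or
    unknown users, access outside assigned accounts, and grants idle longer than MAX_IDLE_DAYS."""
    roster = {e.user: e for e in employees}
    findings = []
    for g in grants:
        emp = roster.get(g.user)
        if emp is None or not emp.active:
            findings.append((g.user, g.account, "departed or unknown user still has access"))
        elif g.account not in emp.assigned:
            findings.append((g.user, g.account, "not assigned to this customer account"))
        elif g.last_used is None or (today - g.last_used).days > MAX_IDLE_DAYS:
            findings.append((g.user, g.account, f"unused for more than {MAX_IDLE_DAYS} days"))
    return findings

EMPLOYEES = [  # constructed HR roster: carol has left the company
    Employee("alice", True, frozenset({"acme", "globex"})),
    Employee("bob", True, frozenset({"initech"})),
    Employee("carol", False, frozenset()),
]
GRANTS = [  # constructed export of current grants
    Grant("alice", "acme", date(2019, 8, 1)),     # assigned and recently used: fine
    Grant("alice", "initech", date(2019, 8, 10)), # alice is not assigned to initech
    Grant("bob", "initech", date(2019, 2, 1)),    # assigned, but idle for months
    Grant("carol", "globex", date(2019, 7, 30)),  # carol has left; access never removed
    Grant("dave", "acme", None),                  # nobody on the roster named dave
]
TODAY = date(2019, 8, 15)

if __name__ == "__main__":
    for user, account, reason in review(EMPLOYEES, GRANTS, TODAY):
        print(f"{user:6} {account:8} {reason}")
```

Run against a real export, the roster would come from HR and the grants from your RMM or password manager; every finding is a grant to revoke or justify.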
Select Tools Wisely
Many security teams attempt to vet the software solutions they use before they’re approved for corporate use. Poor development practices could easily lead to allowing criminals to gain a foothold in the organization. If you choose something for your business, such as an RMM, backup, or password management tool, gain as much information as you can about the vendor’s security practices. When you first start out as an MSP, you may be tempted to use cheap or even free tools. You should know their creators rarely invest in security protocols the way bigger vendors do. While it may seem like an added expense, choose paid tools where you can to help minimize your risk.
Practice Proper Password Management
Unfortunately, not everyone is vigilant about their passwords. According to a survey presented at Infosecurity Europe, 45% of security professionals re-use passwords across multiple accounts [2]. This wasn’t just IT professionals; these were specialized security pros. As you probably know, this is an absolute no-no in security. But security experts are humans, too, and may cut corners at times. It’s human nature. How often have you seen IT admins write passwords on post-its and keep them under their keyboards—or store plain-text passwords in a spreadsheet?
Instead, make sure to remind people of the importance of creating unique, strong passwords for their accounts. A good password management solution can help your team generate strong passwords and access customer systems and accounts without needing a world-class memory. Also, make sure to periodically force users to change passwords to avoid credentials getting stale.
Protecting Your MSP
At the end of the day, your MSP’s security is interlinked with that of your customers. If you get breached, they’re likely to follow. This can have serious impacts on your business, and could potentially cause you to shutter your doors. So make sure to spend as much time and energy on your own security as you do for your clients.
About SolarWinds Passportal
As mentioned previously, strong password practices are essential for keeping your MSP business and your customers secure. SolarWinds® Passportal is a cloud-based password management solution built to help MSPs create and securely store passwords for their entire customer base. Beyond that, it allows you to generate strong passwords, grant or revoke access to accounts quickly, and automate password changes for your team. Learn more by visiting passportalmsp.com today.
About SolarWinds MSP
SolarWinds (NYSE:SWI) is a leading provider of powerful and affordable IT infrastructure management software. Our products give organizations worldwide, regardless of type, size or IT infrastructure complexity, the power to monitor and manage the performance of their IT environments, whether on-premises, in the cloud, or in hybrid models. We continuously engage with all types of technology professionals—IT operations professionals, DevOps professionals, and managed service providers (MSPs)—to understand the challenges they face maintaining high-performing and highly available IT infrastructures. Targeted for MSPs, the SolarWinds MSP product portfolio delivers broad, scalable IT service management solutions that integrate layered security, collective intelligence, and smart automation. Our products are designed to enable MSPs to provide highly effective outsourced IT services for their SMB end customers and more efficiently manage their own businesses. Learn more today at solarwindsmsp.com
The SolarWinds and SolarWinds MSP trademarks are the exclusive property of SolarWinds MSP Canada ULC, SolarWinds MSP UK Ltd. or its affiliates and may be registered or pending registration with the U.S. Patent and Trademark Office and in other countries. All other SolarWinds MSP and SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.
[1] "Advanced Persistent Threat Activity Exploiting Managed Service Providers," CISA, Department of Homeland Security. us-cert.gov/ncas/alerts/TA18-276B (Accessed August 2019).
[2] "Nearly Half of Security Pros Reuse Passwords," DarkReading. darkreading.com/endpoint/nearly-half-of-security-pros-reuse-passwords-/d/d-id/1332314 (Accessed August 2019).