
6. Deprecate obsolete accounts and infrastructure. Both MSPs and customers should periodically review their internet attack surface and take steps to limit it, such as disabling user accounts when personnel transition.
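One way to operationalize the periodic account review described above, as an added example that is not part of the advisory: take an export of directory accounts together with the personnel status from HR, and flag enabled accounts whose owner has departed, that have never been used, or that have been idle longer than a chosen threshold. The account records, the `hr_status` field and the 90-day idle threshold are all constructed assumptions; a real review would read them from the identity provider and the HR system.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample account export (not from any real directory). In practice these
# records would come from an identity provider or directory export joined with HR data.
ACCOUNTS = [
    {"user": "alice",      "enabled": True,  "last_login": "2024-05-01T09:12:00Z", "hr_status": "active"},
    {"user": "bob",        "enabled": True,  "last_login": "2023-11-20T17:40:00Z", "hr_status": "terminated"},
    {"user": "carol",      "enabled": True,  "last_login": "2024-01-03T08:00:00Z", "hr_status": "active"},
    {"user": "svc-backup", "enabled": True,  "last_login": None,                   "hr_status": "service"},
    {"user": "dave",       "enabled": False, "last_login": "2023-06-15T12:00:00Z", "hr_status": "terminated"},
]

# Fixed review date so the example is reproducible (an assumption for this example).
REVIEW_DATE = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T09:12:00Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_accounts(accounts, now, max_idle_days=90):
    """Return (user, reason) pairs for enabled accounts that should be disabled or reviewed.

    Disabled accounts are skipped: they are already out of the attack surface.
    """
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = parse_ts(acct["last_login"])
        if acct["hr_status"] == "terminated":
            # Personnel transition happened but the account was never disabled.
            findings.append((acct["user"], "personnel departed but account still enabled"))
        elif last is None:
            # Never used: confirm it has an owner and a purpose before keeping it.
            findings.append((acct["user"], "never logged in; confirm owner and need"))
        elif last < cutoff:
            findings.append((acct["user"], f"idle for more than {max_idle_days} days"))
    return findings


if __name__ == "__main__":
    for user, reason in review_accounts(ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {reason}")
```

Service accounts with no interactive logins will show up under "never logged in"; that is intentional, since an unowned service account is exactly the kind of obsolete credential the review is meant to surface, and the reviewer can whitelist the ones that are still needed.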
7. Apply updates. Organizations should update software, including operating systems, applications, and firmware. Prioritize applying security updates to software containing known exploited vulnerabilities. (This also means removing unsupported operating systems, software, and devices when they reach end-of-life and no longer receive security updates.)
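As an added example (not the advisory's own tooling) of the prioritization this item calls for: match a software inventory against vulnerability records, rank anything marked as known exploited first, then products that have reached end-of-life and will never receive a fix, then the rest by severity. The inventory, the vulnerability records and the CVE-style identifiers below are constructed placeholders, and the dotted-integer version comparison is a simplification; real products use a variety of version schemes.

```python
# Constructed inventory of installed software (hosts and versions are made up).
INVENTORY = [
    {"host": "web01", "product": "ExampleWebServer", "version": "2.4.1", "eol": False},
    {"host": "db01",  "product": "ExampleDB",        "version": "11.2",  "eol": False},
    {"host": "fs01",  "product": "LegacyOS",         "version": "7.0",   "eol": True},
    {"host": "app01", "product": "ExampleWebServer", "version": "2.5.0", "eol": False},
]

# Constructed vulnerability records in the spirit of a known-exploited-vulnerabilities
# catalogue. The CVE-0000-* identifiers are placeholders, not real entries.
VULNS = [
    {"id": "CVE-0000-0001", "product": "ExampleWebServer", "fixed_in": "2.4.3",
     "known_exploited": True,  "cvss": 9.8},
    {"id": "CVE-0000-0002", "product": "ExampleDB",        "fixed_in": "11.3",
     "known_exploited": False, "cvss": 7.5},
    {"id": "CVE-0000-0003", "product": "ExampleWebServer", "fixed_in": "2.6.0",
     "known_exploited": False, "cvss": 5.3},
]


def version_key(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically (simplified scheme)."""
    return tuple(int(part) for part in version.split("."))


def build_patch_plan(inventory, vulns):
    """Return patch/retire actions ordered by urgency.

    Tier 0: vulnerability marked as known exploited.
    Tier 1: product is end-of-life, so no security updates will ever arrive.
    Tier 2: remaining vulnerabilities, highest CVSS first.
    """
    plan = []
    for item in inventory:
        if item["eol"]:
            plan.append({"host": item["host"], "ref": "EOL",
                         "action": f"retire {item['product']} {item['version']} (end-of-life)",
                         "rank": (1, 0.0)})
            continue
        for v in vulns:
            if v["product"] != item["product"]:
                continue
            if version_key(item["version"]) < version_key(v["fixed_in"]):
                tier = 0 if v["known_exploited"] else 2
                plan.append({"host": item["host"], "ref": v["id"],
                             "action": f"update {item['product']} to {v['fixed_in']} or later",
                             "rank": (tier, -v["cvss"])})
    plan.sort(key=lambda entry: entry["rank"])   # stable: ties keep inventory order
    return plan


if __name__ == "__main__":
    for entry in build_patch_plan(INVENTORY, VULNS):
        print(f"{entry['host']:6} {entry['ref']:14} {entry['action']}")
```

Firmware can be fed through the same function by listing devices as inventory items; the point of the ranking is that the known-exploited entry on web01 lands at the top even though another host carries a higher count of findings.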
8. Back up systems and data. Organizations should regularly update and test backups—including “gold images” of critical systems in the event these need to be rebuilt.
Organizations should base the frequency of backups on their recovery point objective (RPO). (Backup processes should also be tested to ensure they can meet the recovery time objective, or RTO.)
Store backups separately and isolate them from network connections that could enable the spread of ransomware; many ransomware variants attempt to find and encrypt/delete accessible backups.
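The three checks in this item (backup age against the RPO, an isolated copy that ransomware on the network cannot reach, and a tested restore that fits within the RTO) can be run as one review over a backup catalogue. The example below is added here and is not part of the advisory; the catalogue records, the `offline_copy` flag and the restore-test timings are constructed assumptions standing in for what a backup platform would report.

```python
from datetime import datetime, timedelta, timezone

# Constructed backup catalogue (not real data): one record per protected system.
# last_restore_test_hours is how long the most recent full restore test took, or None
# if a restore has never been exercised.
BACKUPS = [
    {"system": "erp-db",        "last_backup": "2024-05-09T22:00:00Z", "rpo_hours": 4,
     "offline_copy": True,  "last_restore_test_hours": 3.0,  "rto_hours": 6},
    {"system": "fileshare",     "last_backup": "2024-05-08T01:00:00Z", "rpo_hours": 24,
     "offline_copy": False, "last_restore_test_hours": None, "rto_hours": 12},
    {"system": "ad-gold-image", "last_backup": "2024-04-30T03:00:00Z", "rpo_hours": 168,
     "offline_copy": True,  "last_restore_test_hours": 20.0, "rto_hours": 8},
]

# Fixed review time so the example is reproducible (an assumption for this example).
REVIEW_TIME = datetime(2024, 5, 10, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-09T22:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_backups(catalogue, now):
    """Return {system: [issues]} where an empty list means the record passed every check."""
    findings = {}
    for rec in catalogue:
        issues = []
        # RPO: the newest backup must be no older than the tolerated data-loss window.
        age = now - parse_ts(rec["last_backup"])
        if age > timedelta(hours=rec["rpo_hours"]):
            issues.append("RPO missed")
        # Isolation: a copy that is reachable over the network can be encrypted or deleted
        # alongside the production data.
        if not rec["offline_copy"]:
            issues.append("no isolated copy")
        # RTO: a backup nobody has restored is an untested assumption, and one that restores
        # too slowly does not meet the recovery objective.
        test_hours = rec["last_restore_test_hours"]
        if test_hours is None:
            issues.append("restore never tested")
        elif test_hours > rec["rto_hours"]:
            issues.append("RTO missed in last restore test")
        findings[rec["system"]] = issues
    return findings


if __name__ == "__main__":
    for system, issues in check_backups(BACKUPS, REVIEW_TIME).items():
        print(f"{system}: {'OK' if not issues else ', '.join(issues)}")
```

The gold-image record is the instructive one: its weekly RPO is generous, yet it still fails because the image is stale and its last restore test took longer than the eight hours the recovery plan allows, which is exactly what the RTO test in the item above is meant to catch before a rebuild is needed.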
9. Develop and exercise incident response and recovery plans. Incident response and recovery plans should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
Organizations should maintain up-to-date hard copies of plans to ensure responders can access them should the network be inaccessible (e.g., due to a ransomware attack).
10. Understand and proactively manage supply chain risk. All organizations should proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.
11. Both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities. MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.
Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract.
12. Manage account authentication and authorization. All organizations should adhere to best practices for password and permission management.