A core role for MSPs is to protect clients from phishing attacks. However, according to Chris Barber, many don’t take all the necessary steps to protect their own operations.
“There are a lot of MSPs out there doing great things in security [for clients] but not internally — which is terrible,” said the chief nerd at Cheaper Than a Geek.
This seems ironic, because if an MSP is breached, the consequences can be devastating, Barber added. “We are far and away a hacker’s dream come true.”
Most MSPs use remote monitoring and management systems (RMMs) to work with clients. If a hacker penetrates just one, “It would absolutely be the worst thing in the world,” he said. “I have heard of MSPs who have been on the receiving end of [a malware attack] that don’t exist anymore.”
A Massive In-house Risk
The prospect of a malware attack is terrifying because anyone can be targeted. And in one errant mouse click, “It’s all over,” Barber noted.
Shidarion Clark agreed. The engineer at 1 Sync Technologies said MSPs hold the keys to a great deal of sensitive data across client environments. “When attackers manage to compromise an MSP, that gives them a gateway to [their] customers … raising the possible impact significantly.
“Moreover, this grants MSPs administrative privileges, which literally implies they can access privileged systems, ultimately making them very attractive targets.”
How Phishing Attacks Have Changed
Resilient IT President Kevin Mann isn’t “super huge on AI.” That said, he knows that AI and machine learning are being used in many if not all phishing attacks.
Phishing emails no longer contain broken English, and attackers use realistic fake images to make a message look legitimate. It’s important that MSPs fight fire with fire; they must fight back with the same AI tools they use to support clients, Mann stressed.
Clark echoed that, saying deepfake phishing — AI-generated content in the form of voice recordings or videos mimicking a real person — lends further credibility to a hacker’s scams.
Another emerging technique is phishing as a service (PhaaS), where the attacker leases phishing infrastructure, drastically lowering the barrier to entry for complex, sophisticated phishing campaigns, Clark said.
Vishing, or voice phishing, is an attack where a hacker calls someone pretending to be tech support or a government agent. The purpose is to trick users into divulging sensitive information or providing access to accounts, he said.
One of the most common phishing attacks is business email compromise (BEC). This is when hackers impersonate executives or trusted partners to pressure the recipient into hasty actions, such as transferring funds or sensitive information.
Critical Measures MSPs Can Take to Be Secure
Barber and Mann both advocated for doing the same simulated phishing attacks with internal staff that they do for clients.
If someone clicks on a suspicious link, Barber sends a prepackaged training video so the employee can see where they went wrong. “I would even go so far as to terminate someone” if they continued clicking on unfamiliar links. “Email is a huge security vector,” Barber insisted.
Meanwhile, Resilient IT has several government contractor clients, so it uses a certain type of awareness training on a regular basis, Mann said. “Micro trainings once a year don’t cut it anymore.”
Mann also instituted monthly phishing and awareness tests internally with a video-based test at the end. Employees are not informed in advance, to keep them on their toes, Mann said. However, he added, “We don’t strive for perfection [and] honesty. If you get something wrong, educate yourself.”
Implementing Comprehensive Anti-Phishing Defenses
Along with continuous staff training, Clark suggested several other steps MSPs should take to ensure a secure environment. For one thing, a Zero Trust architecture ensures that no device or user is trusted by default. Along with that, continuous authentication helps prevent lateral movement. Additionally:
- Advanced Threat Detection: Tools using machine learning (ML) to detect and respond to anomalies that may indicate a phishing attack.
- Multifactor Authentication (MFA): MFA applied to all access points, especially email and administrative accounts, can minimize the risk posed by compromised credentials.
- Endpoint Security: State-of-the-art endpoint detection and response (EDR) systems and controls will monitor and automatically respond to malware-based phishing attacks.
- Email Filtering and Protection: Apply innovative email security tools capable of filtering out phishing attempts, including real-time attachment and link scanning.
“By following these guidelines, a more flexible and robust security culture will complement the technical defenses that would diminish the chances that MSPs become victims of a phishing attack,” Clark concluded.