Today’s MSPs can glean a key cybersecurity lesson from the masons and architects who constructed castles in the medieval age: the importance of a layered defense.
These castles were designed with outer protection and deterrents, including a moat and drawbridge. Beyond the outer wall was an inner wall, and past that, an isolated tower. These various layers of protection made it difficult for enemies to breach.
As a modern security-minded MSP, your client is your castle. But when MSPs put all their resources into the moat — with all tools and policies focused on preventing incursions and attackers from accessing client data in the first place — they don’t have safeguards at the next level. As threats get more complex, that’s a big problem.
Attackers Will Cross the Moat
There are many of examples of how threat attackers can expose an organization’s security weakness. Take this one, where a company in the oil and gas industry that took security seriously had nearly ironclad protections preventing unauthorized access to its data.
However, the security team overlooked one point-of-entry gap in the company’s armor: a postal meter. One day, attackers entered the company’s network through that endpoint. Then, they accessed its data with little further resistance. Following the breach, an MSP was hired to handle the aftermath and implement the layered security that the company should have had in the first place.
The lesson: It takes something as simple as a postal meter to allow today’s attackers a way to cross the moat.
Cam Roberson
To block out clever attackers, you need a layered cybersecurity strategy, including layered encryption and access controls. MSPs that implement this strategy can provide far more effective protection to their existing clients. They also will be more likely to win new business.
Implement Data Segmentation
A best practice and essential component of layered security is the principle of least-privilege access.
Any cybersecurity breach can become a full-scale disaster for organizations that grant broad access to all company data with one employee’s login credentials. Giving employees only the data they need to do their specific jobs minimizes the threat surface each employee represents.
For this reason, regulatory compliance rules from HIPAA to CMMC 2.0 to the FTC Safeguards Rule require least-privilege access controls. This can position you to win clients that need help adhering to those frameworks. Someone in your client’s marketing department should not need to view HR records, IT data, or the CEO’s emails — even if they have admin privileges.
Use Layered Encryption to Withstand Network-borne Attacks
Every day, one out of every 200 PCs gets hit with a cyberattack. If attackers bypass your client’s network firewall and log into a secured PC remotely, all data protected with system-level encryption (such as Bitlocker) is decrypted and fully exposed.
In contrast, layered encryption ensures that a network breach doesn’t have to mean a data breach. By encrypting data at the device level as well, successful brute force attacks crossing the moat of your client’s network will only find that each PC and device is a castle unto itself.
Empowered: How to Defeat Ransomware Threats
As an MSP, protecting clients with layered encryption can also position you to play the cybersecurity hero when ransomware strikes.
Traditionally, ransomware attackers attempt to stop a company from accessing its own data by encrypting it. Then, they extort a payment from the company to give the data back. MSPs can block this strategy by ensuring that their clients have protected data backups. This would give them the ability to easily restore the systems and data without paying a ransom.
That said, today’s threat actors have an alternative. If they can’t keep a company from its data, they threaten to sell or release sensitive exposed data on the dark web unless they receive payment.
Clients with MSP-provided layered encryption need not worry. They actually hold the encryption advantage. Attackers cannot read any of the data they’ve locked down.
Don’t Fear the Breacher
Companies face a range of potential threats. They often worry about experiencing a breach that exposes secrets and sensitive customer data or dealing with the regulatory fines and reputational damage that follow.
Just as castles have ironclad protection, MSPs must provide effective layered security. With this, they can offer their clients confidence in their ability to fight against breaches — and the subsequent peace of mind.
Cam Roberson is the channel director at Beachhead Solutions. He has spent 18 years in the MSP cybersecurity space, after launching his career as a product manager at Apple.
Featured image: DALL-E
