You don’t achieve security, says Kyle Hanslovan, “you have to constantly earn it.” Continually reassessing and verifying your security posture is critical, stresses the CEO of Huntress Labs, a provider of managed threat detection and response services. However, he says, “We’re not seeing MSPs do that. And we’re definitely not seeing that happen in the clients’ networks.”
With cybercrooks increasingly targeting MSPs for attack, it’s more critical than ever to adopt best practices to defend yourself, and by extension, your clients.
Jayson Ferron, chief technologist at Interactive Security Training, agrees that a lot of MSPs are not following good security hygiene. “I hate saying this, but it’s the truth,” he sighs. “We know that from the forensics, but the MSP is not telling the customer, ‘Hey, it’s my fault.’ But it really is your fault because you didn’t follow good behavior internally.”
Even more troubling, some MSPs are not being transparent when there is a breach, either in their own networks or their clients’, says Jason Coffer, principal of the Coffer Group, a San Francisco-based IT and cybersecurity solutions provider. “They know about something, but they hope no one will notice. In this industry, people always eventually notice.”
The Threat
The October 2019 research report Under Attack: The State of MSP Cybersecurity in 2019, commissioned by Continuum (acquired by ConnectWise that same month) and conducted by Vanson Bourne, found that 74% of MSPs had suffered a cyberattack in the previous 12 months, with 83% reporting that their SMB customers had suffered one as well. In addition, two-thirds of MSPs surveyed said they were worried that they wouldn’t be able to defend their customers during a cyberattack.
In a reader survey ChannelPro conducted in June 2020, 46% of respondents said they had experienced a cyberattack on either themselves or their customers.
Why MSPs are now the targets of cybercriminals should be obvious, says Ferron, noting that a decent MSP has anywhere between 20 and 100-plus customers. “If I can get into the software that the MSP is using, I can affect 20 to 100 different companies from one attack.”
SMB customers have become more attuned to the issue too, says Hanslovan, who adds that was not typically the case just a year ago. Now, he says, people are telling him “I’m leaving because my MSP was compromised,” or “I have heard the MSPs can get you compromised,” or “I’m considering not using an MSP and doing it in-house.”
Coffer, whose firm and its customers have not experienced a security incident, has clients in the financial services sector that are subject to industry regulations, and they read the headlines. “Because our companies are regulated by the SEC, they need to do a certain amount of cybersecurity themselves, and they look to us to help them with that. But at the same time … we need to fill out due diligence questionnaires to make sure our cybersecurity standards are up to the standards they need to be, because we’re their vendor and they worry about that.”
Lack of Skilled Security Staff
For MSPs, part of the problem is a lack of skilled security staff and resources. According to the ChannelPro reader survey, 24% of respondents say they do not have enough of and/or the right skilled staff to proactively protect their own company as well as their customers. The Continuum/Vanson Bourne report had a similar finding, with more than 1 in 5 MSPs saying their organization does not have the right technical skills, certifications, and knowledge, while 40% of MSPs struggle to obtain and retain the skills necessary to deliver and sell security services.
“They don’t have enough security people on board, but the problem is much bigger than MSPs,” Hanslovan says, “because there is so [little] security talent [and] you have inflation of security salaries. So the reality is MSPs just can’t afford truly great security talent.”
That said, Hanslovan and others say MSPs can and should improve their security posture by adhering to the following best practices:
Determine your baseline
MSPs need to know what they’ve got on their network and how it’s configured, Ferron says. Auvik, IT Glue, RapidFire Tools, and others make solutions that can assist with this process. Smaller MSPs, Ferron notes, can access a free network scanning tool like Nmap. “It’ll show you all the computers it sees. It’ll tell you what ports and services are running on those machines. If you don’t know what’s running on your network right now, how are you going to know when it changed? And guess what, Mr. MSP, you should be doing exactly the same thing for your customers.”
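Ferron's question about knowing when the network changed can be answered mechanically by saving a scan and comparing later scans against it. The following is an added example, not code from the article or from anyone quoted in it: it parses Nmap's grepable output (`-oG`) and reports new hosts and newly opened or closed ports. The two scans, with their addresses and host names, are constructed sample data.

```python
# Added example: diff two Nmap grepable (-oG) scans against a saved baseline.
# Both scans are constructed sample data; the addresses and names are invented.
BASELINE = """\
Host: 10.0.0.5 (dc01)\tPorts: 53/open/tcp//domain///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.20 (ws-01)\tPorts: 135/open/tcp//msrpc///, 3389/closed/tcp//ms-wbt-server///
"""
CURRENT = """\
Host: 10.0.0.5 (dc01)\tPorts: 53/open/tcp//domain///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.20 (ws-01)\tPorts: 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.0.77 ()\tPorts: 22/open/tcp//ssh///
"""


def parse_grepable(text):
    """Return {ip: {(port, proto): service}} holding only ports in state 'open'."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status:" lines carry no port data
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = hosts.setdefault(ip, {})
        for entry in ports_field.split(", "):
            parts = entry.strip().split("/")
            # entry layout: port/state/protocol/owner/service/rpcinfo/version/
            if len(parts) >= 5 and parts[0].isdigit() and parts[1] == "open":
                found[(int(parts[0]), parts[2])] = parts[4]
    return hosts


def diff_scans(baseline, current):
    """Compare two scans and report what changed since the baseline."""
    old, new = parse_grepable(baseline), parse_grepable(current)
    shared = old.keys() & new.keys()
    return {
        "new_hosts": sorted(new.keys() - old.keys()),
        "missing_hosts": sorted(old.keys() - new.keys()),
        "opened": sorted((ip, *p) for ip in shared for p in new[ip].keys() - old[ip].keys()),
        "closed": sorted((ip, *p) for ip in shared for p in old[ip].keys() - new[ip].keys()),
    }


if __name__ == "__main__":
    for kind, items in diff_scans(BASELINE, CURRENT).items():
        print(kind, items)
```

Hosts that answered the scan but had no `Ports:` line are not tracked by this parser, so a host-discovery-only scan produces an empty result.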
Adopt a security framework
Ali Zadeh, CISSP, CISM, CISA, who leads the cybersecurity practice at the Coffer Group, recommends following a security framework like the customized version of the NIST Cybersecurity Framework that his firm uses. “I personally believe that if you’re not using a security framework, you don’t have a security program,” he says. “You have to start with the framework, customize it, and then based on that you build your policies.”
Implement layered security
Layered security is the mantra for most MSPs these days. For Coffer that includes anti-virus, DNS filtering, multifactor authentication, mobile device management, encryption, complex and unique passwords, single sign-on, dark web monitoring, auditing, logging, and more. Coffer Group has partnered with third-party specialists for its security operations center (SOC) and 24/7 monitoring as well.
Change your DNS
Ferron recommends changing your DNS to a managed DNS server, such as OpenDNS from Cisco or others. “That way, if your machine wants to go somewhere that OpenDNS or any of these managed DNS providers [know is a bad location] it will block it.”
Furthermore, Ferron says, have your firewall only allow DNS traffic from the DNS server, “which means that if a machine gets infected and it wants to query DNS and bypass the company, the firewall says ‘no, no, no, you can’t do that.’”
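A way to verify that the firewall rule described above is doing its job, as an added example that is not from the article: it reads firewall flow records and separates DNS lookups that bypassed the internal resolver and were blocked (a host worth investigating) from those that were allowed out (a gap in the rule). The resolver address, LAN range, record layout and log lines are all assumptions constructed for illustration, and only classic DNS on port 53 is covered.

```python
import csv
import io
import ipaddress

# Assumptions for this sketch: one internal resolver and a single LAN range.
RESOLVER = ipaddress.ip_address("10.0.0.5")
LAN = ipaddress.ip_network("10.0.0.0/24")

# Constructed firewall flow records: time,src,dst,proto,dport,action
FLOWS = """\
2020-09-01T10:00:01,10.0.0.5,208.67.222.222,udp,53,allow
2020-09-01T10:00:02,10.0.0.20,10.0.0.5,udp,53,allow
2020-09-01T10:00:07,10.0.0.31,8.8.8.8,udp,53,deny
2020-09-01T10:00:09,10.0.0.44,1.1.1.1,tcp,53,allow
2020-09-01T10:00:11,10.0.0.44,93.184.216.34,tcp,443,allow
"""


def dns_bypass_attempts(flow_csv):
    """Find DNS flows to the internet that did not come from the resolver.

    'blocked'  : the firewall denied them; the source host needs a look.
    'rule_gap' : the firewall let them through; the rule set needs fixing.
    """
    result = {"blocked": [], "rule_gap": []}
    for _ts, src, dst, proto, dport, action in csv.reader(io.StringIO(flow_csv)):
        if dport != "53":
            continue  # not DNS
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip == RESOLVER or dst_ip in LAN:
            continue  # resolver forwarding upstream, or a client asking the resolver
        bucket = "blocked" if action == "deny" else "rule_gap"
        result[bucket].append((src, dst, proto))
    return result


if __name__ == "__main__":
    for bucket, flows in dns_bypass_attempts(FLOWS).items():
        print(bucket, flows)
```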
Remove the low-hanging fruit
While Hanslovan says humans are the weakest link security-wise, “there’s still low-hanging fruit like misconfigured services and unpatched things. … Misconfigurations is a big one; that was one that Verizon actually called out.” Indeed, Verizon’s 2020 Data Breach Investigations Report found misconfigurations were up nearly 5% from the last study.
Coffer stresses the importance of patch management, which goes beyond patching a product and assuming it’s doing its job. “Making sure things don’t fall through the cracks is really important,” he says. “So first you build on a good RMM tool that can patch those things properly and automate the process.”
He recommends using a Splunk-type tool to aggregate information from multiple sources as well. “The RMM provides a lot of information, but there’s other information that goes beyond what the RMM provides.”
Hanslovan says “self-investment” is one of the most important steps an MSP can take, starting by learning how to use all the built-in security in their RMM such as group policies and configuration management. “They’re not hardening their environments and they’re not using group policies. They’re also not minimizing their attack surface. … If they did know how to use what they were already paying for, they could provide better encompassing security.”
Utilize a secure documentation/password management system
“One of the biggest problems that MSPs have is all the shared accounts,” says Zadeh. In addition to minimizing those, he recommends storing credentials, customer data, project information, IP network information, and more in a documentation system, or what he calls a “secure vault.” This type of database allows you to enable multifactor authentication, change passwords, and have an audit trail, he says. Examples include SolarWinds Passportal, IT Glue, and others.
Don’t sacrifice security for shiny things or ease of use
Built-in security factors high in vendor selection for the Coffer Group. “If they said we don’t do multifactor, we would just say forget about it, we’re not even working with you,” explains Coffer, who adds that he recently passed on a promising new company’s product because it wasn’t SOC 2 certified. “It’s a high hurdle that they have to get over because that’s ultimately our liability too if their product doesn’t work in a safe and secure manner.”
Zadeh adds that MSPs need to resist the temptation to sacrifice security “to gain access to a tool that can make things much, much easier for you.”
Weigh the benefits of a SOC 2 audit
Becoming SOC 2 compliant can be time consuming and expensive, so Hanslovan recommends weighing its applicability to your business. “It will make you better, but you should figure out what is most important, like Maslow’s hierarchy of needs.” For instance, do your customers require SOC 2? Do they see the value in it? Will it allow you to increase your revenue and the service you deliver? Get SOC 2 certification only if you answer yes to such questions, Hanslovan stresses.
Have an incident response plan
Create an incident response plan before you have an incident, advises Zadeh.
Adds Coffer, “We want to have [a plan] in place so we know what our obligations are internally, who we need to notify internally to get things forward, and if and when there’s a need, who do we notify, and under what circumstances, [at] the client, as well as understanding the severity of something, so we know how quickly we need to respond, what information we need to gather.”
If there is an incident, speed of response is important, he says, so having a plan ready “is really valuable.”
Implement security awareness training
Security awareness is a challenge for almost all MSPs, Zadeh says, so he recommends training employees with “a program just like we do for our clients. It’s really important internally that everyone knows to look for the warning signs” in emails and phone calls. Keeping employees up to date on the latest scams and best practices should be ongoing too, he adds.
Get cyber insurance
Cyber insurance isn’t optional anymore if you’re an MSP, stresses Hanslovan.
The Continuum/Vanson Bourne research found that 43% of MSPs claim that their organization would be held solely accountable if one of their customers experienced a cyberattack. Additionally, 83% said that their customers would take legal action against them in the event of a cyberattack.
ChannelPro’s reader survey found that more than 43% of respondents have cyber insurance, but nearly 17% worry that it isn’t enough.
Indeed, Hanslovan says insurers are scrutinizing claims more. “They’re starting to pay out much different. [In] 2019, insurance was paying out claims like there was no tomorrow.” Now, he says, cyber-insurance companies are doing more forensics on incidents to determine if the MSP was negligent or at fault. “They’re actually calling their own incident responders in to represent the insurance [company] to help figure out who is negligent.”
For Coffer, his company has cyber-security insurance because it is “an expectation.” However, he says, while that provides peace of mind to customers and protects them after the fact, his top priority is prevention. “Our focus is really to secure our systems and to make sure our employees understand what to watch out for and to follow proper procedures.”
Stay informed
With attack vectors and techniques constantly changing, Ferron recommends that every MSP join InfraGard, a partnership between the FBI and the private sector that shares information on cyberattacks.
Another resource is the MSP information sharing and analysis center (MSP-ISAC) formed by Datto, Huntress, ConnectWise, and Kaseya last summer, and since joined by numerous other vendors who exchange threat information through a Slack channel. The TSP-ISAO, created by ConnectWise last year and now run by CompTIA, is an option as well.
A New World
The security threat landscape has changed a lot since many MSPs got into the business, and it continues to demand more from them as they work to protect themselves and their clients, says Ferron. “If you think about the history of MSPs, they were break-fix … Now we’re asking the MSPs to learn new technologies on security, and then they’ve got to convince their customer to buy this new offering, to help them secure their environment. That also means that they have to have people inside their building who understand security, who understand alerts, who understand incident response.”
There’s no sugar coating the challenge, Hanslovan says. “The reality is it’s just such a big problem that I would like to see more investment in people, more investment in the basics.”