Information technology and managed service provider firms tend to be the “teachers” and not the “students” when it comes to cybersecurity. It seems that those of us in the technology support industries are forever reminding our clients about the threats of cyberattacks and the tools and practices necessary to avoid data breaches. But while we’re preaching protection and compliance to clients, we should not forget that our firms are also targets for hacking. It’s no secret that attacks on MSPs are often just the bait used to lure bigger fish – namely your clients.
MSP clients count on us for many things. We take care of their business servers, desktops, patching, software installation and more. As a result, we have access to an astounding amount of information, making us prime targets for cyberattacks. When an MSP is hacked, cybercriminals have access to the data of all the organizations served by that provider. So, ultimately, the core of our service is adequate protection of our clients’ data and systems. Managed service provider firms are no different from any other organization. Truth be told, the client data we store and are charged with protecting requires the highest level of defense.
Relying solely on protection tools is – to put it politely – foolhardy. Each organization should have a checkpoint protocol in place: a point person assigned to stay on top of security safeguards. To illustrate the importance of a checkpoint protocol, consider the following: A major company recently learned its lesson the hard way when one of its partners failed to implement multifactor authentication (MFA) on their Microsoft 365 portal account. They knew they needed it; they knew they should do it, and yet they dragged their feet … and what happened? They wired $800,000 to the wrong people and the FBI ended up being involved. Here’s the takeaway – if you don’t put the seat belt on, you can’t be saved from the crash.
Also, falling under the category of “you can lead a horse to water, but you can’t make them drink” is an incident involving one of our clients.
We reached out asking to conduct an audit of the client’s security systems, but they pushed back, citing lack of time, etc. But we persevered, using a protocol we implemented in our system that provides an extra push to ensure that our safety appeals to clients are not ignored. The bottom line is that regardless of the amount of protection in place, any organization is only as safe as the weakest link. The good news is that this story has a happy ending – our “nagging” paid off when the client finally agreed to a full audit.
This country is experiencing an unprecedented increase in cyberattacks and malicious cyber activity. Cybercriminals are more prolific, craftier, and bolder than ever, and it appears that things will only get worse. Because of this, security stacks have become a necessary spoke in the wheel of data safety. A security stack serves as both an inventory and a roadmap of cybersecurity tools in place within an organization and their function. The goal is to protect the six general areas of business risk faced by most organizations:
- Network perimeter security
- Physical security
- Internal security
- Incident response
- Long-term response
- Cloud security
A security stack or operational plan can greatly benefit from the addition of managed detection and response (MDR) platforms, making it faster and easier to identify threats. These platforms provide full protection when used in conjunction with other tools such as advanced threat systems and endpoint detection systems. Solutions like Huntress, Blackpoint and ThreatLocker, among others, have been found to be reliable platforms to prevent unknown software from being loaded.
Compliance and security go hand in hand. You can’t have full confidence in your security systems in the absence of full confidence in your compliance protocols. At its core, cybersecurity compliance is adherence to the standards and regulatory requirements set forth by an agency, law, or other authority group. Organizations must achieve compliance by establishing risk-based controls that protect the confidentiality, integrity, and availability of information. The data must be protected, whether stored, processed, integrated, or transferred.
A risk analysis – a series of questions about the storage of personal identity information – is one layer of compliance assessment, but a penetration test offers a larger picture of an organization’s present and potential vulnerabilities. Penetration testing is also referred to as ethical hacking or pentesting. It is a detailed assessment conducted on information systems to identify vulnerabilities that hackers can exploit. A penetration testing report provides information for vulnerability remediation. Chances are a penetration test will detect personal client information on some workstations – even though your organization has a policy against it. If a risk is unknown, it remains.
OK – this may be a no-brainer, but we have to mention passwords. Repeated passwords increase an organization’s security vulnerabilities exponentially. Implementing a password manager, such as Keeper, allows IT and MSP firms to manage both organizational and individual passwords.
The fact of the matter is that regardless of the number of safety measures implemented, the expertise of your IT department, or the industry involved, there is no guarantee that a data breach will never occur. And this applies to those in our industry – the keepers of client information. A hack attack is embarrassing, costly and often has long-term effects. Therefore, the importance of having an incident response plan in place for your organization and all of your clients cannot be overstated.
A solid incident response plan should include:
- Risk assessment and plan preparation
- Identification processes
- Threat containment
- Attack eradication and prevention
- System recovery
- Incident review and future preparation
You can search for and download incident response plans on the internet, or you can even have ChatGPT create one.
A few words of advice – don’t place yourself in the position of having to make a decision while in crisis mode. That could lead to a short-sighted and even dangerous outcome, so put that incident response plan to the test before an event occurs. This can be accomplished through a simulated attack, an exercise that can identify potential gaps in internal security systems and processes.
Another layer of security that IT and MSP firms can apply is the tabletop exercise. These informal, discussion-based exercises are designed to help organizations identify gaps in their current incident response program. They can simulate a cyber event and stress test a company’s response policy, plan, and procedures to evaluate their effectiveness against security breaches. In the past these tabletop exercises focused on about a dozen general questions, but today some 200 very specific questions are asked. Take note that tabletop exercises should be conducted annually – at a minimum – for your organization and for all your clients.
MSP and IT firms are the gatekeepers of our clients’ valuable information, making us highly vulnerable to data breaches. Yes, we all strive to put our clients’ security first, but to do so, we must place our security at that same top level.
Konrad Martin is CEO of Tech Advisors, providing outsourced IT, cybersecurity detection and prevention, training, and cloud services. The firm is based in the greater Boston area.