MSP Community Blog

The ASCII Blog highlights articles featuring MSP members from our community as well as ASCII staff

ASCII Insight: MSPs Share Their Thoughts On Cybersecurity
ASCII Community   April 3, 2020

ASCII Insight: MSPs Share Their Thoughts On Cybersecurity

In our ongoing quest to provide you with the best business advice possible, we’ve partnered with The ASCII Group and their members who are going to share their thoughts on timely topics or best business practices. In this article, the following ASCII member answered our questions about cybersecurity:

Q: What cybersecurity best practices are you implementing, both for your business and your clients’ businesses?

Dreyer-Goldman: We are using a layered approach for ourselves and our clients. We use NextGen AI Firewalls with SSL/DPI, MFA, managed antivirus on the endpoints, encryption on the hard drives, secure password managers and sometimes bio-metric fingerprint scanners. We also offer endpoint, network and cloud threat monitoring with options for firewall and Office 365 monitoring. For more critical clients we offer Managed SOC-as-a-Service where Our SOC team performs continuous threat hunting and triages detections.

Liberman: Basic; patching, advanced EDR/AV, DNS filtering, user training, and dark web alerting.

Intermediate; firewall log reading/response, vulnerability scanning, and new device alerting.

Advanced; MFA, device encryption, MDM, email encryption, password management, and secure RDS.

Drobnis: We implement ISO 270001 (not certified) and ITIL internally and externally; in addition, we make sure our clients are in compliance with the legislative/regulatory requirements from their industry where specified.  For clients not in that industry, we follow the same best practices.

Picard: Since 2018 we have been steadily moving our clients and our systems to MFA on all systems across the board, single sign-on with conditional access is the next step for our clients. We have been increasing network segmentation to multiple VLANs with clients that have more than 50 systems, keeping four for the smaller clients. Guest VLAN, IoT/Staff Wi-Fi VLAN, Core VLAN, and Secure.

Hunter: Multi-layer security monitoring, password management, and strict patching routines.

Fox: All of our engineers have separate accounts (no account sharing) with complex passwords and two-factor authentication. We geo-filter inbound connections to our RMM tools, as well as any inbound rules at client sites. Sensitive requests, such as changes in credentials or permissions, are confirmed via outbound phone call to the IT point of contact at the site, in case of compromised email accounts. We routinely perform phishing simulations for both our team and client staff.

Q: Are your employees adequately educated about cybersecurity threats?

Liberman: Yes, with ongoing training and information sharing and team meetings.

Drobnis: New employees are required to take cybersecurity awareness training and sign the employee handbook, which covers policies for proper usage of company IT resources. Cybersecurity policies are readily accessible to all employees. Employees are educated regarding the latest security threats regularly and we follow the same rules for employees of all our clients.

Picard: I am constantly sharing the new documented attack vectors with our staff, showing the next generation of threats so they can be detected early. Safe hygiene when it comes to credentials and access is a key part of our business and our staff is regularly tested using various tools for their security knowledge.

Hunter: We are training every day on how the threat landscape is evolving and its effects on our customers and our business.

Fox: Yes, we cover this in a weekly meeting, and have constant conversations about emerging threats.

Q: What cybersecurity services are you currently offering and what services will you be adding?

Liberman: See the answer to the first question. All offered but not all “taken up” yet, such as universal MFA or MDM.

Drobnis: Current services include various assessment/audit services, incident response, backup and disaster recovery, penetration testing. Our next service out of the pipeline will be in the arena of NIST/CMMC certification service.

Picard: Currently, we do not do any SOC or SEIM services, while these are of importance the cost to most of our smaller clients is not sufficient. We currently offer identity management, dark web monitoring, AI EDR, DNS and SSL inspection to all our service agreement our next step is to bring in a threat hunting service, while not a SOC or full SEIM it will provide better protection than our clients have now.

Hunter: 7x24x365 monitoring and remediation for the following: endpoints, network devices, and mobile.

Fox: We provide dark-web scanning for all clients using ID Agent. We’re implementing SOC monitoring/ingestion of firewall logs to a third-party SOC. EDR is rolling out to all clients.

Q: What is your cybersecurity incident response plan?

Liberman: We have one but surely cannot elucidate it all here. We have one for incidents that are “contained” and one for those that include an actual data breach (release).

Drobnis: We have a risk-based incident response plan that is documented.

Picard: Using sential one we would isolate all stations in the event of a bonified threat, this would at least give us the opportunity to contain the event. Since we use SSL, APT monitoring we expect to get some early indications of compromise to reduce the risk to our clients. My biggest concern isn’t our practices but those of our vendors who have repeatedly demonstrated a lack of interest in cybersecurity.

Hunter: This is a work in progress at this point.

Q: Cybersecurity insurance: do you have it and why or why not?

Liberman: Yes, we do. Not even sure how to explain why … better to ask why not of those that don’t.

Drobnis: Our first response is that we don’t let people know of our status and we definitely tell our clients not to disclose that either regardless of whether they have one.  Letting people know you have a policy is an open invitation to hackers because they know it will be easier to get money when the effect on an organization is limited because their insurance company will pay it out. For our clients, we tend to look at the risks to determine if the ROI on such a plan is worth it and if so, at what cost.

Picard: Of course, cyber liability and professional liability are both required for any MSP, this is a minimum step for all MSPs to ensure their clients are protected and our operations can continue. It would be in my opinion for an MSP to preach to clients to have such protection while not having their own.

Hunter: Yes. However, we are evaluating if we need to adjust our coverage with the changing threat landscape.

Fox: Yes, we added a rider to our policy for data loss due to encryption as well as coverage for data restoration. It is $1million of coverage for our operations and coverage extends through our E&O policy to client data.

Reprinted with permission, courtesy