MSP Community Blog
The ASCII Blog highlights articles featuring MSP members from our community as well as ASCII staff
How To Protect Your MSP From Cyberattacks
Managed Service Providers have been in the press a lot lately, and not in a good way. Cybercriminals have realized that the MSPs are a single point of entry into hundreds of poorly secured small and medium businesses (SMB’s), and come with fully functional remote access remote script execution to make their lives easier.
How do MSPs best protect themselves from cyberattacks? NIST has released a cybersecurity framework that provides a great illustration of how to think about security, for companies in any industry.
Identify all the equipment and services that you have and its function and importance. Do not skip this step, believing you already know your environment. Not every component needs the same level of security. Your website is going to need different security measures than your RMM. Workstations will need to be treated differently than cloud services. By identifying all assets in your organization, you ensure nothing gets forgotten or under-secured.
This what most people think of when they hear cybersecurity. Protecting the network against hackers from getting in. This is where you pile on the layers of protection. First, make sure all devices that can access the internet are fully patched. Workstations all need antivirus, anti-malware, and full disk encryption. Add DNS filtering to ensure bad requests get stopped at the edge. The network needs a professional-grade firewall—your ISP’s router is not good enough on its own. Don’t let wi-fi devices access the primary network. If you must have wi-fi, enable MAC filtering so only authorized devices can connect. Multi-factor authentication is critical on all cloud services that allow you to access client machines, client data, and documentation. Lock down access to your remote access tools so only machines on your public IP are allowed access. Most breaches begin with phishing scams, so it is important to have a good email filtering service in place.
Yet, it is not enough to simply protect users and employees from these dangers. You must educate them to protect themselves. Implement a user awareness training program to teach users how to detect scams and social engineering attacks. Have strong password policies and enforce them with password management tools.
As we all know, no network is completely secure. Researchers have even found ways to exfiltrate data from air-gapped computers. No matter how good your Protection mechanisms are, you also need to plan for the eventuality that something will get through. The first step in dealing with this is being able to detect a breach. Put EDR software on all computers. Enable logging on all network devices. Ship the logs from all network devices, servers, and EDR applications to a central SIEM that gets monitored and alerts you when anomalies show up.
If you are breached, it is important to have an incident response (IR) plan in place to guide you on what to do. All 50 states have some sort of data breach notification law, so you may be legally required to notify customers or the attorney general. You won’t want to spend your time after you’ve been hacked and your clients are being ransomed trying to figure out what to do and who to call. Include your attorney, cyber insurance agent, and PR firm on this plan. Consider hiring a professional incident response company to help investigate. Have this IR plan written down, and rehearse it regularly with your staff, vendors, and willing clients. Remember, an IR plan is like backups: if you aren’t testing it, you don’t have one.
Finally, how do you get back in business once you’ve been attacked? First have everything backed up: servers, workstations, cloud data, email, phone system configuration, everything. Have it all backed up, offsite, and air gapped so an infection cannot contaminate your backups. Yes, attackers will try to disable and delete local and cloud backups before it encrypts a user’s data. Also, consider how long it takes to restore everything. If you need to download 1 TB of data from the cloud over a 25 Mb internet line, it will take you four days before it’s all back. Can your business support that amount of downtime? If not, it’s time to get a faster restore process in place.
As a final measure, you will need cybersecurity insurance. If you do get hacked, ransomed, or your network becomes a staging ground to attack your clients, you may need to pay for decryption or damages. Protect your business assets by having insurance to cover for this. A word of caution: choose your insurance company wisely. Because of the glut of MSP attacks lately, many cyber insurance companies have started denying MSPs coverage. This is often because they didn’t do enough due diligence upfront to ensure the MSP’s security precautions were sound. Don’t work with an insurance company unless they make you demonstrate a minimum level of security.
Review And Harden
Once you have completed this process, Red Team your own company. Find the smartest, most creative or nefarious person in your company and have them try to break into your systems. Their inside knowledge will be invaluable in finding security holes. Take the outcome of this and use it to shore up your process. Set up alerts to watch for measures being disabled, uninstalled, or skipped. If you can afford it, have an external company do a penetration test instead of an employee.
The time has come for the MSP industry to practice what it preaches. We can no longer be the mechanic with a bad car or the cobbler whose kids don’t have shoes. We must have the most secure network under our management and protect all customers that entrust their businesses and livelihoods to us.
About the Author: Tim Singleton is President of Tim Singleton is President of Strive Technology Consulting and has been a member of The ASCII Group since 2019.
Reprinted with permission, courtesy MSPInsights.com