MSPs, Don't Be the Weak Security Link
Don't assume that because you're a small company, you're not in the crosshairs.
July 3, 2017
By Greg Arnette, Founder and CTO, Sonian
Attackers are branching out when it comes to the methods they use to infiltrate organizations. Not only are they targeting specific businesses and high-profile individuals and looking for ways to get in through third-party contractors, they’re going after organizations that house data for multiple companies. Managed services firms and other solution providers need to be aware that they’re highly attractive targets — especially those with high-profile or regulated customers.
In fact, in late 2016, PwC, along with BAE Systems and the UK’s National Cyber Security Centre, uncovered a global cyber espionage campaign carried out by APT10, a well-known threat actor in the cyber security world. The campaign, which may have begun as early as 2014, directly targeted IT MSPs and, when successful, provided unbridled access to their customer networks. This “back door” approach allowed attackers to reach multiple organizations through one entry point.
To avoid what would surely be an uncomfortable conversation, MSPs need to take strategic measures to protect themselves. That’s especially true if you use or resell cloud services. A recent Check Point survey of IT professionals found 34 percent listed general security risks as the No. 1 barrier to cloud adoption. These apprehensions mean businesses are increasingly requiring that MSPs demonstrate how they’re bolstering their security services. Providers perceived as not up to par may find themselves losing clients.
For MSPs who have not yet taken strides to fortify their systems – and most have not, in my experience – now is the time to be hyper-proactive. Create the best defense with a strong offense. For example, training employees on security is important at every organization but especially crucial for MSPs, where there tends to be high staff turnover and more junior-level skill sets.
Teams should be trained to spot common tricks and identify suspicious activity. For instance, many security compromises happen when employees are sent what appears to be a password-reset email. While such messages often look legitimate, if employees open them and follow the instructions they contain, they are flinging the proverbial door wide open. Look at the hack of the Clinton campaign: Chairman John Podesta received a password reset notification from “Google,” and while there was confusion with IT about its legitimacy, he ultimately followed the prompts, allowing attackers full access to his account. He also failed to activate Google’s two-step verification – an easy and often overlooked security measure – which further weakened the locks on his emails.
While longtime IT professionals may wonder how someone could be so careless, hindsight is 20/20. No one expects to be a target, so it’s easy to ignore red flags without proper training. MSPs should consider offering to customers and using internally a series of web-based training courses in, for example, cloud-based email best practices. According to a 2016 Verizon data breach report, 30 percent of phishing messages are opened, but only 3 percent are reported to management. However, when employees are trained on how to spot phishing emails, and then get tested with mock phishing emails, the percentage that fall victim decreases with each round.
While practice may not make perfect, it will certainly help.
Other simple yet important steps every MSP should take include reviewing email security settings to make sure you’re following best practices, limiting access to customer account data, and selecting vendors that hold, and can help you comply with, third-party certifications. For example, while FedRAMP has been criticized as being costly and time-consuming for government contractors, more and more corporations are looking into which vendors meet FedRAMP’s key criteria related to factors such as structural organization, policy and procedural communications, risk management, control monitoring, systems operations and change maintenance.
As both real and perceived concerns over security threats continue to grow, MSPs need to be proactive in bolstering their own security measures to protect themselves, and their clients, from potential threats. In doing so, you’ll demonstrate you’re not an Achilles heel for customers, but a defensive line against attackers. In addition to strengthening customer relationships, bolstering security measures will prove to be a lucrative move as well. In fact, a recent survey by my company that polled more than 320 MSPs revealed 52 percent said their security offerings have been significant business drivers in the past 12 months.
Greg Arnette (@gregarnette) is founder and CTO for Sonian (@sonian). Greg has been a messaging, collaboration, Internet, and networking expert for over 15 years, and has been consulted by leading corporations on the management and administration of email systems. He has also been working with AWS infrastructure as a service since 2006, creating innovative software applications for an enterprise audience. Before Sonian, Greg was founder and CTO for IntelliReach Corporation, a SaaS email-governance service that was acquired by Infocrossing.