It’s Time Managed Service Providers Enhanced Their Internal Security Practices.
Managed service providers, or MSPs, are utilised by a plethora of entities spanning almost every niche of industry and business. Their job is to remotely manage a client’s end-user systems, telecommunications, and pretty much everything related to information tech. As such, an MSP’s remit encompasses everything from servers and scanners to cloud storage and PCs. This wide reach makes MSPs as invaluable to modern business as they are a prime target for security breaches. Let’s explore the threat and what can be done about the problem.
MSPs Are Prime Targets For Hackers
A Reuters report recently documented how MSPs are now being targeted by hackers. One major attacker is Cloudhopper, an international hacking ring linked to the Chinese government. Why are MSPs under such rapid fire from hackers? The wide range of clients, the expansiveness of the data MSPs handle for each of those clients, and the value of that sensitive data all combine to make MSPs prime targets for hackers looking to get their hands on personal data.
From a security standpoint, the risk for all IT support providers is in plain sight. If for no other reason, it’s the uninhibited access to a client’s sensitive data that makes MSPs such a valuable target for hackers. When bank robber Willie Sutton was asked why he robbed banks, he simply said because that was where the money was, and the same basic logic applies to hackers and MSPs.
The Importance Of MSPs Ramping Up Security
For both their own solvency and the well-being of their clients, MSPs have no choice but to step up their security game now, not later. Once upon a time, measures like anti-malware, firewalls, and anti-virus were enough to filter out most information predators. That’s no longer the case as hackers have developed new methodologies and tools to circumvent such rudimentary security measures in cyberspace. Today, Managed Service Providers must employ a comprehensive 360-degree ecosystem of security around their realm in cyberspace if they hope to avoid losses and resulting liabilities.
Such a security system puts a dome over MSP operations, leaving nothing exposed for hackers to reach or utilise for their own benefit. This is a no-chance approach to information security that all MSPs would be prudent to employ.
MSPs Should Work With Security Pros To Ramp Up Security
For this type of no-chance, comprehensive security approach to be most effective and efficient, MSPs will want to coordinate the planning and implementation with cybersecurity professionals. These pros can help ensure that the approach includes custom-built, purpose-built security applications and appliances for the MSP’s particular operations.
Why call in the security pros when information technology pros are already on-scene? Most professions have an umbrella under which many classes, or specialities, of workers exist. Information technology isn’t an exception, and cybersecurity professionals are one of those subsets. Think along these lines: Someone may have the best general practitioner doctor in the world on-hand, but if they needed a kidney transplant, then they’d need a surgeon specialising in neurology for the surgery. The same distinction applies between general information tech pros and security pros specialising in cyberspace.
What Does Comprehensive Security For MSPs Look Like?
A big investment in this holistic ecosystem of security is in next-gen security to protect client data access systems, including:
- Next-gen advanced endpoint protection
- SIEM 2.0
- Next-gen perimeter protection
- Data loss prevention
- Network level monitoring
- File and disk encryption
- DNS and web filtering
- Multi-factor authentication
- Encrypted backup
- Dark web monitoring
- Security awareness training for employees
In addition to the above, MSPs will want to work with security pros to develop a comprehensive and enforceable cybersecurity policy. The best measures are those that 1) deputise IT support to join the mission to safeguard client data and 2) define security behaviors, objectives, and expectations for all employees and contract workers.
Education and training are part of a comprehensive security game plan. These need to be proactive, consistent, and routinely ongoing to be effective. While breaches and threats may demand on-the-spot training, the time for the bulk of an organisation’s education and training exercises is before a threat happens, not after. Employees also need opportunities to implement what they’ve learned in real-time operations and normative processes along the way, so they are prepared when threats do arise.
All of this can seem overwhelming and daunting for MSPs. Break implementation down into small information security chunks, and most will find that the effort needed to support an environment in which employees prioritise keeping their own and the company’s data safe and secure isn’t that grandiose in scale. Here are some implementation examples:
- Establish quarterly renewals for security policy reviews by employees. They’ll sign and date that they’ve read, understand, and agree to adhere to all previous and newly updated security protocols.
- Establish routine security announcement times, places, and methodologies. These can be included in morning staff meetings, in-service scheduling, morning login popups, paycheck stub messages, and so forth.
- Establish security as an element in annual employee reviews. How’d they do? What can they do better?
Don’t Forget To Cover Sociological Elements In Security
Another area MSPs should ensure is covered by the blanket of security is how employees utilise social media. Educate employees on potential threats and why they should be wary. Show them what cyberattacks look like from the surface of a victim’s perspective. Inform them that even legitimate websites are often infected, how malware and other hacker tools behave, and what to do to stay safe. Empower them with vigilance through knowledge and know-how.
Training employees in the sociological elements of security is essential to prevent such a massive hole in data protection. Aim to change lax behavioral and social media engagement norms to a posture that demonstrates internet security strength for themselves, their employer, and the clients they manage. How? Start by enforcing these guidelines for employee social media engagement:
- Never use personal social media profiles and pages to post anything of consequence concerning an employer or client. The public domain is fine to rally support for an event, but nothing related to specific roles within the event should be posted for hackers to latch onto and use as a source of infiltration.
- Do have a written policy on what types of information are public versus private, and what can and cannot be posted online as public information.
- Do establish educational programs for employees to identify, avoid, and report potential online leaks. Teach logic-first rules, such as don’t click on an incoming message notifying of a UPS package problem if the recipient wasn’t expecting a UPS package.
- Do have a protective cyber liability insurance policy in place for when the worst-case scenario happens and an employee is inadvertently led to an infected attachment or website. It will occasionally happen even under the best security measures.
Onward Toward The Good News
While any information-based company is responsible for the information it handles on behalf of clients, being fully protected against information theft lessens the liability significantly.
With cyber threats to security increasing over the last decade, entities doing business online and using the web to house and transfer sensitive data have stepped up to meet each newfound threat and challenge. In stepping up to protect themselves, they’ve all helped bring affordability to adopting security measures and utilising the expertise of security pros.
Do you have a comprehensive cyber security ecosystem in place to protect your MSP business and its clients? Are you a business leaving your data to an information technology service provider who’s underprotected? In either case, it’s a mistake that can cost you dearly.