Why MSPs’ Security Keeps Me Up at Night

For at least a few years now, the press has rightly brought attention to the fact that small-to-midsized businesses (SMBs) have increasingly become targets for cybercriminal activity. SMBs often contain valuable data, yet rarely have the security controls available to their enterprise counterparts.

In 2019, we saw cybercriminals point their sights at managed services providers (MSPs) as well. The US Department of Homeland Security (DHS) issued warnings about attacks against MSPs, and I don’t see any reason for cybercriminals to stop. With recent turmoil between nation states, it’s not unthinkable that MSPs could become targets of nation-state actors or cyberterrorists.

This is why MSP security keeps me up at night. MSPs can still take steps to reduce their exposure to cyberthreats. So, today I want to talk about why MSPs are vulnerable and what steps you can take as an MSP to secure your own environment.

Why MSPs Are So Vulnerable

The obvious reason MSPs have become targets is that they’re central hubs for the data and systems of multiple businesses. If an attacker compromises one MSP’s employee’s account, they can get into systems and data for multiple companies. For the effort, that’s a much larger score for a criminal than focusing on one company at a time.

However, there are less obvious reasons that make MSPs vulnerable. The nature of running an MSP adds complications that large enterprises won’t face.

• Lack of security knowledge: Although not always, MSPs traditionally come from the world of systems and network management. Their focus is typically on keeping systems up and running. Protecting environments from cyberattacks hasn’t been their traditional domain. As a result, they may not be as comfortable with more advanced security tools required to fight the worst of modern threats.
• Time-poor: Running an MSP business takes a lot of time. MSP owners must market the business, sell services, keep track of employee schedules, make sure service quality is up to snuff, and deal with any “fires” as they arise. Keeping up with the latest tools and threats in the press can be a lot to ask those owners.
• Lack of fiscal resources: Unlike larger corporations with deep pockets, MSP businesses often have to watch every penny. It’s tempting to put all their money into growth strategies or bringing in new technicians instead of investing in their own security.

So if MSPs are vulnerable, what can they do to fight back?

Secure Your Own House

If you own an MSP, you probably offer some security measures to your customers already, but you can’t skimp on your own—your security must be stronger than your customers’. There are several steps you can take to reduce your risk of a breach. While nothing’s bulletproof, these steps can help reduce your overall danger.

• Keep up with the fundamentals: You probably offer some of these services to your customers already, but you can’t neglect them on your end either. Patch regularly on both OS and third-party systems to close software vulnerabilities. Protect and monitor your network by using a next-generation firewall (and make sure it’s configured appropriately). Do everything you can do to protect your endpoints. Perform regular backups and test them for recoverability. Also, add email security to the mix, since many attacks begin at the inbox.
• Advanced endpoint protection: Basic endpoint protection solutions are not enough in high-risk environments (and MSPs fall under the “high-risk” category these days). Your team is most likely mobile, sometimes working from home and other environments. Invest in advanced endpoint protection solutions that look for anomalous behavior on endpoints. For example, one alert mentioned that APT actors used trusted applications and credentials for malicious purposes, an attack often known as living off the land. An endpoint protection solution could use artificial intelligence to detect a legitimate account attempting to perform an unusual action—say deleting data or attempting to reach out to other endpoints on the network—and spring into action.
• Monitoring: Some threats can’t be detected or prevented using the aforementioned tools. Many threats require more advanced detection tools such as security information and event management (SIEM) tools for monitoring logs. Odds are your logs already show anomalous behavior. But wrapping your arms around the gigabits of log data each day is tough to do on your own. SIEM tools allow you to be proactive in your monitoring and get alerts when high-value, actionable events occur. Many threats require this level of active monitoring to detect and handle.
• Security training: Whether they need reminders on generating strong passwords, recognizing social engineering signs, or avoiding insecure WiFi networks on the road, reinforcing strong policies with regular trainings helps you establish and maintain a culture of security.
• Reducing the attack aperture: Don’t give cybercriminals any easy openings. Look at your environment and identify the common areas representing the biggest risks, then look for ways to mitigate that risk. This could be technology, processes or people. If a single tech has full access to all your clients’ systems, what would happen if their machine was compromised? If a device in your environment was infected with ransomware, could it spread to other devices in the environment and reach your clients? Do you have appropriate segmentation in the network? How about segmentation for users? You can’t stop all attacks—but you can contain them with proper segmentation.
• Password security and identity management: Managing identities and passwords for your users is critical to the overall protection of your environment. Passwords are often one of the weakest links, but using a password manager can help you keep passwords hard to hack across your organization. With a solution like SolarWinds^® Passportal, you can automatically generate strong, unique passwords and provide technicians with one-click access to important accounts and services for your customers. Password managers prevent users from having to generate and remember passwords (or worse—type them into spreadsheets or write them on sticky notes). Beyond this, Passportal lets you quickly grant or revoke account access so if an account does get compromised, you can quickly shut it down and contain the damage.
• Prepare for incidents: Despite your best efforts, security attacks happen. Hopefully, they don’t happen often, but when they do, you should be prepared. Having an incident response process in place is absolutely crucial for limiting the damage. You don’t necessarily have to reinvent the wheel. Build on what you already know. You have a disaster recovery process in place for your customers—treat a security incident in a similar fashion. The key is to have processes set up and understand who to involve, how to communicate, and where to get help. Beyond that, it’s worth drilling the team on the process of dealing with these incidents before they happen. When incidents occur, most people have strong emotional reactions; drilling beforehand can reduce potential panic among the team, allowing everyone to make smarter decisions. Don’t leave it to the last minute—or the actual event—to prepare.

Are You Prepared?

As an MSP, you’re on the front lines of the fight against cybercriminals. With access to so much data, you have a responsibility to not only help secure your clients’ locations and systems, but also your own. While we can’t completely eliminate the possibility of successful attacks on MSPs, the industry can at least work on reducing its risk.

As I mentioned earlier, you should maintain strong password hygiene and access controls to guard against the cybercriminals. SolarWinds Passportal is designed to help you maintain strong password practices within your own MSP. Learn more about how it can help today. 

Tim Brown is VP of Security for SolarWinds MSP. He has over 20 years of experience developing and implementing security technology, including identity and access management, vulnerability assessment, security compliance, threat research, vulnerability management, encryption, managed security services, and cloud security. Tim’s experience has made him an in-demand expert on cybersecurity, and has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. Additionally, Tim has been central in driving advancements in identity frameworks, has worked with the US government on security initiatives, and holds 18 patents on security-related topics.