10 best practices for MSPs to secure their clients and themselves from ransomware
Lock-downs and social distancing may be on, but when it comes to addressing the need for IT support—whether by current or potential clients—it’s business as usual for MSPs.
And, boy, is it a struggle.
On the one hand, they keep an eye on their remote workers to ensure they’re still doing their job securely and safely in the comfort of their own homes. On the other hand, they must also address the ever-present threats of cybercrime. Although some threat actors were vocal about easing off on targeting hospitals and other organizations that are key to helping societies move forward again, sadly not all of them are like this.
Letting up and turning a blind eye to such groups is almost tantamount to not putting security in mind when safeguarding your organization’s future. Ransomware, in particular, has impacted the business world—MSPs included—unlike any other malware type. Business-to-business (B2B) companies not protecting themselves or their clients against it is simply not an option.
Why abide by best cybersecurity practices
The majority of what impacts MSPs in the event of a breach is not that different from what affects other B2B entities that keep data of their clients. MSPs are preferred targets because of the eventual cascade of successful infiltration they promise to threat actors. Traditionally, cybercrime groups target multiple companies, usually fashioning their campaigns based on intel they gleaned about them. For attackers, hitting one MSP is tantamount to hitting multiple companies at the same time with significantly lower effort and exponentially higher gain.
In the event of a ransomware attack, MSPs will have to face:
- Potential loss of data. Attacks threaten not just the data that belongs to the MSP, but also those of their clients.
- Cessation of services. An MSP suffering from a ransomware attack wouldn’t be able to provide service to their many business clients, who in turn also need support for their IT needs. The lack of support leaves them vulnerable to attacks.
- Loss of time. Time is an asset that is best used in providing the best service an MSP can offer. So, the more time spent attempting to recover from a ransomware attack, the less MSPs earn.
- High financial cost. Mitigating and remediating from a ransomware attack can be exorbitantly expensive. A lot of hardware may need replacing; third-party companies, fines and penalties, and lawsuits may need paying; and a good PR firm to help salvage the company’s reputation post-breach may need hiring.
- A crisis of credibility. Customers decide whether they stay with their current MSP or move to a new, more secure one, post-breach. Losing clients can deal a heavy blow to any business. And it can get worse if the word is out about an MSP and it hasn’t done anything to address its problems.
To serve and protect: a call for MSPs, too
To best protect their clients, MSPs must first protect themselves. Here are 10 best practices we advise them to take.
Educate your employees. Education shouldn’t stop with their clients; it should start within their own backyard. Remember, what employees don’t know may get the company in trouble.
MSP employees should undergo cybersecurity training for two reasons: [1] to further aid clients, more and more of whom expect MSPs to provide this kind of service in addition to what they already offer, and [2] to gain a general knowledge of basic computing hygiene, which, when practiced, will greatly help protect the MSP from online threats such as phishing.
Keeping your employees apprised of the latest threats will keep MSPs on top of providing support to clients. Continuously simulating threats within their environment will also keep employee knowledge sharp and adaptable when a situation calls for it.
Invest in solutions that will protect you at your weak points. Threat actors see MSPs as low hanging fruit due to their sometimes poor security hygiene and outdated systems. Needless to say, MSPs must protect their assets like any other business.
To take this step, MSPs must first recognize what their assets are and find out where they lack protection. This means potentially hiring a third party to do an audit or conduct a penetration test. For example, if a security inspection reveals that the MSP is not using a firewall to protect their servers, they may be advised to place one at the perimeter of high-risk networks. Moreover, place firewalls between endpoints within the network to limit host-to-host communication.
A full security suite that actively scans for malware, blocks potentially dubious URLs, quarantines malicious threats, and protects their employees from emails with malicious attachments and potentially harmful media can help in nipping online threats that target MSPs in the bud.
Back up sensitive files and data regularly. While backing up files is expected to be a staple service from MSPs, it is unfortunately largely overlooked.
According to a 2017 report from The 2112 Group and Barracuda, only 29 percent of MSPs back up data.
It has become essential now more than ever for MSPs to prioritize creating a backup strategy in their repertoire if they want to better protect their clients and address complications posed by ransomware. We recommend an effective three-point plan to guide you further.
Patch, patch, and patch some more. Some MSPs may just be inexperienced at protecting their own systems, thus, they miss out on updating their operating system and other software.
According to a 2018 study by the Ponemon Institute, 57 percent of companies that suffered a breach in the previous year said the breach was possibly caused by poor patch management. Worse, 34 percent of these had already known of their software vulnerabilities before they were attacked. This suggests that even when a patch is available for software an MSP uses, they either don’t apply it or manage patching poorly.
As you may already know, it’s not difficult for anyone to go through an open door the same way that it doesn’t take a genius to find out and exploit a software flaw—there’s a tool for that, after all.
MSPs should create a great patch management strategy and stick to it. But if they think this is too much to handle, scope out a good third-party provider that could do the job just as well.
Restrict or limit accounts with clients. It’s tragic that many companies hit with ransomware—MSPs included—are confirmed to be compromised by the use of stolen credentials, which are gained primarily via phishing. This point is to ensure that while MSPs must know their limits when in a client network, clients in turn must ensure that their MSP adheres to company password and permission management best practices they already have in place.
There are several ways organizations can limit MSPs regarding what they’re authorized to do and how deep in the network they’re allowed to go. MSP accounts must be removed from enterprise (EA) or domain administrator (DA) groups. Give them only the bare minimum access to systems they service. Client organizations should also restrict MSP accounts using time, such as setting an expiration date and time for MSP accounts based on the end-of-contract date; temporarily disabling accounts until their work is needed; and restricting MSP service hours only within business hours if this is required.
Isolate networks with servers housing sensitive information. MSPs should know better than to connect all their servers, including those where they keep extremely sensitive data of their customers and logs, to one network that is also public facing. Not only will this put their data at risk of being affected in the event of breach, there is also the possibility that someone who doesn’t have ill intent may stumble across the data online—especially if the MSP hasn’t secured it properly.
In the event of a threat actor successfully infiltrating an MSP, network segmentation will serve as a barrier between them and the MSP’s critical servers. Done right, this will not only prevent a potential outbreak from spreading further within the network but also hinder the bad guys—and malicious insiders—from viewing or grabbing sensitive data.
Monitor network activity continuously. Knowing that they are now targets, MSPs must invest in resources that would provide them 24/7 network monitoring and logging. This way, anomalies and unusual behavior within the network—usually an indication of a possible attack—would be a lot easier to spot and investigate. To benchmark what is normal traffic within an MSP’s environments, they may need the aid of third-party platforms to create a baseline and alert them to network activities it finds out of the ordinary.
Enable multi-factor authentication (MFA). Username and password combinations are no longer enough to secure the types of sensitive data that MSPs are expected to protect. A layered approach to putting data under lock and key is an essential need, and there are multiple methods of authentication that MSPs can choose from that they can couple with those credentials.
Disable or remove inactive accounts. You’d think it would only be practical to remove or disable accounts of former employees. Yet, it is easy to forget or procrastinate on spring cleaning accounts, especially when the MSP is already swamped with high priority tasks. Perhaps they have forgotten that this, although simple to do, is also a critical task.
Having a good account management system or process in place should have this sorted. After all, threat actors only need a tiny opening to exploit, and an MSP’s goal—like any other business’s, cybersecurity-wise—is to make itself a hard target by making it as difficult as possible for threat actors to infiltrate them.
Avoid shortcuts. While it’s tempting to cut corners or take unsecured shortcuts, especially when certain situations may seem viable for it, it’s important for MSPs to step back and realize that taking such measures may give them the benefit they expect but the risks will also increase.
For example: a stressed and busy MSP employee uses an access utility instead of loading up a VPN to apply an update on a client’s server. Only this time, he forgets to close the opening he created with the utility. While the task he was assigned to do is done, he also left his client’s server vulnerable.
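As an added example (not from the original article), the account restrictions described under “Restrict or limit accounts with clients” and “Disable or remove inactive accounts” can be checked with a small audit over an exported account list. The record fields, the account names and the 90-day inactivity threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Groups the article says MSP accounts must not belong to.
PRIVILEGED_GROUPS = {"Enterprise Admins", "Domain Admins"}
INACTIVE_AFTER = timedelta(days=90)  # assumed threshold, not from the article

def audit_msp_account(acct, now, require_logon_hours=True):
    """Return the list of policy findings for one MSP account record."""
    findings = []
    privileged = PRIVILEGED_GROUPS & set(acct["groups"])
    if privileged:
        findings.append("member of " + ", ".join(sorted(privileged)))
    if acct["expires"] is None:
        findings.append("no expiration date")
    elif acct["expires"] > acct["contract_end"]:
        findings.append("expires after contract end")
    if acct["enabled"]:  # a disabled account cannot log on, so skip logon checks
        if require_logon_hours and not acct["logon_hours"]:
            findings.append("no logon-hour restriction")
        last = acct["last_logon"]
        if last is None or now - last > INACTIVE_AFTER:
            findings.append("enabled but inactive")
    return findings

def audit_all(accounts, now):
    """Map account name -> findings, omitting accounts that pass every check."""
    report = {a["name"]: audit_msp_account(a, now) for a in accounts}
    return {name: f for name, f in report.items() if f}

# Constructed sample export; field names are hypothetical, not a real schema.
END = datetime(2025, 12, 31)
ACCOUNTS = [
    {"name": "msp-helpdesk", "groups": ["Domain Admins", "Helpdesk"],
     "enabled": True, "expires": None, "contract_end": END,
     "logon_hours": None, "last_logon": datetime(2025, 5, 30)},
    {"name": "msp-patching", "groups": ["Patch Operators"],
     "enabled": True, "expires": END, "contract_end": END,
     "logon_hours": "Mon-Fri 08:00-18:00", "last_logon": datetime(2025, 5, 28)},
    {"name": "msp-former-tech", "groups": ["Helpdesk"],
     "enabled": True, "expires": datetime(2026, 6, 30), "contract_end": END,
     "logon_hours": "Mon-Fri 08:00-18:00", "last_logon": datetime(2024, 11, 1)},
    {"name": "msp-oncall", "groups": ["Helpdesk"],
     "enabled": False, "expires": END, "contract_end": END,
     "logon_hours": None, "last_logon": None},
]

if __name__ == "__main__":
    for name, findings in audit_all(ACCOUNTS, datetime(2025, 6, 1)).items():
        print(f"{name}: {'; '.join(findings)}")
```

The disabled `msp-oncall` record passes because an account that stays disabled until its work is needed is one of the restrictions the article recommends.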
Great expectations
Clients are expecting a lot from MSPs, relying on them for everything, and looking to them as the technology and service experts who understand their need for security and how to address it. Yet often, those expectations aren’t met or provided for.
MSPs, it’s time to gain competitive advantage in your space by ensuring that your company is as secure as it can be, so you can better give security advice, measures, and aid to the clients you serve. In the end, you can’t give security if you don’t have it yourself.
The post 10 best practices for MSPs to secure their clients and themselves from ransomware appeared first on Malwarebytes Labs.