How to Defend an MSP Against Cyberattacks

Managed service providers remain high-value targets: one compromised provider gives an attacker a foothold in every client it manages. The biggest drivers of incidents today are (1) abuse of remote access tools (RMM and screen-sharing) and (2) identity takeovers that bypass legacy, phishable MFA (SMS codes, voice calls, and plain push prompts). This playbook shows what to fix first, mapped to the minimum controls most cyber insurers expect.


Controls that actually move risk (and premiums)

  1. Identity and access: Enforce phishing-resistant MFA (FIDO2/passkeys) for all admins and any remote access; use Conditional Access; adopt Just-in-Time privilege (PIM).
  2. Remote tools (RMM/screen-share/help desk): Treat as Tier-0; lock down install and use; require SSO plus strong MFA; approvals and monitoring for privileged sessions.
  3. SaaS/OAuth hygiene: Disable end-user app consent; require admin workflows; allow only publisher-verified apps; disable legacy authentication.
  4. EDR/XDR and patching: Coverage on 100% of endpoints and servers; tight patch SLAs, especially for remote access tools and known-exploited issues.
  5. Backups: 3-2-1-1-0 with at least one immutable or air-gapped copy; quarterly restore tests.
  6. Logging and detection: Centralize identity, email, endpoint, RMM, firewall, and SaaS admin logs; keep about 12 months where feasible.
  7. Attack surface: Eliminate exposed RDP/admin portals; put anything sensitive behind VPN or Zero-Trust with strong MFA.

  1. Identity first: kill phishable logins
  • Phishing-resistant MFA (FIDO2 security keys, passkeys, or certificate-based) for administrators, remote access, and any high-risk apps.
  • Just-in-Time admin (PIM): No standing global admins. Use time-bound elevation with approvals and reason codes for Microsoft 365/Azure and other critical SaaS.
  • Conditional Access: Require compliant devices for admin portals; block risky sign-ins (for example, impossible travel, unfamiliar locations); step-up MFA for sensitive actions.
  • Rotate local admin passwords automatically (for example, Windows LAPS). Never reuse local credentials across machines.
  • Disable legacy authentication (Basic auth for POP, IMAP, SMTP AUTH, and similar protocols that cannot carry MFA) where possible.

Insurance lens: Carriers increasingly expect phishing-resistant MFA and privileged access controls before offering favorable terms.


  2. Remote tools (RMM, screen-share, help desk): treat as Tier-0
  • Minimize footprint: Do not install RMM agents on Domain Controllers; avoid server installs unless strictly required.
  • Control installation: Require signed agents; block user-installed remote tools via application control; alert on new remote-access binaries.
  • Access policy: Enforce SSO with phishing-resistant MFA; restrict by IP/VPN; log and record privileged sessions where feasible.
  • Approvals and dual control: Require approvals for high-risk actions (script deployment, registry edits, mass uninstalls).
  • Break-glass: Maintain out-of-band communications and separate credentials for emergencies; rotate immediately after use.
  • Help-desk SOPs (anti-social-engineering):
    • No password resets, factor enrollments, or privilege changes via chat or ticket alone.
    • Call back only to pre-verified numbers; use multi-person approval for privilege escalations.
    • Require stronger proof for admin-level requests (for example, manager approval plus callback).

  3. SaaS and email: clean up OAuth/app consent
  • Disable end-user consent to third-party apps; route requests through an admin consent workflow.
  • Allow only publisher-verified apps you actually trust; review requested scopes, restrict access by user assignment, and review existing OAuth grants regularly.
  • Apply Conditional Access for admin changes (app registration, security info, token lifetimes).
  • Block legacy or less-secure access and enforce modern OAuth across mail and file services.

  4. Endpoint, patching, and EDR/XDR
  • EDR/XDR everywhere: all workstations, servers, and supported mobile devices.
  • Patching SLAs: critical vulnerabilities in days; remote-access tooling and known-exploited issues in hours when active exploitation is observed.
  • Baseline configuration: Use CIS Controls (IG1/IG2) for asset inventory, secure configuration, vulnerability management, and malware defenses.
  • Application control for admin tools and scripts.

  5. Backups that survive ransomware
  • 3-2-1-1-0: three copies, on two different media, one offsite, one immutable or air-gapped, and zero errors on restore verification.
  • Immutability: Use storage features such as object lock or WORM where available.
  • Test restores quarterly to real RTO/RPO targets and document results.

  6. Logging and detection that responders can use

Centralize and retain the logs that tell the story:

  • Identity (authentication, MFA changes, privilege changes)
  • Email (delivery, impersonation detections, rule or forwarding changes)
  • Endpoints and EDR telemetry
  • RMM and admin actions (script runs, tool deployment, session starts and ends)
  • Firewall and VPN or Zero-Trust access
  • SaaS admin and audit logs (app-consent changes, mailbox permissions, file-sharing policy changes)

Aim for approximately 12 months of searchable retention where feasible; at minimum, meet regulatory and contractual needs and your incident-response partners’ requirements.
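The correlation rules responders actually want over those logs, as an added example written for this article (not tooling from the original page): it runs four detections over constructed identity, email and RMM events, namely a new MFA method followed by privileged role activation, an RMM agent installed on a Domain Controller, a mass script deployment without an approval reference, and a mailbox forwarding rule pointing at an external domain. The event schema, the Domain Controller list, the internal domain set and the thresholds are assumptions; map your own SIEM's fields onto them.

```python
"""Detection rules over centralized identity, email and RMM events.

Added example for this playbook, not tooling from the original page. Event
field names (ts, source, user, action, ...) are assumptions standing in for
whatever your SIEM normalizes to. Sample events at the bottom are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed: hosts that are Domain Controllers (the playbook says no RMM agents there).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
# Assumed: the MSP's own mail domains; forwarding anywhere else counts as external.
INTERNAL_DOMAINS = {"msp.example"}
# Assumed tuning values for the rules below.
TAKEOVER_WINDOW = timedelta(hours=1)
MASS_ACTION_MIN_TARGETS = 25


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def detect(events: List[Dict]) -> List[Dict]:
    """Run every rule over the events (any order) and return the alerts raised."""
    events = sorted(events, key=_ts)
    alerts: List[Dict] = []

    # Rule 1: MFA method added, then a privileged role assigned/activated for the
    # same user inside the window. The classic post-phish takeover sequence.
    for i, e in enumerate(events):
        if e["source"] != "identity" or e["action"] != "mfa_method_added":
            continue
        for later in events[i + 1:]:
            if _ts(later) - _ts(e) > TAKEOVER_WINDOW:
                break
            if (later["source"] == "identity" and later["user"] == e["user"]
                    and later["action"] in {"role_assigned", "role_activated"}):
                alerts.append({"rule": "mfa_then_privilege", "user": e["user"],
                               "role": later.get("role")})

    for e in events:
        # Rule 2: RMM agent landing on a Domain Controller.
        if (e["source"] == "rmm" and e["action"] == "agent_installed"
                and e.get("host") in DOMAIN_CONTROLLERS):
            alerts.append({"rule": "rmm_on_dc", "host": e["host"], "user": e["user"]})
        # Rule 3: mass script deployment with no approval reference attached.
        if (e["source"] == "rmm" and e["action"] == "script_deployed"
                and e.get("target_count", 0) >= MASS_ACTION_MIN_TARGETS
                and not e.get("approval_id")):
            alerts.append({"rule": "mass_script_unapproved", "user": e["user"],
                           "targets": e["target_count"]})
        # Rule 4: mailbox forwarding to a domain we do not own.
        if e["source"] == "email" and e["action"] == "forwarding_rule_created":
            dest_domain = e.get("forward_to", "").rsplit("@", 1)[-1].lower()
            if dest_domain and dest_domain not in INTERNAL_DOMAINS:
                alerts.append({"rule": "external_forwarding", "user": e["user"],
                               "forward_to": e["forward_to"]})
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "source": "identity", "user": "tech1@msp.example",
     "action": "mfa_method_added", "method": "authenticator_app"},
    {"ts": "2024-05-01T09:20:00", "source": "identity", "user": "tech1@msp.example",
     "action": "role_activated", "role": "Global Administrator"},
    {"ts": "2024-05-01T09:25:00", "source": "rmm", "user": "tech1@msp.example",
     "action": "agent_installed", "host": "DC01"},
    {"ts": "2024-05-01T09:30:00", "source": "rmm", "user": "tech1@msp.example",
     "action": "script_deployed", "target_count": 180, "script": "cleanup.ps1"},
    {"ts": "2024-05-01T09:31:00", "source": "rmm", "user": "tech2@msp.example",
     "action": "script_deployed", "target_count": 3, "script": "printer-fix.ps1"},
    {"ts": "2024-05-01T10:00:00", "source": "email", "user": "ceo@msp.example",
     "action": "forwarding_rule_created", "forward_to": "archive@mail-collector.invalid"},
    # Same pattern as tech1 but three hours apart: stays below the window, no alert.
    {"ts": "2024-05-01T13:00:00", "source": "identity", "user": "tech2@msp.example",
     "action": "mfa_method_added", "method": "fido2"},
    {"ts": "2024-05-01T16:00:00", "source": "identity", "user": "tech2@msp.example",
     "action": "role_activated", "role": "Exchange Administrator"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule is deliberately cheap to express because the hard part is not the logic but having the RMM, identity and email logs in one place with consistent user and host fields; without that, rule 1 cannot join the MFA change to the role activation at all.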


  7. Internet-exposed attack surface
  • Eliminate exposed RDP and management interfaces.
  • Put admin portals and sensitive apps behind VPN or Zero-Trust with phishing-resistant MFA and device checks.
  • Scan your public footprint regularly; alert on new services and certificate changes.
  • Harden DNS and TLS configurations, and enforce email authentication: SPF with a hard fail, DKIM, and DMARC at p=quarantine or p=reject rather than p=none.
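Checking that SPF and DMARC records actually enforce rather than merely exist, as an added example (not code from the original page): it parses record strings and reports why a record is monitoring-only. The records are constructed; fetching live TXT records is left to the caller (for instance with dnspython's dns.resolver.resolve(name, "TXT")) so the example runs offline.

```python
"""Evaluate whether SPF and DMARC records are actually enforcing.

Added example for this playbook, not code from the original page. It only
parses record strings; fetching the TXT records is left to the caller so this
runs offline. The sample records at the bottom are constructed.
"""
from typing import Dict, List, Tuple

ENFORCING = ("quarantine", "reject")
# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Return (enforcing, findings). Enforcing means failing mail is quarantined
    or rejected for the domain and all subdomains, 100% of the time."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return False, ["not a DMARC record (missing v=DMARC1)"]
    findings: List[str] = []
    policy = t.get("p", "")
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is delivered")
    sub = t.get("sp", policy)  # sp defaults to p when absent
    if sub not in ENFORCING:
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    try:
        pct = int(t.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = -1
        findings.append("pct is not a number")
    if 0 <= pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is acted on")
    if "rua" not in t:
        findings.append("no rua: no aggregate reports, abuse goes unseen")
    return policy in ENFORCING and sub in ENFORCING and pct == 100, findings


def _mech(term: str) -> str:
    """Mechanism name of an SPF term, without qualifier or argument."""
    return term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()


def evaluate_spf(record: str) -> Tuple[bool, List[str]]:
    """Check the 'all' qualifier and the lookup budget. '-all' fails unlisted
    senders; '~all' only softfails them; '+all' or bare 'all' lets anyone send."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["not an SPF record (missing v=spf1)"]
    findings: List[str] = []
    all_terms = [x for x in terms[1:] if _mech(x) == "all"]
    if not all_terms:
        return False, ["no 'all' mechanism: unlisted senders get a neutral result"]
    last = all_terms[-1]
    qualifier = last[0] if last[0] in "+-~?" else "+"  # qualifier defaults to +
    if qualifier == "+":
        findings.append("+all: every host on the internet passes SPF")
    elif qualifier in "~?":
        findings.append(f"{qualifier}all: unlisted senders are not rejected, most receivers still deliver")
    lookups = sum(1 for x in terms[1:] if _mech(x) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit of 10, receivers return permerror")
    return qualifier == "-" and lookups <= 10, findings


def audit_domain(spf_record: str, dmarc_record: str) -> Dict[str, object]:
    """Combine both checks into one row for the audit checklist."""
    spf_ok, spf_findings = evaluate_spf(spf_record)
    dmarc_ok, dmarc_findings = evaluate_dmarc(dmarc_record)
    return {"spf_enforcing": spf_ok, "dmarc_enforcing": dmarc_ok,
            "findings": spf_findings + dmarc_findings}


# Constructed sample records, not real DNS data.
SAMPLE_RECORDS = {
    "weak": ("v=spf1 include:spf.protection.outlook.com ~all",
             "v=DMARC1; p=none; rua=mailto:dmarc@msp.example"),
    "enforcing": ("v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
                  "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@msp.example; adkim=s; aspf=s"),
    "half": ("v=spf1 include:spf.protection.outlook.com +all",
             "v=DMARC1; p=reject; sp=none; pct=50"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        print(name, audit_domain(spf, dmarc))
```

The "half" record is the one to watch for in audits: p=reject looks like enforcement on a checklist, but sp=none leaves every subdomain spoofable and pct=50 waves half of the failing mail through.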

Quick audit checklist (use with your PSA/RMM)

  • Phishing-resistant MFA enforced for admins, remote access, email, and RMM
  • PIM or JIT configured; standing global admins = 0
  • RMM hardened (install controls, SSO plus MFA, no Domain Controllers, approvals, alerting or recording)
  • App consent locked down; legacy authentication disabled
  • EDR/XDR on all endpoints and servers; patch SLAs defined and met
  • Backups follow 3-2-1-1-0; quarterly restore tests documented
  • Central logging with about 12 months retention; alerting on identity and RMM events
  • No exposed RDP or admin portals; regular external scans in place

Cyber-insurance alignment

Underwriters increasingly ask for evidence of the controls above before binding or to remove sub-limits. If you need a concise, MSP-friendly list to share with clients, see: Cyber Insurance Requirements: The Minimum Controls Checklist (for SMBs and MSPs).
