Recent events have brought yet more alarming reminders of how important cyber security measures are for MSPs.
- According to industry news reports, the Kansas City-based MSP NetStandard sustained a cyberattack in early August of 2022. The extent of the damage has not been disclosed but may be significant: the MSP reportedly shut down its MyAppsAnywhere cloud services for more than a day, including hosted Dynamics GP, Exchange, SharePoint, and CRM services.
- In late July, experts warned, almost in real time, that a Russian hacker had gained access to over 50 U.S. companies by breaching an MSP. The hacker was on the dark net seeking help in taking advantage of that access.
Attacks on MSPs are increasingly frequent and dangerous, according to intelligence continually gathered by the governments of multiple nations including the U.S.
While the details of any given attack currently in the news may be unclear, MSPs are a major focus of attacks by state-sponsored and other entities. It is therefore important that MSPs maintain vigilance and mount the best defenses possible.
It is no longer a question of whether any given MSP will suffer an attack. The only question is when.
So it is critical that MSPs spend time and resources on two things: preparing to defend against attacks, and preparing to limit the damage if an attack gets through their defenses.
How to defend an MSP against cyberattack
Deploy and maintain monitoring and logging processes.
Since weeks or even months can go by before a breach is noticed, MSPs should maintain monitoring and logging processes dedicated specifically to network threats. Specific expertise is required to decide what to log, how long to retain the logs, and how to analyze them to detect attacker behavior. In the accelerating threat environment, off-the-shelf settings and a once-over examination by a non-expert are not safe practices.
Beyond the MSP itself, the organizations connected to it, whether clients, partners or consultancies, should also use robust logging and analysis dedicated to the detection of illicit network activity.
MSPs and their customers need to meet the threat with as much cooperation and sharing of logs, analysis, and other detection strategies as is appropriate and possible. The default should no longer be walls up, but windows onto each other, as appropriate, in order to defend the entire community around an MSP.
This cooperation should include, as appropriate, comprehensive plans developed and implemented jointly with customers, mutual visibility into and identification of systems on the network, and an efficient procedure for notification in the event of an attempted attack or other incident.
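The kind of analysis the logging advice above has in mind is easier to see in working code. The following is an added example, not code from the original article or from any product it mentions: it parses constructed auth-log lines from a hypothetical remote-access gateway (the IPs, account names and timestamps are made up) and runs two detections that matter to an MSP, a password spray (one source failing against several accounts) and a successful login from a source that had just been failing. The window and thresholds are illustrative assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real incident or product), shaped
# like an SSH/remote-access gateway auth log. The assumed scenario: one source
# tries several accounts, then succeeds on one of them.
SAMPLE_LOG = """\
2022-08-01T02:14:03Z gw sshd[1201]: Failed password for admin from 203.0.113.7 port 51022
2022-08-01T02:14:05Z gw sshd[1201]: Failed password for backup from 203.0.113.7 port 51023
2022-08-01T02:14:07Z gw sshd[1201]: Failed password for svc_rmm from 203.0.113.7 port 51024
2022-08-01T02:14:09Z gw sshd[1201]: Failed password for jsmith from 203.0.113.7 port 51025
2022-08-01T02:14:12Z gw sshd[1201]: Failed password for admin from 203.0.113.7 port 51026
2022-08-01T02:14:15Z gw sshd[1201]: Accepted password for admin from 203.0.113.7 port 51027
2022-08-01T09:00:00Z gw sshd[1310]: Accepted publickey for jsmith from 198.51.100.20 port 40110
2022-08-01T09:03:11Z gw sshd[1311]: Failed password for jsmith from 198.51.100.20 port 40111
2022-08-01T09:03:20Z gw sshd[1311]: Accepted password for jsmith from 198.51.100.20 port 40112
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(log_text):
    """Turn raw lines into (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(minutes=10), spray_accounts=3, min_failures=3):
    """Two detections over a sliding window kept per source IP:
    - password_spray: one IP fails against >= spray_accounts distinct accounts
    - success_after_failures: an accepted login from an IP that already has
      >= min_failures failed attempts inside the window
    Thresholds are illustrative assumptions, not recommended values."""
    alerts = []
    recent_failures = defaultdict(list)  # ip -> [(ts, user), ...] still inside the window
    spray_alerted = set()                # alert once per IP, not on every further failure
    for ts, result, user, ip in sorted(events):
        # Expire failures that have fallen out of the window relative to this event.
        recent_failures[ip] = [(t, u) for t, u in recent_failures[ip] if ts - t <= window]
        if result == "Failed":
            recent_failures[ip].append((ts, user))
            accounts = sorted({u for _, u in recent_failures[ip]})
            if len(accounts) >= spray_accounts and ip not in spray_alerted:
                spray_alerted.add(ip)
                alerts.append({"type": "password_spray", "ip": ip, "at": ts, "accounts": accounts})
        elif len(recent_failures[ip]) >= min_failures:
            alerts.append({"type": "success_after_failures", "ip": ip, "at": ts,
                           "user": user, "failures": len(recent_failures[ip])})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample data this raises exactly two alerts, both for 203.0.113.7: a spray after the third distinct account fails, and a success-after-failures alert when the "admin" login is accepted with five failures still in the window. The single failed attempt from 198.51.100.20 before a successful login raises nothing, which is the kind of judgement (a typo versus an attack) that the thresholds encode and that an expert should set deliberately rather than leave at a default.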
Use multifactor authentication
MSPs should strongly encourage, if not require, the use of MFA across all customer accounts, and must require it for all administrator accounts and any remote access accounts. In the current threat environment, MFA is a fundamental baseline requirement.
Tighten network architecture (including customers’)
MSPs should segment networks so that an attack cannot easily and rapidly spread across them. They should also segregate critical business systems within their own network, so that a foothold on one segment does not hand over the keys to the kingdom and enable yet another MSP ransomware attack.
Allow only necessary permissions
Give each user only the system privileges their tasks require, and only for as long as they require them. Although continually updating permissions may seem tedious, it can be systematized into a fortnightly or monthly review, and it significantly reduces risk, which can balloon out of control when permissions are over-distributed and never revisited.
Apply software updates promptly
MSPs should apply updates on their own networks, security updates above all but ultimately all of them, and strongly encourage or even require customers to do the same with their software.
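The periodic permission review described above can be turned into a repeatable check. The following is an added example, not code from the original article: it runs over a constructed list of grants (made-up users, assumed role names, and an assumed 30-day idle limit) and flags every grant that has expired, was never used, has gone idle, or is a privileged role with no end date at all. Each finding is something the reviewer must either revoke or re-justify, which is what makes the review effective rather than a rubber stamp.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Roles treated as privileged; names are assumptions for illustration only.
PRIVILEGED_ROLES = {"DomainAdmin", "GlobalAdmin", "BackupOperator"}


@dataclass
class Grant:
    user: str
    role: str
    granted: date
    expires: Optional[date]    # None = standing access with no end date
    last_used: Optional[date]  # None = never exercised since it was granted


def review(grants, today, max_idle_days=30):
    """Return (user, role, reason) for every grant the reviewer must revoke or re-justify.
    The checks are ordered so each grant gets the single most serious reason."""
    findings = []
    for g in grants:
        if g.expires is not None and g.expires < today:
            findings.append((g.user, g.role, "expired"))
        elif g.last_used is None and (today - g.granted).days > max_idle_days:
            findings.append((g.user, g.role, "never_used"))
        elif g.last_used is not None and (today - g.last_used).days > max_idle_days:
            findings.append((g.user, g.role, "idle"))
        elif g.expires is None and g.role in PRIVILEGED_ROLES:
            # Standing admin rights with no expiry are exactly what least privilege forbids.
            findings.append((g.user, g.role, "privileged_without_expiry"))
    return findings


# Constructed sample data for a review run on 2022-08-08 (not from any real environment).
REVIEW_DATE = date(2022, 8, 8)
SAMPLE_GRANTS = [
    Grant("jsmith", "DomainAdmin", date(2022, 7, 1), date(2022, 7, 15), date(2022, 7, 10)),
    Grant("backup_svc", "BackupOperator", date(2022, 1, 10), None, date(2022, 8, 1)),
    Grant("mlee", "Helpdesk", date(2022, 3, 1), None, date(2022, 5, 1)),
    Grant("aroy", "DomainAdmin", date(2022, 8, 1), date(2022, 8, 15), date(2022, 8, 7)),
    Grant("tng", "Helpdesk", date(2022, 6, 1), None, None),
]


def run_sample_review():
    return review(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, role, reason in run_sample_review():
        print(f"{user:12} {role:16} {reason}")
```

Of the five sample grants only "aroy" survives: a time-boxed admin grant that is in use and has not yet expired. The point of the time-box is that the default outcome is removal; continued access has to be renewed on purpose.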
Backup data and systems (and test the backups regularly)
MSPs should maintain a schedule of backups of both their data and their systems, and strongly encourage or require customers to do the same. Backups should be kept offline, encrypted, and tested frequently to ensure that this crucial safeguard actually works when it is needed.
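"Tested frequently" means more than checking that the backup job reported success: it means restoring and proving the restored data matches what was backed up. The following is an added example, not code from the original article: it records a SHA-256 manifest of a tree at backup time, then checks a restored copy against that manifest and reports anything missing, altered, or unexpected. The demo builds a small constructed tree in a temporary directory and injects two faults (a corrupted file and a file that never made it into the backup) to show what a failed restore test looks like. It covers only the restore-verification step; offline storage and encryption of the backup media are separate controls.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    Returns a sorted list of (relative_path, problem); an empty list means the
    restore reproduced every file byte-for-byte and added nothing extra."""
    restored_root = Path(restored_root)
    problems = []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            problems.append((rel, "hash_mismatch"))
    for rel in build_manifest(restored_root):
        if rel not in manifest:
            problems.append((rel, "unexpected_file"))
    return sorted(problems)


def demo(inject_faults=True):
    """Constructed end-to-end run: back up a tiny tree, 'restore' it, and verify.
    With inject_faults=True two realistic failures are simulated in the restored copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "src"
        (src / "docs").mkdir(parents=True)
        (src / "logs").mkdir()
        (src / "docs" / "a.txt").write_text("client inventory\n")
        (src / "docs" / "b.txt").write_text("runbook v1\n")
        (src / "logs" / "c.log").write_text("ok\n")
        manifest = build_manifest(src)  # taken at backup time, stored with the backup

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)   # stands in for the real restore procedure
        if inject_faults:
            (restored / "docs" / "b.txt").write_text("runbook v1 (trunc")  # partial write / bit rot
            (restored / "logs" / "c.log").unlink()                          # never captured by the job
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore problems:", demo(inject_faults=False))
    print("faulty restore problems:", demo(inject_faults=True))
```

Store the manifest alongside the backup (and a copy elsewhere) so that the restore test has something independent to check against; a restore that merely "completes" proves nothing about the integrity of the data it produced.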
Plan (and regularly practice) incident response and recovery plans
An incident response and recovery plan should include complete, detailed lists of what each responsible team member is to do. It should include up-to-date contact information, including methods of contact outside the MSP's own systems, since email and other communication channels may themselves be affected by an attack.
By the same token, hard copies of the plan should be available, since a plan that exists only digitally, in a system that ransomware has taken down, will not be available for consultation when it is needed most.
Use cyber security expertise
Whether from your own team or from an outside consultant, experienced and knowledgeable cyber security expertise is needed these days to create and implement an MSP cyber security plan. Articles such as this one can motivate and give a view from 40,000 feet, both of which are necessary, especially the first. But given the warnings aimed specifically at MSPs by multiple national governments, an MSP cybersecurity checklist is something to develop with the help of focused, specialized expertise.
Risk reduction via cyber insurance
Another method of defense is the right insurance. Cyber security insurance is a crucial backstop for MSPs against business losses in the event of a successful attack. As you tighten your defenses and implement plans based on expertise, you put yourself in a position to obtain highly protective cyber security insurance at an affordable price, since premiums are based on risk and you will have measurably reduced yours.