October is known as National Cybersecurity Month in the US. Due to the accelerated growth of cybersecurity risks, this sounds appropriate for end or home users but, at the same time, the situation is equally dangerous for any knowledgeable managed IT provider.
The malefactors have turned their attention not only to companies but also to MSPs. So it is obvious that September should also be known and publicized as Cybersecurity Month -- as well as, quite frankly, any other month of any upcoming year.
In this article, we will provide some statistics about the latest cybersecurity incidents and risks, and define what you should do to protect both yourself, as an MSP, and your clients.
Ransomware Hits 51% of All Companies
According to Sophos, 51% of companies were hit by ransomware during the last year, 73% of these attacks being successful. According to Sophos, that 51% is a slight decrease compared to 54% the previous year; but it’s still huge.
It's all about people. According to IBM, user error is the cause of 95% of cybersecurity breaches. That figure is doubled in the report of the National Centre for Cyber Security, which states that 45% of users are reusing their email passwords on other services. (And, the worst fact of all is that “123456” is the most popular password in the world.)
Further reading 17 MSP Statistics to Show the Value of Managed Services
Lack of Backups
It seems a bit weird to be talking about the necessity for backups in 2020, and yet, 75% of small businesses have no disaster recovery plan in place.
The Obvious Help of Backups
According to the same report, 96% of companies with a trusted backup and disaster recovery plan were able to successfully recover after ransomware attacks.
MSPs Under Attack
The US Secret Service released a note in 2019 for public and governmental organizations that MSPs are now the prime target for cybercriminals. While there are no solid statistics on successful attacks on MSPs, there is the recent law in Louisiana obliging MSPs to register with the state, the order to register each public or governmental data breach that happens under managed IT surveillance. Also, if you imagine that ransomware is basically about paying half a Bitcoin for your data, you are in for a surprise. In June 2019, an MSP paid a hacker more than $150,000 to recover data after a ransomware attack. Learn how to to respond to cyberattacks on your business in our article.
Further reading Takeaways From 2019 Ransomware Attacks on MSPs
Securing Your MSP: Best Practices
Managed IT providers are a really enticing target for malefactors. They basically own keys from their clients’ tens and hundreds of IT infrastructures. In 2019, according to Huntress Labs, in the US alone there were at least 63 successful reported MSP attacks which resulted in ransomware in their clients' networks.
On the other hand, there is a second, more discreet attack vector. In the same 2019, ConnectWise reported that, due to an exploit in their massively popular RMM, hackers were able to spread crypto lockers across end-users.
All that resolves to a single conclusion. Before securing your clients, you, as an MSP, should perform an IT security audit, find all pain points, and eliminate all possible attack vectors.
The single best practice is to perform a security audit on a monthly basis. It should be based upon a checklist of your software and hardware solutions. All changes during the previous months should be carefully noted. Here are some cybersecurity basics to include in your list:
- Don't store your passwords in plain text; use a password manager.
- Don't share your password by copy/paste in chats or emails.
- Don't reuse any previously created passwords.
- Create different passwords for different users and don't ever use the same passwords for several users or platforms.
- Create a guideline on how to create secure passwords and monitor monthly to check it's being used.
Further reading Password Management Best Practices
Enable multi-factor authentication for all platforms you use, including PSA, RMM, emails, documentation platforms, and all others.
Keep in Contact with Your Vendors
You need to know about their exploits. Also, you should keep an eye on MSP peer groups. Typically, fellow MSPs find out about exploits and other vendor issues faster than the latter send out press releases.
Don't blindly reset passwords or start remote sessions for anyone by request. You need to create a solid end-user authentication policy.
- Ask your team to lock their computers when they leave the desk. Make the rule to auto-lock machines when idle for 15-20 minutes.
- Don't use open Wi-Fi networks.
- Encrypt your staff members’ hard drives.
- Block ports 443, 80 for remote connections.
- Connect anywhere only with a VPN or other tunneling solution.
- Perform antivirus checks for each machine daily.
- Document all network, security, and backup changes, and keep your documentation clean, concise, and in one place.
- Patch your systems whenever the patches come out. However, for Windows boxes, create a sandbox environment where you can test the updates. Microsoft tends to have buggy releases.
- Create a security manual for your team. Organize cybersecurity training programs, and test their knowledge monthly or quarterly.
Assess vulnerabilities and threats, network security, workspace and equipment security, documentation, and more. The pack includes:
- a ready-to-print PDF file
- an Excel file to help create a customizable assessment resource
Cyber Insurance and Contracts
- You need insurance. Discuss what exactly is needed with a company that is oriented towards IT insurance.
- Limit your liability in your contracts as much as possible. Check them with your attorney.
Further reading Do You Really Need a Cyber Liability Insurance?
Providing Managed Security to Your Clients
Nowadays, client cybersecurity protection is a must. You don't have to enable full-on SIEM for all clients and repurpose your MSP towards MSSP, but antivirus, a firewall, a password policy, 2FA, backups in place, network audit, email filtering, and spam protection are, again, a must. Here's a brief list of what you need to cover for your clients' basic protection:
- The same policy as yours. All the basics we've outlined before that you must implement at your workplace should also be implemented at your clients’.
- Infrastructure. Monitor your clients’ networks and connections. Perform a security audit monthly to find any unexpected changes in the configuration. Install antivirus and firewall for all devices.
- Data protection. Create a solid backup and disaster recovery policy. You should understand how fast you can recover in different cases, starting with a faulty deletion and on up to a full-on ransomware attack on the network. Also, think about protecting the users' hard drives with BitLocker, for example.
- Identity and access management. Don't allow your users to create or change passwords. Only change passwords after an authenticated call. Make sure all users are using MFA on all systems.
- Train and educate. Create videos and presentations about cybersecurity in general, anti-phishing training, and ransomware awareness training. Make sure that your end-users understand how to act in the event of data breaches or hacks. (They need to contact you immediately and provide details.)
Cybersecurity is a must, and you must have solid security policies in place before it’s too late. And, although it might happen that you or your clients never become a victim of a data breach or a hack, governments will at some point create further security compliance regulations for all MSPs managing user data. So, start today, and check your security.