The global cybersecurity landscape is evolving and continues to grow more dangerous by the day. More and more hackers are exploiting the relationship between organizations and their MSPs to compromise IT assets.
Since MSPs have unfettered access to their clients’ IT environments, gaining control of MSP remote management consoles provides attackers with access to privileged credentials. Given this risk, MSPs need to secure credentials and enforce password management best practices to prevent attackers from exploiting their clients.
To help you get started, let’s take a look at some password management best practices for MSPs.
Multi-Factor Authentication (MFA)
While MFA was a “nice-to-have” feature in the past, it has become a “must-have” in the face of today’s sophisticated cyberthreat landscape. If the software you or your clients use comes with multi-factor authentication, never turn it off. Be sure, too, to educate clients on the benefits of MFA and on how they can take advantage of it to ensure secure access to business-critical data and applications.
To get the most out of MFA, consider taking a layered approach to password security by leveraging biometrics, code-generating/hardware tokens and other criteria (where possible) to ensure that there isn't a single point of failure in your IT ecosystem.
Further reading Two-Factor Authentication: Solutions, Methods, Best Practices
Employ a Password Generator Tool
The best passwords are randomized strings of text containing lower and upper case letters, as well as special and alphanumeric characters.
Since users have to create such random passwords for every account they own, they may have trouble remembering all the passwords — and as such, they end up creating passwords using text they can easily remember. To simplify this process, enterprises should use a password generator tool to create truly random strings based on character type requirements and length.
Use Centralized Access Management for Privileged Credentials
As an MSP, not only do you hold privileged passwords for your organization, but you also have access to those of your clients as well. To reduce the risk of malicious activities on company and clients’ businesses, MSPs need to centralize password management to see who is accessing what credentials and when they accessed them.
A centralized password management solution gives you full control over all credentials and allows you to grant access to admins on a case-by-case basis. No admin should have access to all privileged credentials. Also, a centralized solution helps in tracking and logging the access history of IT admins. Once an IT admin leaves, you can pull the history of all the credentials accessed and change them.
Your password management policy must include rules on how often your IT admins and client employees should change their passwords. Create and enforce policies that govern the rotation of passwords for the following accounts:
- In-house systems and services
- Line-of-business applications
- Cloud services and portals
- Network appliances
- Clients’ systems accounts
However, do note that passwords should be changed and not recycled. When changing passwords, ensure that the new password is completely different from every other password ever used with that credential.
In particular, passwords to the accounts outlined above must be changed instantly when a breach is detected. This mitigates the spread of malware and ransomware and prevents hackers from gaining further access to your servers, networks, and databases.
In line with cybersecurity best practices, you need to change passwords for privileged credentials with access to sensitive data at least once every 3 months. To reduce the risk of malicious exploits from former staff, you should also change all passwords they may have had access to within six months of their exit.
Educate Clients on Password Best Practices
To remain secure, MSPs need to create and enforce rigid password management policies for client organizations. However, these policies won't be effective if clients are not aware of them. You should, therefore, educate both your techs and client employees on these policies. Inform them of the importance of maintaining password best practices at all times and on all levels — even for accounts that they deem unimportant.
Further reading MSP's Educational Posters on Password Security
Know What Kind of Passwords Not to Use
The widespread use of commonly known passwords has been linked to several data breaches in recent years. The most popular password strings in use include:
While this should be obvious, you may be surprised by the number of employees who use these passwords for enterprise accounts.
You can mitigate the risk of cybercriminals comprising your clients’ IT systems and data by creating and enforcing strict password management policies. Most data breaches can be prevented if MSPs and clients protect privileged accounts with non-recycled, complex passwords. Following through on the security best practices outlined above can help reduce threats from the password/user credential threatscape.