Last month, a critical advisory was published by cybersecurity authorities from the United States, United Kingdom, Australia, Canada and New Zealand — recognizing that they have observed “an increase in malicious cyber activity targeting Managed Service Providers, and expect this trend to continue.”
As a result, the joint Cybersecurity Advisory provides a thorough guide to support MSPs, with practical tips and tricks that can reduce their risk. These best practices and specific guidance can help to secure sensitive data, ensure compliance, and limit the threat of a cyberattack.
Interested in an overview of the guidance? You’re in the right place.
Who is the advisory talking to?
First, let’s define who this advice is targeted towards. MSPs deliver, operate and manage IT services via a contract where they guarantee a certain level or amount of support, in return for a monthly fee. They support businesses with platform, software and infrastructure, monitor, manage and support IT services, and take responsibility over cybersecurity to at least some extent.
As they need access to the customer’s network, they are usually given privileged access to systems and data, which is great for business continuity but difficult for security.
Why are MSPs at risk?
As MSPs have this connectivity to their customer environments, when a bad actor targets an MSP, they can gain access to its entire supply chain. The advisory calls this “globally cascading effects”, and warns against nation-state APT groups that target MSPs to gain access to a whole network of relationships that rely on customer trust.
As a customer trusts their MSP to have access to sensitive information, they may be less likely to notice signs of an attack, which can lead to wider threats such as ransomware across a whole client network.
A shared commitment to security, and open and frank conversations with customers about implementing new and emerging best practices can make all the difference in securing this relationship and ensuring customers can get the benefits of using an MSP without adding undue risk to their environment.
Once discussed, implement these guidelines in your existing contracts, and present them as baseline best practices when onboarding new customers.
Preventing initial compromise
The first step is to stop a bad actor from gaining access to the customer environment in the first place. Attackers usually gain that access through existing vulnerabilities or by exploiting human error. Discuss with your customer:
- Boosting the security of vulnerable devices
- Protecting all services that are internet-facing
- Defending against brute force attacks or credential harvesting
- Smart approaches to minimize the impact of phishing
Many of these concerns can be alleviated with the support of a strong antivirus and anti-malware solution, endpoint detection and response, or other third-party cyber security software which can be implemented as part of a strong MSP solution with robust integrations.
At Atera, as well as long-standing integrations with Webroot and Bitdefender, we recently integrated with Emsisoft EDR, and Ironscales for email security — supporting customers with threat hunting against cyberattacks, and with smart education and training against phishing scams.
Monitoring and logging
The advisory reminds MSPs that cybersecurity incidents can take time to detect, and so logging and monitoring is essential. Logs help to detect threats on the network, and are also essential for incident response.
For MSPs, this means logging all activities that occur while providing IT services to the customer. For customers, it means guaranteeing that, either locally or via the MSP, they have monitoring and logging for security event management, and visibility into third-party activity in their network. If the MSP spots anything unusual, it is their responsibility to alert the customer, and send any relevant logs to the Security Operations Center for further analysis.
Multi-factor authentication
Especially in environments where remote access is common, multi-factor authentication is a must-have. Default MFA protocols may not be enough against nation-state attacks, so the advisory recommends that organizations review their configuration policies for multi-factor authentication in their customer environments.
MFA should be mandated according to your customer contracts, not only on customer services and products but also on the MSP side for all accounts that access customer data.
Segregation and least privilege
Securing a complex customer environment means having visibility and control over the assets that comprise the whole. Make sure you know where “crown jewel” applications, data and systems are held, and then apply network security to reduce the impact of a breach and limit lateral movement.
This can be anything from relatively small measures, such as ensuring credentials aren’t repeated for more than one customer, to full micro-segmentation of a network to physically restrict an attacker’s access if the worst occurred.
MSPs can use VPNs to access customer networks, limiting traffic to an encrypted and secure connection.
Another tool for network segmentation is the principle of least privilege, a zero trust concept. By using a tiered approach to access, accounts only have the ability to reach the data and assets that they need to do their job — and no further.
Those admin accounts that have high privileges should only be used when absolutely necessary, and be de-privileged either every six months or at a smart cadence. In general, have a process and policy in place for deprecating any accounts or infrastructure which have become obsolete.
Updates and patch management
MSPs have a responsibility to provide updates and patches on internal networks as quickly as possible, and have a process in place for recognizing and patching known vulnerabilities.
At Atera, IT automation profiles allow for hardware, software and operating system updates to be automated to ensure best-in-class security, and in-depth reporting ensures no patches or updates are missed without the MSP and customer being alerted to the potential risk.
System and data backups
MSPs also need to be ready in case the worst occurs and a cyberattack hits a customer environment. Backups are the most important element of this, especially if a ransomware attack occurs and data is encrypted and held to ransom. Backups should be stored separately, and should occur regularly.
Atera recently integrated with Axcient for smart backups, a third-party that offers chain-free backups to prevent data bloat, and has intelligent AirGap technology that protects against internal as well as external threats.
Incident response and recovery
Backup is one part of incident response and recovery, and as an MSP you should be able to walk the customer through a clear plan of what would happen in the face of different kinds of cyberattack.
How long would it take to get data restored? What other impacts would you predict on business continuity? Who will take technical lead, executive lead, and compliance lead? Plans need to be tested with simulations and drills regularly.
They also should be written down for easy access to ensure there is no single point of information that could quickly become a single point of failure if that member of staff is on vacation the day the attackers make their move.
Authentication and authorization are essential elements of security. Best practices include:
- Regularly rotating credentials
- Reviewing logs for failed authentication attempts
- Reviewing logs after performing password changes
- Restricting MSP access to only necessary systems
- Verifying that accounts are disabled when they are not being used
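The account checks described above (MFA on every account that touches customer data, no credential repeated across customers, six-monthly review of privileged accounts, disabling accounts that are not in use) can be run as a recurring audit over an account inventory. The following is an added example, not code from the advisory or from Atera; the inventory format, the field names, the vault-style credential IDs and the 90-day "unused" threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, namedtuple
from datetime import date, timedelta

# Hypothetical inventory record; cred_id is a vault entry ID, never the secret itself.
Account = namedtuple(
    "Account", "name customer cred_id mfa privileged enabled last_login last_review")

# Constructed sample inventory for two customers of one MSP.
ACCOUNTS = [
    Account("tech-alice", "acme", "v-101", True, False, True, date(2022, 6, 10), None),
    Account("svc-backup", "acme", "v-102", False, False, True, date(2022, 6, 14), None),
    Account("admin-acme", "acme", "v-200", True, True, True, date(2022, 6, 12), date(2021, 10, 1)),
    Account("admin-globex", "globex", "v-200", True, True, True, date(2022, 6, 11), date(2022, 5, 1)),
    Account("tech-carol", "globex", "v-105", True, False, True, date(2022, 1, 5), None),
    Account("tech-dave", "globex", "v-106", False, False, False, date(2021, 3, 2), None),
]

UNUSED_AFTER = timedelta(days=90)        # assumed cut-off for "not being used"
PRIV_REVIEW_EVERY = timedelta(days=182)  # "every six months"

def audit(accounts, today):
    """Return sorted (account, finding) pairs for enabled accounts."""
    active = [a for a in accounts if a.enabled]

    # Map each credential to the set of customers it unlocks.
    customers_by_cred = defaultdict(set)
    for a in active:
        customers_by_cred[a.cred_id].add(a.customer)

    findings = []
    for a in active:
        if not a.mfa:
            findings.append((a.name, "no-mfa"))
        if today - a.last_login > UNUSED_AFTER:
            findings.append((a.name, "unused-but-enabled"))
        if a.privileged and (a.last_review is None
                             or today - a.last_review > PRIV_REVIEW_EVERY):
            findings.append((a.name, "privilege-review-overdue"))
        if len(customers_by_cred[a.cred_id]) > 1:
            findings.append((a.name, "credential-reused-across-customers"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, date(2022, 6, 15)):
        print(f"{name}: {finding}")
```
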
Supply chain risk is real — but prepared is pre-armed
There is no doubt that as an MSP, supply chain risk is something you need to be aware of and ready for, including understanding your legal and compliance requirements as a service provider. Ensuring regular risk assessments and making time to discuss potential impact with your customers will be key for managing the threat.
Provide better protection with Atera
Each customer will have their own requirements, and it’s essential for the MSP to make their own responsibilities clear — for example whether they will handle incident response or data backup, or if this will be outsourced to another third party or handled by the customer in-house.
The advisory comments: “both MSPs and their customers will benefit from contractual arrangements that clearly define responsibilities.”
Transparency really is the most essential part of your relationship with your customers. When you negotiate a contract, write down all the services that the customer will receive, outline the services that they are not going to be given as part of this agreement, and ensure you discuss any security best practices which fall outside of the contractual agreement, so that the customer is fully aware and can make smart decisions as part of their own risk assessment.
Flexible contracts are our middle name. Try Atera free for 30 days!