MSP Security Put To The Test: Cybersecurity Attacks Continue To Target MSPs In An Attempt To Mass-Infect Customers

Now more than ever, data breaches and hacks plague the IT industry. Ever-present but unpredictable, they represent massive challenges for MSPs and their clients, requiring vigilance and continual monitoring and bolstering of defenses.

In June 2019, the Sodinokibi ransomware made headlines when hackers used it to compromise multiple MSPs. These ransomware attacks were reportedly executed through MSPs: adversaries who had accessed MSP networks via remote desktop services then pushed the ransomware to client endpoints using various management consoles, such as Webroot, ConnectWise, and Kaseya. While some were quick to blame this breach on weaknesses in the solution providers’ security, the reality is that these systems were compromised not because of shortcomings in the software but because of poor cybersecurity hygiene on the part of the MSP.

Simply put, MSPs are being directly targeted because attackers realize that compromising the credentials of a single MSP can ultimately provide them with “the keys to the kingdom” of hundreds of businesses.

These attacks highlight the importance of not relying solely on usernames and passwords to protect critical IT systems; how users log in is typically the weakest point in the protective chain of IT security. This isn’t as much a technical issue as it is simply a combination of human nature and the delicate balance between ease of use and proper security protocols.

Don’t Poke Holes In Password-based Protection.

Usernames and passwords are soft targets for malcontents. Over and over again, these credentials are the top target for data breaches because they can unlock access to so many different places. Nearly every week, there’s another report of massive compromises, from 50 million Instagram accounts to 1.5 billion WhatsApp credentials.

Usernames are consistently reused across multiple systems and websites, and passwords are also frequently recycled or “iterated” upon in predictable ways, even when users are forced to change them regularly, creating a disincentive for the user to get creative and use unique passwords. So, when a data breach extracts a haul of these credentials, it not only represents a threat to the organization that was hacked but also to any other site or system where those individuals might use the same or similar usernames and passwords.

Even when individuals aren’t reusing and recycling passwords, the passwords they choose are typically far too weak to begin with. The vast majority of passwords (80–90%) are eight characters in length and include a special character, number, or capitalized letter. But those eight characters are no match for the software available to hackers, who can crack them in just a few minutes, particularly if the dictionaries and encryption keys are also available.

By contrast, a 12–14-character password can take upward of a decade to decipher, proving for once that bigger really is better. But longer passwords highlight the challenge on the human side of the equation: People are lazy and don’t want to put in the effort to create unique passwords for every site and system, and, given the sheer number of websites that a person logs into on a routine basis, they definitely won’t remember them if passwords are twice as long.

This is where MSPs can offer additional value by not only educating, recommending, and (potentially) requiring longer passwords but also by providing password management as part of their service offering. These tools stop users from recycling predictable passwords while simultaneously removing the burden of having to remember and keep track of them all.
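One way to enforce the longer-password and no-iteration advice above at password-change time, as an added example (not code from the article or from any vendor it names). The 12-character floor, the substitution table and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
import re

MIN_LENGTH = 12  # assumed policy floor, from the 12-14 character range discussed above
# Common character substitutions undone before comparison (constructed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def base_form(password):
    """Reduce a password to the stem users tend to keep across forced changes."""
    stem = password.lower()
    # Drop leading/trailing counters, years and punctuation: "Summer2019!" -> "summer"
    stem = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", stem)
    return stem.translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_password_change(old, new):
    """Return policy violations; an empty list means the change is accepted.

    Runs at change time, when the user has just typed the current password;
    stored hashes cannot be compared this way.
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    old_stem, new_stem = base_form(old), base_form(new)
    if old_stem and new_stem:
        shorter, longer = sorted((old_stem, new_stem), key=len)
        contained = len(shorter) >= 4 and shorter in longer
        if contained or edit_distance(old_stem, new_stem) <= 2:
            problems.append("iterates_previous")
    return problems

if __name__ == "__main__":
    # Constructed sample pairs: (current password, proposed password)
    for old, new in [("Summer2019!", "Summer2020!"),
                     ("P@ssw0rd1!", "Password2024#"),
                     ("Summer2019!", "correct-horse-battery")]:
        print(new, check_password_change(old, new))
```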

While this is great advice for MSP customers, it’s also a best practice for MSPs themselves. MSP employees have access to a ton of sensitive information across multiple clients, so there’s no excuse for taking shortcuts in-house while preaching better policies to others.

Great Passwords Aren’t Enough.

Even the best password hygiene is still only scratching the surface of what MSPs and their clients can do to protect themselves from hackers and malware. To provide a better buffer between hackers and critical data, MSPs must get their customers to utilize two-factor authentication.

Requiring an additional step in the authentication process is the perfect preventive strategy for phishing emails and counteracting data breaches that allow credentials to fall into the wrong hands. Unfortunately, there’s a lot of inherent resistance to adopting this superior security mechanism because it’s viewed as an inconvenient extra step for end users, but that’s largely a misconception.

Companies looking to add two-factor authentication to their IT infrastructure have a plethora of options, ranging from freebies from Google and Microsoft (included with Office 365 subscriptions) to premium offerings from Kaseya, Duo, and Okta. Some solutions will even support single sign-on by leveraging a universal directory.

Don’t Forget About Physical Security.

Often overlooked in the battle against cyberthreats is the “brick-and-mortar” component of protecting sensitive data. While the vast majority of breaches occur solely in the digital domain, physical access to servers, devices, and networks also poses a legitimate threat that shouldn’t be ignored.

Restricting access to facilities, server rooms, and endpoints is another key layer of defense in the battle against data theft and security breaches. MSPs themselves are particularly vulnerable since they touch multiple enterprises from a single location, so utilizing proper procedures at their own offices is just as valuable as imploring clients to do the same.

Change The Dynamic By Changing The Defaults.

Customers are entrusting their mission-critical applications to MSPs with the expectation that the MSPs are doing everything possible to protect their systems and data. These clients will most likely go along with their MSP’s recommendations, so starting from a position of strength instead of making security best practices optional is a winning position for all parties.

Instead of requiring customers to opt IN to better security mechanisms (such as two-factor), MSPs should instead make their clients opt OUT. Many will not even question if all this security is mandatory and simply go along with what’s in the standard package.

For those customers who will want to remove some of these best practices, it will require a conversation with their MSP to ensure they fully understand what they’re asking for and the inherent risks and dangers of that decision. This might be tricky to implement, as MSPs are often in “sales mode,” where the customer is always right, but this must be non-negotiable if MSPs are to adequately protect their clients and themselves.

It might feel awkward to be so demanding of customers, as MSPs generally want to reduce friction and appear easy to work with. But the risks are simply not worth the reward when you’re talking about opening yourself up to unnecessary weak spots in security.

The other piece of the equation MSPs can influence is education. Ideally, every employee would already be well-versed in all things security, but this is unfortunately not the case. Instead, they need both initial education and continual reminders of how to manage their personal information and credentials.

To create a culture of security, MSPs can offer education platforms such as ID Agent’s BullPhish (which provides ongoing reminders and awareness via articles and videos that speak directly to end users) to get employees up to speed on protecting their company data. Without the proper context, employees tend to ignore security because they’re simply unaware of the breadth and scope of threats to their employers.

Once employees understand the situation, they’re typically eager to participate. Actively involving employees in security shifts them from risk factors and weak points to a network of sensors on the edges, helping to identify possible holes in a company’s defenses.

Don’t Wait For Something Bad To Happen.

Proactive, preventive measures are the best defense against security threats. MSPs simply cannot afford to wait for an incident and then react after the fact. Not only can it damage reputations and customer relationships, but it can also put an MSP out of business permanently.

Security is no longer optional, which means MSPs must take a hard line with customers and prospects for everyone’s sake. No deal is worth destroying the entire business, and proper security requires the active involvement of every employee, not just the IT department.