January 27, 2022
Cyber attacks have risen sharply in the last couple of years. For organizations that outsource IT operations to managed services providers, there are some key things MSPs should do to safeguard their clients’ sensitive data in the ever-more-likely event of a breach. Our Mindsight experts, CIO Tad Gralewski and Director of Internal Systems & Security Matt Cox, highlighted five key areas.
This industry-recognized compliance program consists of a couple of hundred controls that measure the level of detail and accuracy with which a company is doing the things they’re supposed to be doing. For instance: When you get a new user, do you onboard them correctly and consistently? When somebody leaves the company, do you disable their account right away? Do you patch your servers on a regular basis? Do you have a risk management program? No company that implements these controls is 100% secure, but it’s a feather in their cap and a sign that they’re at least taking their controls seriously. On top of that, they should be bringing in an external auditor (as opposed to an IT specialist) and challenging them to find evidence of gaps in security controls that are purportedly in place according to documentation. That way a report can be generated by an impartial third party and customers have more peace of mind.
Named Accounts and Multi-factor Authentication
Everyone should be doing this, not just your MSP. It’s a very basic step, but it is absolutely a best practice. In the past, it was not uncommon to have an administrator account for which everyone had the password. When somebody left the company, you had to go in and change that password. A better way is to set up named accounts, each protected by multi-factor authentication that allows only that individual to gain access to a given environment. This goes for internal company employees and external MSPs that manage the environment. Because everything is logged, it’s possible to see exactly who entered the environment and when, as well as what they did there. While this certainly isn’t new technology, its adoption has definitely accelerated because bad actors continue to proliferate along with increasingly sophisticated techniques they employ to breach even the most protected systems.
Regimented Vulnerability Management
Every MSP does patch management for its clients on a scheduled basis. But how good are they at quickly reacting to odd events and mitigating potential threats? While installing patches monthly or quarterly is the norm, real-time patching is even more effective. That way, for example, if a critical firewall update arrives from the vendor, there’s no lag time in installing it and the client remains as protected as possible from cyber threats. Is that method more time-consuming and labor-intensive from an MSP’s perspective? Yes. But keeping clients’ risk profiles as small as possible is well worth the effort.
Disaster Recovery and Data Immutability
Some of the most sophisticated ransomware doesn’t merely infect and lock all the files on your server, it also infects and locks your backup files. That doesn’t happen often, but it’s becoming more prevalent. And it can be disastrous. Businesses are particularly vulnerable if they’ve set up easy-to-manage environments with an integrated backup solution that uses common passwords for access. In those cases, it’s pretty easy for a bad actor — who might have been lurking in the environment for weeks or months, doing their homework and waiting for the right moment to strike — to break in and encrypt all of those files as well. That’s where so-called “immutable” backup solutions come in. They’re off-site and cannot be easily changed or deleted. As a result, even if everything else is compromised, immutable backups are likely to remain. Which means cyber criminals can’t hold the primary data for ransom. Blackmail doesn’t work without leverage. (Here’s more on disaster recovery for SMBs that work with MSPs).
Alert Monitoring and Minimal Access
A mainstay of security policy is that no one has more access than they need, which reduces liability both internally and externally. In order to administer an IT environment, you have to have users with administrative access — the keys to the castle. If your company brings in an MSP, for example, the MSP can’t administer your environment unless they have those keys. But they shouldn’t open everything. It’s important to strictly limit that access only to specific areas that MSPs need to perform their work effectively. Wider access means more avenues of entry for bad actors to potentially exploit.
Alert monitoring is another risk pathway, because monitoring the environment requires administrative access. If your monitoring tools are publicly exposed, that could be used against you. The best way to prevent that from happening is to make sure those tools are as secure as possible. It’s also imperative to understand what tools your MSP uses to administer your environment and the access granted to those tools. Clients should ask their MSPs questions such as: How do you secure these tools? How do you control your employees’ access to them? How do you onboard and offboard your employees?
About The Experts
Mindsight CIO/COO Tad Gralewski is a graduate of the University of Illinois at Champaign-Urbana and has been in the IT industry for over three decades. At Mindsight, Tad focuses on both delivering Mindsight’s services to our customers and working with them to help develop strategies, roadmaps, and solutions to solve their issues. To Tad, “We don’t sell things – we solve problems”. A self-proclaimed “outdoors person”, Tad enjoys camping, hiking, and riding motorcycles in his spare time.
Matt Cox is the Director of Internal Systems and Security at Mindsight, and has over 20 years of experience in Telecommunications, Information Technology and Network Management. In his role at Mindsight, Matt has the uncanny ability to communicate complex technical ideas to a broad audience. He is passionate about information security and using technology to improve business outcomes and is currently pursuing CISSP certification. When he’s not focused on the hyper-technical, Matt enjoys boating, fishing, and lock picking.