Cleaning House: Cybersecurity Hygiene for MSPs

JP Kehoe
Vice President of XDR Sales
Barracuda MSP

Cybersecurity hygiene best practices require MSPs to implement not just technologies but also sustainable processes that can be relied upon over time. Today, installing a piece of software and considering the job done will simply not suffice. You would not clean your house once and expect it to remain tidy and sanitary indefinitely, right? The same goes for cybersecurity; consider this a healthy living approach to security.

Achieving and maintaining good cybersecurity hygiene means implementing processes that supplement and strengthen the technologies in place. These processes need to include concentric layers of cybersecurity as well as reliable monitoring, visibility, and response capabilities.

A complex and never-ending cycle that varies by industry

It’s no secret there are challenges that make this type of security posture difficult to maintain. The sheer complexity of the modern IT environment can be challenging to manage from a security standpoint, with IT departments required to secure a mix of cloud-based and on-premises systems and a high volume of users and devices. End users must also buy into the process, which means regular training and reminders to follow basic security protocols that some may find inconvenient. The work is never-ending and occasionally monotonous.

Exactly what good cybersecurity hygiene looks like can vary a bit by industry. Still, NIST and the Department of Defense provide guidance that, although targeted at companies handling highly classified information, offers a good framework for any business.

In 2020, the DoD rolled out its Cybersecurity Maturity Model Certification (CMMC), which closely follows the NIST Cybersecurity Framework and can serve as a model for security best practices, even for companies that may not ever do business with the military.

An excellent first step for MSPs is conducting a cybersecurity assessment that follows the Common Vulnerability Scoring System (CVSS) to identify existing systems’ relative strengths and weaknesses. This should also involve a full accounting of assets and systems that require protection and what level of protection may be necessary for each.

Guidelines can help MSPs to organize a security response

Companies can address these vulnerabilities by following the CMMC or NIST guidance. In addition, there are four general categories of security that may help organize the security response.

Networks: Network protection begins with an updated firewall but should also include 24/7 monitoring (to identify unusual activity) and robust user authentication processes and technologies. Real-time monitoring that provides rapid alerts to security and IT staff is critical to a holistic security program. Workers should be able to respond rapidly to potential breaches, and at least some level of automation should be enabled to help mitigate the impact of a cyber-attack as it’s happening.

People: As has been noted repeatedly, having the best security technology won’t help if employees are not prepared to identify and respond to potential threats, such as phishing attacks and malware. Users should receive regular security threat updates and security awareness training. There should also be clear, enforceable policies around passwords, on-premises and remote access, use of personal devices, physical security for company-owned mobile devices, and handling of credentials.

Endpoints: Physical endpoint devices (phones, tablets, etc.) must be secured and authenticated before being permitted access to networks and applications. A Zero Trust approach to access and authentication can significantly enhance endpoint security, ensuring devices are regularly updated, patched, and protected with antivirus software.

Facilities: Physical access to on-premises workstations, servers, and other IT assets should be monitored and controlled using passwords, key cards, and other processes. Guest WiFi networks should be separated from corporate networks, and remote employees should follow computer and network usage guidelines.

Framework standardization: As mentioned, it is good for all businesses, and particularly for an MSP, to have a framework in place that focuses on people, process, and technology. Choosing a standard like NIST offers real value: when you have a problem, you can point to the fact that you chose a standard to measure yourself against. Technology is great and so important to have, but often the people and process piece is an afterthought. A framework allows customers to have a roadmap of when and how they want to invest in security over time.

Several years ago, the Software Engineering Institute at Carnegie Mellon (also involved in the development of the CMMC) outlined 11 functional cyber hygiene areas based on NIST standards and other similar frameworks and standards. The outline serves as a handy checklist for any good cyber hygiene program, including:

  1. Identify and prioritize critical organizational services, products, and supporting assets.
  2. Identify, prioritize, and respond to risks to the organization’s essential services and products.
  3. Establish an incident response plan.
  4. Conduct cybersecurity education and awareness activities.
  5. Establish network security and monitoring.
  6. Control access based on least privilege, and maintain the user access accounts.
  7. Manage technology changes and use standardized, secure configurations.
  8. Implement controls to protect and recover data.
  9. Prevent and monitor malware exposures.
  10. Manage cyber risks associated with suppliers and external dependencies.
  11. Perform cyber threat and vulnerability monitoring and remediation.

Closing Thoughts

There are 5 steps to basic cybersecurity hygiene:

  1. Establish what it is you want to protect most.
  2. Build the concentric layers of cybersecurity.
  3. Gain visibility by monitoring your environment.
  4. Reduce the response time.  
  5. Standardize on a framework.

The NIST Framework and CMMC provide more specific guidance, but how closely a given company needs to adhere to those guidelines will vary based on the industry. However, they do offer a good benchmark for measuring security preparedness. Getting started requires investment and effort, but with a good security hygiene program, the MSP and its clients will benefit from reduced risk of interruptions, data compromise and data loss.

JP Kehoe is Vice President of XDR Sales for Barracuda MSP where he is focused on helping MSPs grow their businesses through cybersecurity-as-a-service offerings.