More and more, hackers are targeting managed services providers (MSPs). This is because MSPs can be a weak link when it comes to security if they aren't implementing the same security practices they encourage for their clients.
MSPs are an attractive target for attacks because of the network connectivity that exists between MSPs and their clients. Successful MSPs with a global client base are even more appealing because the MSP serves as a "hub" from which multiple attacks against other big targets can be launched. IT solution providers have intimate access to their customers' networks and applications. That’s why groups like the Chinese hacker collective APT10 are targeting MSPs. Cloud-based platforms are also increasingly targeted by these groups and the attacks are likely to increase in number and frequency.
MSPs with a strong security offering are already providing plenty of protection for their clients, using available tools to stop malware and ransomware attacks. Not all MSPs are using those same tools for their businesses, however, which represents a blind spot in their IT infrastructure.
Consider the potential consequences if an MSP employee falls victim to a phishing scheme. Malware coming from a trusted MSP account presents a significant threat to every customer and vendor connected to that company.
Sophisticated phishing attacks can compromise user accounts, which allows cybercriminals to move quickly through the MSP’s customer accounts until they find those that have the highest level of access rights to client infrastructure, or to the most valuable assets.
Last year, the Australian Cyber Security Centre (ACSC) published its annual threat report, which included a description of a multinational construction services firm that was the victim of a malware attack via an MSP account. The company was defrauded out of $500,000.
According to the report: “The example highlights the risk that companies can be compromised through their service provider, without either the company or provider knowing. It also demonstrates the types of risks that organizations face when they outsource certain activities, or when they outsource with little consideration to security. When MSPs give other organizations access to their network, it can be exposed to that organization’s security posture — which effectively increases their own risk.”
Security Begins at Home
What can MSPs do so they don’t put their clients’ networks at risk?
First, they shouldn’t ask their clients to implement security tools or practices that they aren’t willing to deploy in their own organization. It is important that they know where security starts and stops in the products and services they currently offer.
MSPs should train their employees to recognize potential threats and phishing emails on an ongoing basis. They are probably already doing this for their clients. Credential theft presents an enormous risk because of the potential damage that can be done in the cloud. MSPs should have phishing protection and two-factor authentication practices in place and use a VPN for cloud logins.
MSPs should also implement a robust security program around privileged accounts, and make sure they have a security management system in place to control access for employees, customers, and vendors.
Additionally, MSPs should use a unified threat protection agent so that they can deploy the security stack on both virtual and physical endpoints, and make sure to protect their data and clients’ data with robust backup and disaster recovery (BDR) solutions.
MSPs should make sure they can track data provenance across their infrastructure. By increasing their security footprint, they can strengthen security around the cloud environments their customers’ solutions are running in.
Security staff should have a real-time view of what is happening with their cloud-based virtual machines from a central location and the ability to conduct sophisticated analysis of out-of-the-ordinary events.
MSPs should make sure they are following industry requirements for highly regulated markets, such as the HIPAA security requirements for healthcare data. If not, the cost of a breach will be compounded by fines and other penalties for non-compliance.
Finally, MSPs should develop an incident response protocol, including who will be notified and when. That should also include a communication plan for all employees explaining how the breach happened, so they can help prevent the problem from repeating or spreading.
Clients rely on their MSPs to ensure uptime and secure their data. MSPs that aren’t looking within to spot potential vulnerabilities may be leaving their customers — and themselves — vulnerable to cyberattacks.