Any IT managed service provider (MSP) offering their clients security services should first secure their own house, putting the same exacting security controls and solutions in place they would expect their clients’ to implement.
The risk to your clients from external cyber threats, data breaches, ransomware attacks, and business email compromises has never been higher. The many malicious software vendors peddling products empowering would-be and seasoned cybercriminals is growing rapidly. Cybercriminals are laser-focused on developing the most efficient ways to scam the most money from their victims in the least amount of time. This focus on "efficiency R&D" is helping to make each successive cyberattack more convincing, more impactful, and more costly.
As such, MSPs have recognized the value in offering security in addition to remote monitoring and management services. With so many off-the-shelf solutions available, MSPs imagine it’s fairly easy to get in the game.
But are your clients the only ones in need of better security?
In recent months, cybercriminals have upped their attacks on MSPs. And for a simple reason: they gain unrestricted administrative access to multiple clients’ networks. It’s simple math, really – compromise one organization’s network, or access tens or more at one stroke by compromising a single MSP.
This trend, called "island hopping," now occurs in 50% of cyberattacks – an attacker leverages their first victim to access a second. Attacks on MSPs are making news, including a Ryuk ransomware attack on cloud-service provider Data Resolution and their 30,000 customers and Chinese-sponsored hacker group APT10’s attack on Norwegian MSP Visma and their 850,000 customers. The problem is so rampant that the U.S. government even released an official warning to IT service providers about the threat.
Because of the risk of these attacks, it is imperative that MSPs look inward and practice what they preach about security.
More specifically, MSPs need the same layered security strategy they should be offering their customers. Layered security requires technologies, policies, and processes be put in place to combat cyberattacks from multiple angles. It should assume at least one layer is likely to fail, but that each additional layer is capable of stepping up before an attack can do real harm.
So, what elements make up layered security?
Here are several high-level layers to keep in mind when putting together a comprehensive security strategy:
This is the point where an attacker could “touch” your network. It can be a corporate firewall, user’s inbox, personal laptop in use at a coffee shop, or an endpoint visiting a webpage, for example. Or if you look at outbound network traffic your DNS connection to the Internet.
Users are targets of phishing scams, other social engineering attacks, and business email compromise. They must be both aware of the threats facing them and the role they play in maintaining their organization’s cybersecurity.
All corporate owned and managed endpoints must be protected against all forms of malware.
Attackers require credentials to access systems, applications, and data. Whether low-level or elevated credentials, cybercriminals have ways of leveraging both.
Those seeking to move within your network, or island hop, require elevated permissions. Protecting accounts with privileged access – particularly for MSPs managing multiple customers – is critical.
Both on-premise and cloud-based applications can provide attackers with enough context to commit fraud, reach a user or customer through social engineering, or otherwise penetrate a network. Protecting access to applications concerning money or customer data must be protected.
Eventually, bad guys will target data, whether it’s an entire database of personally-identifying information or the details of a single banking transaction. Regardless of the target or intent, any data that could be of value to a cybercriminal must be secured.
Designing Layered Security
Many technologies can be put in place to address each of the layers discussed above. But, given that most MSPs are small businesses themselves, a layered security rollout must be practical. Let’s begin with some “low-hanging” options for establishing a layered security strategy:
- Use reputable, proven, and multi-vector endpoint security. The primary method of entry is the endpoint. Whether through an email or web-borne attack, an attacker ultimately needs to inject malware onto an endpoint. So having endpoint security that attacks the problem with a multi-faceted approach is critical; a simple antivirus won’t do the job. Solutions that effectively address attacks include malware detection and remediation, application white and blacklisting, endpoint firewall management, and use AI and machine learning to stop zero-day attacks. These functions help address security concerns at the Logical Perimeter, Endpoint, and User.
- Implement DNS protection. To avoid detection by signature-based solutions, most malware communicates with a command-and-control server (C2) to download malware payloads, so internet communication is required. DNS protection ensures all network communication requests are reviewed to determine whether the connection is reputable or known to be malicious. Suspect DNS entries can be blocked, cutting off an attacker’s ability to transmit malware. DNS Protection addresses the Logical Perimeter layer of your security.
- Educate your end users. Cyberattacks often require user interaction; the clicking of a malicious link or the opening of an illicit attachment requires a user. Initiating continual security awareness training establishes in the user’s mind the need to be vigilant about corporate security. Training can also educate users on the latest scams, attacks, and tactics used by cybercriminals so they know what to watch out for. Security awareness training addresses the User layer of security.
- Back up your data. Data has multiple uses to an attacker – it can be held for ransom, stolen and sold on the dark web, leveraged as intel for an advanced attack, or manipulated for espionage purposes. Having backups of data, systems, and applications stored in the cloud means attacks can be remediated. Assuming they cover an entire environment, backups can play a role in restoring data, accounts, security configurations, and more, helping to address the Identity, Privilege, Applications, and Data layers of the security strategy.
Locking down with Layered Security
MSPs today make mouth-watering targets for cyber criminals. It no longer enough they secure their customers. Their networks must be equally, if not more, secure. Using layered security should be common practice for both MSPs and their customers. By doing so, MSPs lower their risk while improving the security of their network… and their customers.