Building your own MSSP? Start at Home!
Most traditional MSPs today are aware of the need to provide their client base with a much higher level of security services. The recent spate of high-profile ransomware attacks makes national headlines, but lesser attacks that don’t garner as much attention occur every day in much smaller institutions. Many MSPs are seeing the need for advanced security services as not just an opportunity but a "must have". Whether they are looking to build their own MSSP practice or partnering with others to provide the service for their clients, the need to look internally at their own security is a must.
Although it was revealed early on that the SolarWinds Orion Platform compromised in March of 2020 was not the same one used by many MSPs, it was a wakeup call. In 2018, long before that attack, the Department of Homeland Security released an alert indicating that bad actors were targeting IT Service Providers as a way of gaining access to their clients' networks. According to a recent Perch Security study, in 2020 73% of MSPs surveyed reported at least one security incident. In that same study, 69% reported a ransomware attack.
Famously, bank robber Willie Sutton was asked why he robbed banks. His reply, "Because that is where the money is". This rings true in the MSP industry today. MSPs have elevated, if not complete, access to their clients' networks. Back in the early "00s", as a service manager for a fairly large MSP, I would lose sleep at night thinking what might happen if anyone ever gained access to our client documentation system. It contained our password database as well as detailed documentation of our customers' networks. It was basically a cookbook for any hacker to compromise any number of our clients. We implemented Token-based Multifactor Authentication for remote access when only larger institutions and banks would invest in the technology. Additionally, we contracted with an independent security audit vendor to perform internal and external penetration testing, including social engineering. We learned a lot and as a result improved our security greatly. It was a case where we had a higher level of security than the vast majority of our clients. Back then few SMBs could afford such a level of security services, nor did most need it. That has all changed.
Many MSPs over the years have had a bit of "cobbler's kids" syndrome. In a "do as I say, not as I do" kind of way, MSPs have not given the same level of attention to their own internal network that they do their customers'. When we were primarily focused on monitoring and managing the health of the infrastructure and ensuring systems were patched, the implications of an internal failure were relatively contained. It might lead to a disruption of service, but typically not result in damage to our clients. That is no longer the case. A security breach in your own network can result in irreparable harm to your clients.
Before you focus on building out the advanced security services you will offer your clients, make sure you implement them internally first. Even if you aren’t looking to get into the MSSP business, this is a critical step. You are the custodian of very sensitive information for your clients. In effect, you are the "bank" for your customers' information. Guard it with your life.
Here are some critical steps for MSPs:
Start with a comprehensive outside independent security audit of your organization. This should include internal and external penetration testing, vulnerability scanning, policy reviews, and social engineering (including email phishing and fake password requests to the helpdesk). Identify your weak spots and address those.
Review the 2018 DHS Threat Alert for MSPs and follow recommendations therein.
Enforce strong passwords, password change policies, and ensure EVERY employee is using MFA for external access to your network.
Continuously scan your network for vulnerabilities. Remediate critical and high vulnerabilities immediately.
Log, log, log! Enable logging at the highest reasonable level on all internal systems. If there is suspicion of a breach you need to be able to review what happened on the system.
Develop a comprehensive response policy. Train your employees how to identify and handle suspected breaches. Exercise your response plan regularly.
Review your cyber insurance coverage to make sure that you are protected financially against losses due to a direct attack or any claims against you from your clients due to a breach.
Security starts at home. If your environment is not secure, your clients' networks are not secure.