At the recent MSP Connect Live, a group of virtual events put on by The ASCII Group, the CEO of a well-versed MSP provided a framework for MSP internal security practices.
As Corey Kirkendoll, CEO of 5K Technical Services, said during the session: it’s more important to make sure your own company utilizes internal security best practices.
“As MSPs, we’re always under attack. If they get us, they can get our customers,” he said.
Kirkendoll has been aggregating best practices from within the ASCII and vendor community into a definitive guide to help MSPs lock down their environments from would-be attacks.
He focused on the things most MSPs are not doing that are leaving them vulnerable to being breached. This has been a collaborative effort for our industry as we present the findings to all attendees.
First: assess your ‘security posture’
It’s critical do develop what Kirkendoll called a “security posture.” You can develop one by answering the following questions:
- how much risk are you accepting?
- have you had a security assessment done by a third party?
- have you prioritized what you need to protect?
- do you know what is critical to your business?
Let your answers to these questions guide your approach to all things internal security going forward. If you feel any response to the above questions is weak or leaves you & your team asking more questions, you need to address those areas first, Kirkendoll said.
Pick a cybersecurity framework: CIS, zero-trust, NIST, etc.
Are you a customer of yourself, using your own business to service yourself? Using your own helpdesk, etc.? “This allowed us a better insight into how we really work,” Kirkendoll said.
Do you onboard yourself and have consistent documentation and training?
Are 2FA and proper security measures implemented? “I may be taking a firm stance here, but there’s just no acceptance anymore for a lack of 2FA implementation.”
A quick MSP security checklist
- You need disaster recovery and contingency plans in place in the event of a data breach or ransomware attack
- Pursue certifications wherever possible (Security+, CISSP)
- The ability to partner with other MSPs for help in the event of a major attack is a good “all-else-fails” resource
- Harden your stack!
Don’t doubt the importance of tabletop exercises
“We run through scenarios where there are factors like breaches and hacks, but also physical disasters like tornadoes. What happens with the hardware? If something happens, the way people communicate about it will determine the outcome. If they’ve never even heard of a specific situation happening, they’ll probably mess something up,” Kirkendoll said.
“Getting my team to wrap their heads around the importance of these exercises can be tough, but in the end, it strengthens our communication and makes us more prepared for the inevitable day when something happens.”
Additional resources for internal MSP security:
- Infraguard – provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information
- ISACA – global association that provides IT professionals with knowledge, credentials, training and community in audit, governance, risk, privacy and cybersecurity
- staysafeonline – National Cyber Security Alliance
- MSSP Alert – research for Managed Security Services Providers