Don’t let your MSP’s lack of security turn you into a victim

Many organizations utilize a managed services provider (MSP) to provide a wide range of IT support services, systems management and administration, and improved cyber security.  While MSPs might be better at performing these activities than the organization that hired them, very few service providers focus on security in a way that actually provides meaningful business value.  In fact, the most prevalent attack vector for the last 24 months has been attacking MSPs themselves.  Attackers can then compromise dozens upon dozens of networks by turning the MSP's own toolsets against its customers.  This issue is so widespread that US CERT and the US Department of Homeland Security have issued an advisory for MSPs to protect their own systems, which almost no provider in the industry has actually followed.
Email continues to be the #1 attack vector for malicious actors to extract hard cash from organizations and individuals alike.  Successful email attacks usually result directly in monetary loss and have the most immediate impact on businesses, unlike data breaches, which may or may not have quantifiable damages over a finite period of time.
60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack.
If the Data Breach Doesn't Kill Your Business, the Fine Might.
While a number of safeguards may be in place to protect a company's core financial systems and ERPs, we have found that little thought is given to reporting systems and operational data.  As a result, we have found broad exposure of intellectual property, proprietary operations data and financial reports stemming from development, sandbox and other "interim" system usage.
Many MSPs use a single password vault or documentation system to store all of their customers' credentials across all systems.  While a password vault is generally secure, a single platform holding every customer's information is a rich target for hackers.  In addition, MSPs who use their main documentation systems, such as IT Glue, ConnectWise KB or similar platforms, to store customer passwords are actually doing so in plain text.  Don't compromise your organization's security by trusting your MSP to handle its own security properly.  Ask for evidence; we will show you how.
Many organizations opt to share pipeline information across all sales and marketing departments, favoring efficiency over security.  This choice is rooted in a cultural fear of slowing company growth rather than fear of black swan events, such as an active sales pipeline walking out the door to a competitor.  CRM security is complex and needs to be thoughtfully addressed; we have a roadmap for achieving security while fostering BETTER sales enablement and visibility across the opportunity portfolio.
In today's SaaS-dominated environment, with shadow IT spending on the rise and generally decentralized operating models, modern HR and IT organizations often struggle to partner in a way that allows both to keep pace with the rate of change.  Often hours, if not days or weeks, can go by after a termination, leaving corporate data in the hands of someone who should no longer be authorized to access it.  When employees onboard, it might take several days or weeks to sort out role-based access issues, system credentials and the like, which also costs the business money and ramp-up time.

US CERT Advisory Alert for IT Managed Services Providers

In October of 2018, the US Department of Homeland Security Cyber + Infrastructure Security Agency (CISA) issued Alert TA18-276B, prompted by Advanced Persistent Threat activity exploiting Managed Service Providers that was detected by the DHS National Cybersecurity and Communications Integration Center (NCCIC).  The alert calls for immediate security countermeasures to be implemented by Managed Services Providers, affecting all industries and business sizes.

The alert can be found here: https://www.us-cert.gov/ncas/alerts/TA18-276B

Unfortunately, if you have been monitoring the news, you can see that this warning has largely been ignored by Managed Services Providers across the country who are prioritizing convenience of administration and their own profits over customer security.

Recent News About Managed Services Providers

5 Key Security Lessons From The Cloud Hopper Mega Hack

Report: Cloud Hopper Attacks Affected More MSPs

Ransomware at IT Services Provider Synoptek

Ransomware at Colorado IT Provider Affects 100+ Dental Offices

China Hacked Eight Major MSPs, Technology Services Providers: Report

Ransomware gang hacks MSPs to deploy ransomware on customer systems

Is your MSP Superhero letting your company down?

Until recently there was no definitive way to know whether your MSP complies with the requirements of US CERT Alert TA18-276B, the only standard to date that directly addresses the attack vectors and vulnerabilities currently being exploited by nation states and large autonomous hacking organizations to compromise and control Managed Services Providers' toolsets and their customers' networks.

Parsolvo has created a testing and validation framework that will assess a company’s security posture as well as evaluate the controls implemented by Managed Services Providers relative to the organization’s network.

Managed Services Providers are not security-minded organizations, regardless of how many security “solutions” they try to sell.  MSPs, by nature, are focused on support and ease of use.  Other terms for this might be “End User Experience” or “Simplifying IT.”  These concepts run directly counter to the level of sophistication modern businesses need to protect their most critical data assets and business processes.  If you do not take action, it is your company and its employees that will suffer.  A Managed Services Provider can always find its next customer, but will you risk your entire business operation on their word?

Do not end up as a nameless, faceless “customer” reference in the news like these other companies.  Engage with Parsolvo and get the transparency and accountability in your MSP relationship that you really need.

Learn more about our MSP security audits