You may or may not know, but IT service providers and MSPs are currently being targeted by hackers. Numerous accounts of IT service provider and MSP breaches are now being reported worldwide, and once the IT service provider is breached, so are their clients’ networks.
Think about the access your IT service provider has to your systems, the passwords they hold, the direct access they have to your servers, systems, cloud platforms and data.
Think about what could happen should your IT service provider suffer a breach.
This position is only getting worse, with new breaches reported almost weekly, some resulting in hundreds of businesses being affected, in some cases with all files encrypted and the businesses left at the mercy of the attackers’ ransom demands.
The hackers have realised that gaining control of or access to an MSP’s systems, especially their RMM (remote management and monitoring) platform, gives them unfettered access to all the client systems managed by that IT services business. The hackers’ thinking is quite clever: instead of putting all the effort into cracking each of an IT service provider’s client networks, crack the IT service provider and you have the keys to all the client networks.
To do this, specific malware and ransomware (Sodinokibi) has appeared, written with IT-service-specific software in mind. Weaknesses in certain RMM platforms have been exploited, and poorly configured security systems have been breached using RDP brute force attacks.
You would think a managed IT service provider would have good security, right?
Sadly, not all IT service providers do enough to protect themselves, and they often fail to implement strong cybersecurity systems and processes, or even to educate their own technical teams about cybersecurity (yes, even techies can fall for well-crafted phishing scams – the most common attack vector).
Tech-savvy users, like those in IT services and MSP businesses, are well placed to work around security best practices, and sometimes these practices are only suggested, not enforced. These “bad habits” can leave huge security vulnerabilities that put YOUR business at huge risk.
When security is lax, the IT services business could have a one-access-level-for-all policy, multiplying the attack surface by the size of your MSP’s technical team. Your supplier should operate from a “Principle of Least Privilege”, which can greatly reduce the damage a compromised user account can cause.
To ensure you are working with a professional partner you will need evidence of the precautions and mitigating actions that they have taken. The security of your supplier should now be a primary deciding factor in your due diligence process. If your current supplier fails to meet robust security standards it may be time for a tough conversation, as this risk is now too great to ignore.
To make this process easier, there are a few key questions to ask, and documented evidence to request, that will enable you to understand your supplier’s security position and then decide whether you consider that position strong enough to be trusted with your data, and essentially the keys to your entire IT estate.
Questions to ask your Managed IT service provider:
Are you Cyber Essentials PLUS certified?
Your IT service provider should be externally verified and compliant with Cyber Essentials PLUS at a minimum.
Are you using Multi-Factor Authentication on all your own systems?
Your supplier should use multi-factor authentication on all platforms, including RMM, email, file sharing and ERP systems.
Are your systems patched and regularly scanned for vulnerability?
This goes far beyond Windows updates and includes all infrastructure; every system should be scanned and patched for all known vulnerabilities.
Do you restrict remote access to your systems?
Your supplier should enforce a strict access control policy to ensure complete control over the devices and users that access your systems.
Do you have advanced anti-virus, anti-malware, gateway AV and APT scanning systems in place?
State-of-the-art anti-virus, anti-malware and APT-enabled firewalls should be in place at all locations.
Do you have suitable backup and disaster recovery systems in place?
Does your supplier have a complete DR replica of all data and systems across multiple data centres? Can they provide a documented disaster recovery procedure?
Do you have any public (internet) facing RDS servers?
Remote Desktop Servers are a known point of attack. Ideally, your supplier should not have any public internet-facing RDS servers.
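As an added illustration (not from the original article) of the kind of monitoring a supplier who restricts remote access and exposes no public RDS servers should still be able to show you: a small Python check that flags RDP brute-force and password-spray attempts in Windows failed-logon events. The event records, IP addresses and account names are constructed sample data, and the thresholds are assumptions, not values from the article.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, reduced to
# "timestamp event_id logon_type account source_ip" (4625 = failed logon,
# 4624 = success; logon type 10 = RemoteInteractive, i.e. RDP).
SAMPLE_EVENTS = """\
2019-07-01T08:00:01 4625 10 admin 203.0.113.7
2019-07-01T08:00:09 4625 10 admin 203.0.113.7
2019-07-01T08:00:20 4625 3 admin 203.0.113.7
2019-07-01T08:00:31 4625 10 admin 203.0.113.7
2019-07-01T08:00:45 4625 10 admin 203.0.113.7
2019-07-01T08:01:02 4624 10 jsmith 192.0.2.9
2019-07-01T08:01:10 4625 10 admin 203.0.113.7
2019-07-01T08:01:30 4625 10 alice 198.51.100.23
2019-07-01T08:01:33 4625 10 bob 198.51.100.23
2019-07-01T08:01:36 4625 10 carol 198.51.100.23
2019-07-01T08:01:39 4625 10 dave 198.51.100.23
2019-07-01T08:01:42 4625 10 erin 198.51.100.23
2019-07-01T08:01:55 4625 10 admin 203.0.113.7
2019-07-01T08:02:10 4625 10 jsmith 192.0.2.9
"""

def parse_events(text):
    """Keep only failed (4625) RDP (logon type 10) logons, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        if event_id == "4625" and logon_type == "10":
            events.append((datetime.fromisoformat(ts), account, src))
    return sorted(events)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Source IP -> (peak failures, peak distinct accounts) for every source
    that reaches `threshold` failed RDP logons inside a sliding `window`."""
    recent = defaultdict(deque)  # src -> (ts, account) pairs still in window
    flagged = {}
    for ts, account, src in events:
        q = recent[src]
        q.append((ts, account))
        while ts - q[0][0] > window:  # age out entries older than the window
            q.popleft()
        if len(q) >= threshold:
            fails, accts = flagged.get(src, (0, 0))
            flagged[src] = (max(fails, len(q)), max(accts, len({a for _, a in q})))
    return flagged

def classify(flagged, threshold=5):
    """Many distinct accounts from one source -> password spray, else brute force."""
    return {src: "password spray" if accts >= threshold else "brute force"
            for src, (_, accts) in flagged.items()}
```

On the sample data the single-account hammering from 203.0.113.7 and the one-attempt-per-account run from 198.51.100.23 are both flagged, while the lone failure from 192.0.2.9 and the non-RDP (logon type 3) failure are ignored.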
Do you train your staff about cybersecurity?
Even staff in technical organisations can fall foul of phishing and social engineering. Your supplier should have documented proof of training internal teams.
Do you apply all security best practice internally?
It is easy for an IT service business to slip into the “It’s ok, we know what we’re doing” mentality. However, most breaches go undetected; this mentality does not work.
The above points are just the basics, the bare minimum you should expect from your IT partner.
Adam Harling, founder and Managing Director, Netitude