Are managed service providers ready for insider attacks?

Gaidar Magdanurov, President of Acronis

People are the weakest link in any cybersecurity defense. Given the complexity of today’s attacks, negligence and inexperience are becoming increasingly consequential. Therefore, MSPs must diligently protect themselves and their clients from users with bad intentions. MSP businesses are prime targets for attackers because they have direct access to the infrastructure of multiple clients.

Holding the proverbial “keys to the kingdom,” or access to virtually every network and application in the client and provider IT ecosystem, MSPs cannot afford any lapses in protection protocol, especially from inside their organizations. One disgruntled or uninformed employee could bring a complete disaster to the whole business, from taking systems offline across the provider’s network to the financial liabilities that can bankrupt the company. One single attack by an insider can be the end of the MSP business.

MSPs must implement industry best practices and create strict cybersecurity policies for everyone, including leaders and tech professionals. Those policies are essential to the long-term success of the business.  

Identify the risks

The most important first step for MSPs building an effective cybersecurity practice is acknowledging the full scope of their vulnerabilities. To that point, they have to protect their systems from every known threat. 

They need to identify and neutralize vulnerabilities, examining everyone and everything in the IT environment. Performing periodic network assessments and penetration testing across systems helps MSPs minimize exposure by detecting new gaps in their defenses.  

Most frequent concerns include:

  • Techs have more access rights than they need to have to do their daily jobs.
  • No audit logs for actions of techs.
  • Techs creating access shortcuts, using third-party tools, accessing internal networks from insecure locations and syncing sensitive information between work and home computers.
  • Avoidance of awareness training and low level of cybersecurity knowledge.
  • Unsecured or open wireless networks connected to internal infrastructure of client networks.
  • Techs allowing clients and end users to avoid cybersecurity protocols. 
  • Opportunities for malicious activity and sabotage from disgruntled current or former workers — the absence of a policy to reduce access and remove or block accounts.

MSPs must create a system of checks and balances to ensure those concerns don’t become cybersecurity failures for themselves and their clients. For example, every IT services firm should follow a strict protocol for employee terminations and resignations. MSPs need to turn off access to business systems as soon as possible to minimize opportunities for malicious behavior, such as a disgruntled former employee accessing sensitive customer data or uploading malware.

Reduce the risk

Maintaining cybersecurity requires a continuous process of adapting to change. No matter how well designed and managed the defenses are, IT infrastructure evolves, new applications and systems are introduced, and employees come and go. MSPs must take a proactive approach to prevent insiders from using trust as an advantage.    

Guidelines developed by the Cybersecurity and Infrastructure Security Agency (CISA) are a great place to start, with several recommendations to help businesses reduce insider-related vulnerabilities. Five key suggestions include:

  1. Security awareness training

While MSPs typically require clients to adhere to these programs, some don’t demand the same commitment inside their own business. Everyone from the new hire to the owner of the firm should not only participate in, but be assessed on security practices on a regular basis.

  2. Identification of unexpected behavior

This cybersecurity process maps employees’ regular conduct to make it easier to detect deviations from their usual behavior. MSPs can use tools to track employees’ system-related activities based on log ins, downloads, access times and other factors. For example, a disgruntled employee may log into the firm’s servers or its clients’ critical business systems after hours without a good reason. Tools for anomaly detection monitor unusual activities and alert team members to verify.
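The detection described above can be made concrete with a small baseline-and-deviation check. The following is an added example, not code from the article or from Acronis: it parses a handful of constructed, syslog-style audit lines (the log format, the user names, the host names and the `10.0.0.0/8` "internal" range are all assumptions), learns each tech's usual access hours and hosts from a training window, and then flags later events that fall outside that baseline or arrive from an external address, which is the after-hours, off-site login the paragraph uses as its example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (key=value fields after an ISO timestamp).
# Not real MSP data; the format itself is an assumption for this example.
SAMPLE_LOG = """\
2024-03-04T09:02:11 user=alice action=login host=client-a-dc1 src=10.0.1.15
2024-03-04T09:05:40 user=alice action=download host=client-a-fs1 src=10.0.1.15
2024-03-05T08:58:03 user=alice action=login host=client-a-dc1 src=10.0.1.15
2024-03-06T09:10:27 user=alice action=login host=client-a-dc1 src=10.0.1.15
2024-03-04T13:15:00 user=bob action=login host=client-b-sql1 src=10.0.2.7
2024-03-05T13:20:00 user=bob action=login host=client-b-sql1 src=10.0.2.7
2024-03-07T09:01:55 user=alice action=login host=client-a-dc1 src=10.0.1.15
2024-03-07T23:47:12 user=alice action=login host=client-b-sql1 src=203.0.113.8
2024-03-07T23:49:30 user=alice action=download host=client-b-sql1 src=203.0.113.8
"""

# Events before CUTOFF build the per-user baseline; events from CUTOFF on are evaluated.
CUTOFF = datetime(2024, 3, 7)

# Assumed internal address space of the MSP and its clients' networks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(records, cutoff):
    """Per user: the hours of day and the hosts seen during the training window."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for r in records:
        if r["ts"] < cutoff:
            baseline[r["user"]]["hours"].add(r["ts"].hour)
            baseline[r["user"]]["hosts"].add(r["host"])
    return baseline


def is_internal(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


def hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (so 23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def find_anomalies(records, baseline, cutoff, hour_slack=1):
    """Return (timestamp, user, action, reasons) for events that deviate from baseline."""
    alerts = []
    for r in records:
        if r["ts"] < cutoff:
            continue  # training data, not evaluated
        reasons = []
        b = baseline.get(r["user"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            if all(hour_distance(r["ts"].hour, h) > hour_slack for h in b["hours"]):
                reasons.append(f"unusual hour {r['ts'].hour:02d}")
            if r["host"] not in b["hosts"]:
                reasons.append(f"first access to {r['host']}")
        if not is_internal(r["src"]):
            reasons.append(f"external source {r['src']}")
        if reasons:
            alerts.append((r["ts"].isoformat(), r["user"], r["action"], reasons))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    base = build_baseline(recs, CUTOFF)
    for ts, user, action, reasons in find_anomalies(recs, base, CUTOFF):
        print(f"ALERT {ts} {user} {action}: {'; '.join(reasons)}")
```

On the sample data, alice's daytime login on the 7th is within her baseline and produces nothing, while the two late-night events on a client-b host from an outside address each raise three reasons. In practice the baseline would be built from weeks of SIEM data and the alert would go to a team member for verification, as the paragraph describes, rather than being treated as proof of wrongdoing.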

  3. Role-based access control (RBAC)

This approach restricts system access to authorized users only. While MSPs frequently implement these systems with clients, adopting these applications in their organizations can limit the potential damage from an insider attack. 
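The following added example (not code from the article or from Acronis) shows the shape of an RBAC check that addresses three of the concerns listed earlier: techs holding more rights than their job needs, no audit trail of their actions, and accounts that outlive a departure. Roles, permission strings and account names are all constructed for illustration. Access is denied unless a role explicitly grants it, every decision is logged, and offboarding an account makes every later check fail immediately.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role definitions for an MSP. Each tech gets only the roles
# their daily work requires; a helpdesk role never reaches client servers.
ROLE_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write", "client-a:workstation:reset-password"},
    "sysadmin-client-a": {"client-a:server:login", "client-a:server:backup"},
    "sysadmin-client-b": {"client-b:server:login", "client-b:server:backup"},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.audit_log = []  # every decision, allowed or denied, is recorded

    def permissions_for(self, account):
        """Union of the permissions granted by the account's roles."""
        perms = set()
        for role in account.roles:
            perms |= self.role_permissions.get(role, set())
        return perms

    def _record(self, account, event, allowed, reason):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": account.name,
            "event": event,
            "allowed": allowed,
            "reason": reason,
        })

    def check(self, account, permission):
        """Deny by default; only an active account with a granting role is allowed."""
        if not account.active:
            allowed, reason = False, "account disabled"
        elif permission in self.permissions_for(account):
            allowed, reason = True, "granted by role"
        else:
            allowed, reason = False, "no role grants this permission"
        self._record(account, permission, allowed, reason)
        return allowed

    def offboard(self, account):
        """Termination protocol: disable the account and strip all roles at once."""
        account.active = False
        account.roles.clear()
        self._record(account, "offboard", True, "account disabled and roles removed")

    def denied_attempts(self, user=None):
        """Denied decisions, optionally for one user; useful for review or SIEM export."""
        return [e for e in self.audit_log
                if not e["allowed"] and (user is None or e["user"] == user)]


if __name__ == "__main__":
    ac = AccessControl(ROLE_PERMISSIONS)
    tech = Account("carol", {"helpdesk", "sysadmin-client-a"})
    print(ac.check(tech, "client-a:server:login"))    # True: in scope of her role
    print(ac.check(tech, "client-b:server:login"))    # False: another client's systems
    ac.offboard(tech)
    print(ac.check(tech, "ticket:read"))              # False: account disabled
    for entry in ac.denied_attempts("carol"):
        print(entry["event"], "->", entry["reason"])
```

The useful pattern is the combination: least privilege limits what a single tech can reach, the audit log turns each denied attempt into a reviewable signal, and offboarding is a single operation rather than a hunt through individual systems for lingering access.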

  4. Data encryption

Encrypting sensitive information and limiting access keys to approved personnel minimizes risk. The less data an insider can steal and exploit, the better.

  5. Continuous monitoring

Implementing a security information and event management (SIEM) platform has become a standard practice for companies to collect information about the behavior of employees, customers and software. These systems detect threats and collect information about their impact, based on the activities tracked across all the systems the SIEM serves.

Trust but …

No system or practice is infallible. MSPs know that fact all too well and must continually assess and address all potential threats externally and internally. 

Securing clients’ sites and internal operations takes time and dedication, as well as a viable plan. Unfortunately, these strategies must extend to protect MSPs from disgruntled and inattentive employees in their own businesses to prevent financial and reputational loss. One wrong hire or bad termination could compromise not only the provider, but also their clients and others who rely on their expertise.